
Use polkit rules instead of running app as root

Open ghost opened this issue 8 years ago • 9 comments

I think backintime graphical interface should always be started under non-root account and use polkit rules for running only specific commands (like rsync) which need special privileges.

Running graphical apps as root is considered insecure https://www.youtube.com/watch?v=-T1LoHTZDvs https://www.reddit.com/r/kde/comments/5l35db/how_can_you_enable_root_access_in_dolphin/

It will also fix behaviour under wayland https://github.com/bit-team/backintime/issues/640

ghost avatar Jan 16 '17 18:01 ghost

A comment in the above reddit link contains a dead link to a recommended video by Martin Graesslin at QCon 2016. It can be found here now:

The pity state of Linux desktop security

Edit: I have just realized that my new link shows the same video as the above youtube link (but perhaps more privacy friendly ;-)

aryoda avatar Nov 01 '22 22:11 aryoda

Analysis

Running BiT with sudo or another "root-granting" starter like pkexec provides full root privileges to the whole application. These privileges can be exploited to perform unauthorized operations, thereby creating a security incident.

polkit is

  • an application-level framework
  • to handle the security policy of an application running in user-space
  • by configuring, controlling, and logging most security-related operations in a flexible manner.

Linux user space applications running in the lower privilege can request the Polkit framework to carry out the actions which require security privileges.

For an introduction into why and how polkit, see this link:

https://www.timesys.com/security/linux-polkit-implementing-user-space-authorization-on-embedded-platforms/

To enable Polkit for BiT two major steps are required:

  1. create and install a .policy file into /usr/share/polkit-1/actions directory
  2. use the Polkit API via D-Bus or a library

For details see: https://www.freedesktop.org/software/polkit/docs/latest/

Furthermore, we need to check if all supported distros are compatible with our Polkit implementation.

Special care must be taken for headless systems where asking the user is not possible (e.g. when backintime is run via cron).

aryoda avatar Nov 08 '22 13:11 aryoda
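Step 1 of the two steps above, as an added audit script that is not backintime's own code: it parses a polkit .policy file and flags defaults that hand out the action without authentication, relative exec paths, and the allow_gui annotation that runs a graphical program as root. The action ids and paths in the embedded sample are constructed placeholders, not the project's real net.launchpad.backintime.policy.

```python
import xml.etree.ElementTree as ET

# Authorization levels polkit accepts inside <defaults>.
VALID = {"no", "yes", "auth_self", "auth_admin", "auth_self_keep", "auth_admin_keep"}
EXEC_PATH = "org.freedesktop.policykit.exec.path"
ALLOW_GUI = "org.freedesktop.policykit.exec.allow_gui"

def audit_policy(xml_text):
    """Return a list of findings, one per risky setting, for every <action>."""
    findings = []
    for action in ET.fromstring(xml_text).iter("action"):
        aid = action.get("id", "<missing id>")
        defaults = action.find("defaults")
        for tag in ("allow_any", "allow_inactive", "allow_active"):
            el = defaults.find(tag) if defaults is not None else None
            value = (el.text or "").strip() if el is not None else "no"  # polkit default
            if value not in VALID:
                findings.append(f"{aid}: {tag}={value!r} is not a valid polkit value")
            elif value == "yes":
                findings.append(f"{aid}: {tag}=yes grants the action without authentication")
        notes = {a.get("key"): (a.text or "").strip() for a in action.iter("annotate")}
        path = notes.get(EXEC_PATH, "/")
        if not path.startswith("/"):
            findings.append(f"{aid}: exec.path {path!r} must be absolute for pkexec")
        if notes.get(ALLOW_GUI, "false").lower() == "true":
            findings.append(f"{aid}: allow_gui=true runs a graphical program as root")
    return findings

# Constructed sample (placeholder ids and paths, not backintime's real policy file).
SAMPLE_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<policyconfig>
  <action id="example.backup.run-backend">
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/backup-backend</annotate>
  </action>
  <action id="example.backup.run-gui">
    <defaults>
      <allow_active>yes</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">backup-gui</annotate>
    <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
  </action>
</policyconfig>
"""
```

The first action (backend only, auth_admin_keep, absolute path) produces no findings; the second reproduces the "whole GUI as root" pattern this issue argues against and produces three.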

I don't have expertise in that area. But if you need you could ask the distro maintainers for advice. And I assume that there is also a solution for headless systems.

For Debian I would suggest to start at the debian-python mailing list or maybe at debian-security. The first list is also the home of the "Debian Python Packaging Team" and nearly all Python package maintainers.

buhtz avatar Nov 08 '22 13:11 buhtz

Currently I am just triaging to estimate the impact and find related issues (here e.g. wayland) that could benefit from fixing this.

aryoda avatar Nov 08 '22 13:11 aryoda

Linux user space applications running in the lower privilege can request the Polkit framework to carry out the actions which require security privileges.

I like the idea that going down this road might allow us to eliminate the separate "Back In Time (root)" launcher that backintime ships as a .desktop file. Currently, most users use it to back up system files that are not accessible to their user (e.g. in /etc or /var).

emtiu avatar Nov 08 '22 14:11 emtiu

use it to back up system files that are not accessible to their user (e.g. in /etc or /var).

Very interesting aspect! I am not sure if Polkit can support this easily but separating the GUI from the CLI could achieve this:

  • GUI runs without root or requests only access rights when files are accessed
  • BiT CLI could run with root rights via pkexec since it doesn't use wayland (nor any GUI).

Separating the frontend from the backend + introducing Polkit is an immense amount of work so I currently strongly prefer to implement the already discussed and proven work-around with xhost +si:localuser:root (see #1349). The closed (not merged) PR https://github.com/bit-team/backintime/pull/1347/files looks like a good basis for a wayland work-around.

aryoda avatar Nov 08 '22 14:11 aryoda

BiT already uses Polkit. Take a look at qt/net.launchpad.backintime.policy. But to use this for all needed operations would result in a rewrite of the GUI.

Germar avatar Nov 08 '22 21:11 Germar

Not sure which milestone I should set for this Issue.

buhtz avatar Jan 09 '24 08:01 buhtz

Not sure which milestone I should set for this Issue.

I see this very far away (until other major issues are fixed)

aryoda avatar Jan 09 '24 08:01 aryoda