usbguard icon indicating copy to clipboard operation
usbguard copied to clipboard

Published 20 hours ago verified publisher icon USBGuard

configuration fails without polkit

Open anudeepthika opened this issue 3 years ago • 9 comments

Configuring usbguard without polkit is failing with the below error.

configure: error: Required D-Bus modules (dbus-1, gio-2.0) not found!

The above error is encountered due to the commit 2c8c1ae10a6330736bf2a2d7d8682674b1db47dc. Can someone help me with a solution to skip this error while configuring without polkit?

anudeepthika avatar Feb 16 '22 10:02 anudeepthika

Hi @anudeepthika, there is no way to use usbguard-dbus safely without talking to Polkit so enabling D-Bus support "rightfully" pulls in that dependency now. Regarding --with-polkit, it is documented as…

# ./configure --help | fgrep -- --with-polkit
  --with-polkit           Install the PolicyKit configuration if D-Bus support

…which seems correct, while name --with-polkit may indeed be a bit misleading now.

What do you think?

hartwork avatar Feb 16 '22 15:02 hartwork

PS @anudeepthika maybe I should be more explicit that I'd be happy to understand your concern and situation better, and then discuss options for improval. In particular: Is a dependency on Polkit a problem in your environment?

hartwork avatar Feb 18 '22 19:02 hartwork

Hi @hartwork,

Thank you for your response. Sorry for my delay in replying back. I was analyzing the polkit impact on our environment.

In an Embedded System, different constraints with regards to policy enforcement would be implemented, and having polkit in our environment is throwing conflicts.

Could you please provide "--without-polkit" option so that polkit can be disabled depending on the use case and still remain enabled by default?

anudeepthika avatar Feb 21 '22 10:02 anudeepthika

@anudeepthika that helps, but I still have questions, to be sure I understand the full picture and our options:

  • Do you need --with-dbus and USBGuard DBus functionality enabled in that environment?
  • Do you have a Polkit daemon running in that environment?
  • Is adjusting the Polkit policy file to e.g. allow use of USBGuard D-Bus methods to any user on the system without interactive authorization an option? (That would require no changes in Git.)

hartwork avatar Feb 21 '22 17:02 hartwork

Hi @hartwork,

There is no polkit daemon running in our environment and enabling it, is making a huge impact. I request --with-dbus, USBGuard DBus functionality enabled without polkit

anudeepthika avatar Feb 22 '22 05:02 anudeepthika

Hi @anudeepthika ,

I guess then maybe the best way forward would be to introduce a new configure option --with(out)-dbus-security that defaults to enabled and have that control a C++ preprocessor macro that makes DBusBridge::isAuthorizedByPolkit always return true and print a warning when disabled, and do it's regular current job when enabled.

Best, Sebastian

hartwork avatar Feb 22 '22 14:02 hartwork

PS: The idea with --without-dbus-security naming is that making that^^ part of --without-polkit would do nothing to warn the user that operation with D-Bus but without talking to Polkit is not something secure for e.g. a regular desktop environment. I consider that essential.

hartwork avatar Feb 22 '22 15:02 hartwork

There is no polkit daemon running in our environment and enabling it, is making a huge impact.

@anudeepthika could you elaborate what kind of impact enabling the daemon would have?

hartwork avatar Feb 22 '22 19:02 hartwork

Why do you need the dbus so bad? If you don't want polkit on your system you can just stay with usbguard CLI and IPC perms.

radosroka avatar Feb 23 '22 11:02 radosroka