PolicyKit is an application-level toolkit for defining and handling the policy that allows unprivileged processes to speak to privileged processes: It is a framework for centralizing the decision making process with respect to granting access to privileged operations for unprivileged applications. PolicyKit is specifically targeting applications in rich desktop environments on multi-user UNIX-like operating systems. It does not imply or rely on any exotic kernel features.
History and Prior Art
Traditionally UNIX-like operating systems have a clear distinction between ordinary unprivileged users and the almight and powerful super user ‘root’. However, in order for a user to access and configure hardware additional privileges and rights are needed. Hitherto, this have been done in a number of often OS-specific ways. For example, Red Hat based systems usually grant access to devices to a user if, and only if, the user is logged in at a local console. In contrast, Debian-based systems often relies on group membership, e.g. users in the ‘cdrom’ group can access optical drives, users in the ‘plugdev’ group can mount removable media and so on.
In addition, access was not only granted to devices; Red Hat-based systems, for example, provides a mechanism to allow a user at a local system to run certain applications (such as the system-config-* family) as the super user provided they could authenticate as the super user (typically by entering the root password using a graphical utility). Other distributions rely on sudo (with various graphical frontends) to provide similar functionality. Both the pam-console and sudo approaches doesn’t require applications to be modified.
Finally, some classes of software (such as HAL, NetworkManager and gnome-system-tools) utilizes IPC mechanism (typically D-Bus) to provide a very narrow and well-defined subset of privileged operations to unprivileged desktop applications. It varies what mechanism is used to deny users.
Defining the Problem
There’s a couple of problems with the mechanisms described in the section called “History and Prior Art”.
Mechanisms are coarsely grained: either you’re at the console or you’re not (pam_console). Either you’re a member of a group or you’re not (Debian). There is no easy way to specify that only a subset of privileged operations should be available for a given user (e.g. it’s hard to express “it’s fine to mount removable media; it’s not fine to mount fixed media; it’s not fine to change the timezone” in a coherent way).
The way most people use pam-console and sudo is fundamentally broken. Full-fledged GTK+ or Qt applications run as the super user which means that millions of line of code (including code such as image loaders that historically have lots of security problems) runs privileged. This is in direct violation of the well-known “least privilege” principle. In addition, often applications look out of place because settings in such programs now read per-user settings from root’s home directory.
UNIX group membership have always been problematic; if a user is a member of a group once, he can always become member of the group again (copy
/bin/bash to $HOME; chown to group, set the setgid bit, done).
It is difficult for upstream projects (such as GNOME or KDE) to implement features that requires administrative privileges because most downstream consumers (e.g. operating systems) have different ways of implementing access control. As a result most of these features are punted to OS distributors who have their own code for doing the same thing e.g. setting the date/timezone etc.; there is no way for file sharing applications (such as gnome-user-share, Banshee, Rhythmbox) to punch a hole in the firewall.
Without a centralized framework, access control configuration is often scattered throughout the system which makes it hard for system administrators to grasp how to configure the system. There’s literally a bunch of different configuration files all with different formats and semantics.