4
:term:`PlainBox` is started without any privilege.
5
But several tests need to start commands requiring privileges.
7
Such tests will call a trusted launcher, a standalone script
8
which does not depend on the :term:`PlainBox` core modules.
9
`polkit <http://www.freedesktop.org/wiki/Software/polkit>`_
10
will control access to system resources.
11
The trusted launcher has to be started using
12
`pkexec <http://www.freedesktop.org/software/polkit/docs/0.105/pkexec.1.html>`_
13
so that the related policy file works as expected.
15
To avoid a security hole that allows anyone to run anything as root,
16
the launcher can only run jobs installed in a system-wide directory.
17
This way we are not weaken the trust system as root access is required
18
to install both components (the trusted runner and jobs).
19
The :term:`PlainBox` process will send an identifier which is matched by a well-known
20
list in the trusted launcher. This identifier is the job hash:
24
$ pkexec trusted-launcher JOB-HASH
26
See :meth:`plainbox.impl.secure.checkbox_trusted_launcher.BaseJob.get_checksum()` for details about job hashes.
31
Available authentication methods
32
--------------------------------
36
Only applicable to the package version of PlainBox
38
PlainBox comes with two authentication methods but both aim to retain the
39
granted privileges for the life of the :term:`PlainBox` process.
41
* The first method will ask the password only once and show the following
42
agent on desktop systems (a text-based agent is available for servers):
46
+-----------------------------------------------------------------------------+
48
+-----------------------------------------------------------------------------+
50
| [Icon] Please enter your password. Some tests require root access to run |
51
| properly. Your password will never be stored and will never be |
52
| submitted with test results. |
54
| An application is attempting to perform an action that requires |
56
| Authentication as the super user is required to perform this action. |
58
| Password: [________________________________________________________] |
61
| Action: org.freedesktop.policykit.pkexec.run-plainbox-job |
64
| [Cancel] [Authenticate] |
65
+-----------------------------------------------------------------------------+
67
The following policy file has to be installed in :file:`/usr/share/polkit-1/actions/`
69
Asking the password just one time and keeps the authentication for forthcoming
70
calls is provided by the **allow_active** element and the **auth_admin_keep** value.
72
Check the `polkit actions <http://www.freedesktop.org/software/polkit/docs/0.105/polkit.8.html#polkit-declaring-actions>`_
73
documentation for details about the other parameters.
77
<?xml version="1.0" encoding="UTF-8"?>
78
<!DOCTYPE policyconfig PUBLIC
79
"-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
80
"http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
83
<vendor>PlainBox</vendor>
84
<vendor_url>https://launchpad.net/checkbox</vendor_url>
85
<icon_name>checkbox</icon_name>
87
<action id="org.freedesktop.policykit.pkexec.run-plainbox-job">
88
<description>Run Job command</description>
89
<message>Authentication is required to run a job command.</message>
91
<allow_any>no</allow_any>
92
<allow_inactive>no</allow_inactive>
93
<allow_active>auth_admin_keep</allow_active>
95
<annotate key="org.freedesktop.policykit.exec.path">/usr/bin/checkbox-trusted-launcher</annotate>
96
<annotate key="org.freedesktop.policykit.exec.allow_gui">TRUE</annotate>
101
* The second method is only intended to be used in headless mode (like `SRU`).
102
The only difference with the above method is that **allow_active** will be set to **yes**.
106
The two policy files are available in the PlainBox :file:`contrib/` directory.
108
Environment settings with pkexec
109
--------------------------------
111
`pkexec <http://www.freedesktop.org/software/polkit/docs/0.105/pkexec.1.html>`_
112
allows an authorized user to execute a command as another user.
113
But the environment that ``command`` will run it, will be set to a minimal known
114
and safe environment in order to avoid injecting code through ``LD_LIBRARY_PATH``
115
or similar mechanisms.
117
However, some jobs commands require specific enviroment variables such as the
118
name of an access point for a wireless test. Those kind of variables must be
119
available to the trusted launcher.
120
To do so, the enviromment mapping is sent to the launcher like key/value pairs
121
are sent to the env(1) command:
125
$ pkexec trusted-launcher JOB-HASH [NAME=VALUE [NAME=VALUE ...]]
127
Each NAME will be set to VALUE in the environment given that they are known
128
and defined in the :ref:`JobDefinition.environ <environ>` parameter.
130
Checkbox trusted launcher
131
^^^^^^^^^^^^^^^^^^^^^^^^^
133
The checkbox trusted launcher is the minimal code needed to be able to run a
134
:term:`CheckBox` job command.
136
It offers base classes for the following core subclasses:
138
* :class:`plainbox.impl.rfc822.RFC822Record`
139
* :class:`plainbox.impl.job.JobDefinition`
141
The only duplicated code is the RFC822 parser, where all logging features have
144
The :class:`plainbox.impl.secure.checkbox_trusted_launcher.Runner` class just
145
executes the command process with :py:func:`os.execve`.
147
Internally the checkbox trusted launcher looks for jobs in the system locations defined in
148
:attr:`plainbox.impl.secure.checkbox_trusted_launcher.Runner.CHECKBOXES` which defaults to :file:`/usr/share/checkbox*`.
149
This way the launcher can match all :term:`CheckBox` variants, like ``checkbox-oem(-.*)?``
156
checkbox-trusted-launcher [-h] (--hash HASH | --warmup)
157
[--via LOCAL-JOB-HASH]
158
[NAME=VALUE [NAME=VALUE ...]]
160
positional arguments:
161
NAME=VALUE Set each NAME to VALUE in the string environment
164
-h, --help show this help message and exit
165
--hash HASH job hash to match
166
--warmup Return immediately, only useful when used with
168
--via LOCAL-JOB-HASH Local job hash to use to match the generated job
172
Check all job hashes with ``plainbox special -J``
174
As stated in the polkit chapter, only a trusted subset of the environment mapping
175
will be set using :py:func:`os.execve` to run the command.
176
Only the variables defined in the job environ property are allowed to avoid
177
compromising the root environment.
178
Needed modifications like adding ``CHECKBOX_SHARE`` and new paths to scripts are
179
managed by the checkbox-trusted-launcher.
181
Authentication on PlainBox startup
182
----------------------------------
184
To avoid prompting the password at the first test requiring privileges, :term:`PlainBox`
185
will call the ``checkbox-trusted-launcher`` with the ``--warmup`` option.
186
It's like a NOOP and it will return immediately, but thanks to the installed policy file
187
the authentication will be kept.
191
When running the development version from a branch, the usual polkit
192
authentication agent will pop up to ask the password each and every time.
193
This is the only difference.
195
Special case of jobs using the CheckBox local plugin
196
----------------------------------------------------
198
For jobs generated from :ref:`local <local>` jobs (e.g. disk/read_performance.*)
199
the trusted launcher is started with ``--via`` meaning that we have to first
200
eval a local job to find a hash match.
201
Once a match is found, the job command is executed using :py:func:`os.execve`.
205
$ pkexec checkbox-trusted-launcher --hash JOB-HASH --via LOCAL-JOB-HASH
209
it will obviously fail if any local job can ever generate another local job.