When you switch to msec SECURE mode, halt/poweroff/reboot are removed and can't be used by regular users. If you set ALLOW_REBOOT=yes in /etc/security/msec/security.conf to re-enable those, it wrongly re-creates those symlinks pointing to consolehelper, which used to be correct, but no longer is and no longer works. It should point to ../bin/systemctl as the systemd package installs them.
CC: (none) => mageia, thierry.vignaud
Whiteboard: (none) => MGA5TOO
Component: Security => RPM Packages
QA Contact: security => (none)
Hardware: i586 => All
CC: (none) => mageia
At installation, /usr/bin/shutdown already points to consolehelper, with a creation date matching the installation date. I confirm the alteration of halt and poweroff commands. I will propose a patch for this problem. But the question of shutdown must be clarified.
CC: (none) => yves.brungard_mageia
Ahh, looks like a bug in the systemd package, it's not owning /usr/bin/shutdown. None of the packages have scriptlets that are creating that link, so I don't know where it's coming from.
Created attachment 6935: Use systemctl instead of consolehelper
Here is a patch to restore the link to ../bin/systemctl instead of consolehelper. It applies to: halt, reboot, shutdown, poweroff.
Note that the poweroff at start is linked to consolehelper (fresh install).
(In reply to papoteur from comment #3)
> Note that the poweroff at start is linked to consolehelper (fresh install).
Read "shutdown" instead of poweroff.
If you've tested this patch, just commit it into git
Keywords: (none) => PATCH
commit da3c537d80fa90c27a3ff9f2c80082a51d1dbd2c
Author: SARL ENR 68 <david@...>
Date: Fri Aug 28 20:18:29 2015 +0200
Use systemctl instead of consolehelper (mga#16084) - by papoteur: https://bugs.mageia.org/attachment.cgi?id=6935
---
Commit Link: http://gitweb.mageia.org/software/msec/commit/?id=da3c537d80fa90c27a3ff9f2c80082a51d1dbd2c
(In reply to David Walser from comment #0)
> When you switch to msec SECURE mode, halt/poweroff/reboot are removed and
> can't be used by regular users.
FWIW, then we would probably also need to patch msec to disable "systemctl reboot" and "systemctl poweroff" when switching to SECURE mode as that is by default allowed for regular users - that is, if you have an active logind session, and it is done without consulting polkit AFAIU. See e.g. https://wiki.archlinux.org/index.php/Allow_users_to_shutdown or in much more detail at http://unix.stackexchange.com/a/209839/83329
CC: (none) => doktor5000
commit ed6bc6f637c308693795fabe1d6fd9cfb095ac69
Author: Papoteur <papoteur@...>
Date: Sun Apr 17 11:35:47 2016 +0200
Use systemctl instead of consolehelper (mga#16084)
---
Commit Link: http://gitweb.mageia.org/software/msec/commit/?id=ed6bc6f637c308693795fabe1d6fd9cfb095ac69
How to test:
First state:
$ ls -l /usr/bin/poweroff
lrwxrwxrwx 1 root root 16 oct. 4 2015 /usr/bin/poweroff -> ../bin/systemctl
$ ls -l /usr/bin/halt
lrwxrwxrwx 1 root root 16 oct. 4 2015 /usr/bin/halt -> ../bin/systemctl
$ ls -l /usr/bin/reboot
lrwxrwxrwx 1 root root 16 oct. 4 2015 /usr/bin/reboot -> ../bin/systemctl
$ ls -l /usr/bin/shutdown
lrwxrwxrwx 1 root root 13 juin 6 2014 /usr/bin/shutdown -> consolehelper
(the last one is not attempted, but there is another bug)
In msec, before applying the release 1.15:
set ALLOW_REBOOT=no
Previous command should disappear.
Then set ALLOW_REBOOT=yes
each previous command is linked to consolehelper
After applying the release 1.15:
set ALLOW_REBOOT=no
Previous command should disappear.
Then set ALLOW_REBOOT=yes
each previous command is linked to ../bin/systemctl
Advisory: setting ALLOW_REBOOT=no then yes restores poweroff, halt, shutdown and reboot to ../bin/systemctl instead of consolehelper.
Definitely a step forward, however, this is not secure. The direct commands are just shortcuts to running "systemctl poweroff|halt|reboot|shutdown". The fact that shortcuts disappear does not prevent the user from running the slightly longer versions. Really all MSEC should do is adjust the policykit policy on these actions and always leave the links in place. They would either work or not according to user permissions while still allowing admins the luxury of the shortcuts (and bin vs. sbin is not the answer here to that!). Draksec does something similar to allow configuration of which tools can run without root privs. It writes out an auth function and then the rules check the results of that function. See the code in draksec binary (perl) for how/where it writes the polkit auth function and the file org.mageia.draksec.rules for how it's used. You could do something similar to control these commands in systemd (overriding the default policies). This would be the correct way to solve this problem, removal of the symlinks is not enough.
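A sketch of the polkit-rules approach Colin describes, added here as an illustration; it is not code from msec, draksec or this bug report. The action ids are logind's real ones (org.freedesktop.login1.power-off, .reboot, .halt and their -multiple-sessions / -ignore-inhibit variants); the assumptions are that "wheel" is the admin group and that the rule would be dropped into /etc/polkit-1/rules.d/. The small polkit object at the top is a stand-in for polkit's JavaScript host, included only so the rule can be evaluated offline against constructed subjects; on a real system only the polkit.addRule() call belongs in the rules file.

```javascript
// Added example (not msec's or Mageia's code): a polkit rule that keeps the
// halt/poweroff/reboot shortcuts in place but makes the underlying logind
// actions require admin authentication for non-admin users.
// Assumptions: admin group is "wheel"; file would live in /etc/polkit-1/rules.d/.

// --- stand-in for the polkit JavaScript host (only needed to run this offline)
const polkit = {
  // Real polkit defines these result constants; NOT_HANDLED is null there too.
  Result: { YES: "yes", NO: "no", AUTH_ADMIN: "auth_admin", NOT_HANDLED: null },
  _rules: [],
  addRule(fn) { this._rules.push(fn); },
  // polkit runs rules in order and stops at the first one that returns non-null;
  // if none handles the action, the action's own default policy applies.
  evaluate(action, subject) {
    for (const fn of this._rules) {
      const r = fn(action, subject);
      if (r !== null && r !== undefined) return r;
    }
    return null;
  },
};

// --- rule file content (this part is what would ship in rules.d) -----------
// logind's default policy lets an active local session run these without
// authentication, which is why removing the symlinks alone does not help.
const POWER_ACTIONS =
  /^org\.freedesktop\.login1\.(power-off|reboot|halt)(-multiple-sessions|-ignore-inhibit)?$/;

polkit.addRule(function (action, subject) {
  if (!POWER_ACTIONS.test(action.id)) {
    return polkit.Result.NOT_HANDLED;        // leave every other action alone
  }
  if (subject.isInGroup("wheel")) {
    return polkit.Result.YES;                // admins keep the shortcut
  }
  return polkit.Result.AUTH_ADMIN;           // everyone else must authenticate
});

// --- constructed subjects for demonstration ---------------------------------
function makeSubject(user, groups) {
  // Real polkit subjects expose isInGroup(); that is all the rule relies on.
  return { user, isInGroup: (g) => groups.includes(g) };
}

function decide(actionId, user, groups) {
  return polkit.evaluate({ id: actionId }, makeSubject(user, groups));
}

console.log(decide("org.freedesktop.login1.power-off", "alice", ["users"]));              // auth_admin
console.log(decide("org.freedesktop.login1.reboot-multiple-sessions", "bob", ["wheel"])); // yes
console.log(decide("org.freedesktop.login1.suspend", "alice", ["users"]));                // null
```

With the rule in place the symlinks can stay as systemd installs them: a plain user running either "poweroff" or "systemctl poweroff" hits the same polkit decision, which is the point Colin makes above. Returning polkit.Result.NO instead of AUTH_ADMIN would be the stricter choice for SECURE mode.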
Thanks Colin for pointing the way to do it better. I will have a look, although I'm not Perl fluent.
Papoteur
Thanks to both of you. If you do enhance this as Colin suggested, please ensure that it does still restore the symlinks if they're missing.
Blocks: (none) => 18159
Blocks: 18159 => (none)
Depends on: (none) => 18159
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGAA-2016-0067.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED