<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>PolicyKit Model</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.75.2">
<link rel="home" href="index.html" title="PolicyKit Library Reference Manual">
<link rel="up" href="ref-design.html" title="Design Overview">
<link rel="prev" href="intro-define-problem.html" title="Defining the Problem">
<link rel="next" href="model-concepts.html" title="Concepts">
<meta name="generator" content="GTK-Doc V1.14 (XML mode)">
<link rel="stylesheet" href="style.css" type="text/css">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<table class="navigation" id="top" width="100%" summary="Navigation header" cellpadding="2" cellspacing="2"><tr valign="middle">
<td><a accesskey="p" href="intro-define-problem.html"><img src="left.png" width="24" height="24" border="0" alt="Prev"></a></td>
<td><a accesskey="u" href="ref-design.html"><img src="up.png" width="24" height="24" border="0" alt="Up"></a></td>
<td><a accesskey="h" href="index.html"><img src="home.png" width="24" height="24" border="0" alt="Home"></a></td>
<th width="100%" align="center">PolicyKit Library Reference Manual</th>
<td><a accesskey="n" href="model-concepts.html"><img src="right.png" width="24" height="24" border="0" alt="Next"></a></td>
</tr></table>
<div class="chapter" title="PolicyKit Model">
<div class="titlepage"><div><div><h2 class="title">
<a name="model"></a>PolicyKit Model</h2></div></div></div>
<div class="toc"><dl>
<dt><span class="sect1"><a href="model.html#model-mechanism-vs-policy">Mechanism vs. Policy</a></span></dt>
<dt><span class="sect1"><a href="model-concepts.html">Concepts</a></span></dt>
<dt><span class="sect1"><a href="model-theory-of-operation.html">Theory of Operation</a></span></dt>
<dt><span class="sect1"><a href="model-authentication-agent.html">Authentication Agent</a></span></dt>
</dl></div>
<div class="sect1" title="Mechanism vs. Policy">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="model-mechanism-vs-policy"></a>Mechanism vs. Policy</h2></div></div></div>
<p>
PolicyKit assumes a model in which a program is split into two
parts: the Mechanism, which runs privileged and has no user
interface elements, and the policy agent, which runs
unprivileged. The two parts run in separate processes and
communicate through some IPC mechanism such as pipes or the
system message bus (D-Bus). In some instances the Mechanism can
be considered part of the core OS and the policy agent part of
the desktop stack.
</p>
<p>
A Mechanism should never trust any application that tries to
use it; it must carefully verify all data and requests the
application passes to it. This is the model employed by HAL
and NetworkManager:
</p>
<p>
<img src="diagram-bus-model.png">
</p>
<p>
This model is by no means restricted to applications using
D-Bus; it applies to most other security-sensitive
applications. For example, the PAM module that checks your
password can run unprivileged and use a simple, easy-to-audit
privileged helper
application, <code class="literal">/sbin/unix_chkpwd</code> on Red Hat
systems, to actually check the password
against <code class="literal">/etc/shadow</code>. In a similar fashion,
all
<a class="ulink" href="http://en.wikipedia.org/wiki/Setuid" target="_top">setuid
root</a> applications carefully check (or at least
should) their incoming parameters and the environment in which
they are launched.
</p>
<p>
In general, such an architecture is considered secure as long
as the Mechanism (and the libraries it depends on) has been
verified to be secure; nothing on the unprivileged side needs
to be trusted.
</p>
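<p>
The split described above, as an added example that is not part of
PolicyKit or of this manual: a small privileged mechanism, written in C,
that validates every request it receives over the pipe from the
unprivileged agent before acting on any of it, together with the
environment allowlist a setuid helper such as the one mentioned above
would apply. The <code class="literal">mount &lt;device&gt;</code> request
grammar, the <code class="literal">/dev/</code> character set and the set of
allowed environment variables are assumptions made for this
illustration; PolicyKit does not define the protocol between a
mechanism and its agent, each mechanism does.
</p>

```c
/* Added example, not PolicyKit's own code: the privileged half of a
 * mechanism/policy split. The mechanism reads one request per line from the
 * pipe or socket connecting it to the unprivileged agent and performs nothing
 * it has not validated itself. The "mount <device>" grammar, the /dev/
 * character set and the environment allowlist are assumptions for this example. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define REQ_MAX 256

enum req_status { REQ_OK = 0, REQ_TOO_LONG, REQ_BAD_CHARS, REQ_BAD_COMMAND, REQ_BAD_DEVICE };

/* The only operations the mechanism offers; anything else is refused. */
static const char *const allowed_commands[] = { "mount", "unmount", NULL };

/* A device is a non-empty path under /dev/ built from a small character set.
 * '.' is not in the set, so ".." (and any escape from /dev/) cannot appear;
 * "//" and a trailing '/' are refused so each device has exactly one spelling. */
static int device_path_is_sane(const char *dev)
{
    static const char prefix[] = "/dev/";
    const size_t plen = sizeof prefix - 1;
    if (strncmp(dev, prefix, plen) != 0 || dev[plen] == '\0')
        return 0;
    for (const char *p = dev + plen; *p != '\0'; p++) {
        if (!isalnum((unsigned char)*p) && *p != '/' && *p != '_' && *p != '-')
            return 0;
        if (*p == '/' && (p[-1] == '/' || p[1] == '\0'))
            return 0;
    }
    return 1;
}

/* Validate "<command> <device>\n" exactly as read from the pipe. The length is the
 * byte count from read(), not strlen(), so an embedded NUL is rejected instead of
 * silently truncating the request. */
enum req_status mechanism_validate_request(const char *req, size_t len,
                                           char *cmd_out, size_t cmd_cap,
                                           char *dev_out, size_t dev_cap)
{
    if (len > REQ_MAX)
        return REQ_TOO_LONG;
    for (size_t i = 0; i < len; i++)
        if (!isprint((unsigned char)req[i]) && req[i] != '\n')
            return REQ_BAD_CHARS;                /* NUL, tab, escapes, 8-bit bytes */
    char buf[REQ_MAX + 1];
    memcpy(buf, req, len);
    buf[len] = '\0';
    buf[strcspn(buf, "\n")] = '\0';              /* one request per line */
    char *sep = strchr(buf, ' ');
    if (sep == NULL || strchr(sep + 1, ' ') != NULL)
        return REQ_BAD_COMMAND;                  /* exactly two fields, no options */
    *sep = '\0';
    const char *cmd = buf, *dev = sep + 1;
    int known = 0;
    for (const char *const *c = allowed_commands; *c != NULL; c++)
        known |= (strcmp(cmd, *c) == 0);
    if (!known || strlen(cmd) >= cmd_cap)
        return REQ_BAD_COMMAND;
    if (!device_path_is_sane(dev) || strlen(dev) >= dev_cap)
        return REQ_BAD_DEVICE;
    strcpy(cmd_out, cmd);
    strcpy(dev_out, dev);
    return REQ_OK;
}

/* Verdict only, for callers that just want accept/reject. */
enum req_status mechanism_check(const char *req, size_t len)
{
    char cmd[16], dev[REQ_MAX + 1];
    return mechanism_validate_request(req, len, cmd, sizeof cmd, dev, sizeof dev);
}

/* The setuid-helper counterpart: a privileged program keeps only the inherited
 * environment variables it has an explicit reason to trust. LD_PRELOAD, IFS,
 * PATH and everything else not listed are dropped; the helper then sets PATH
 * itself to a fixed value before executing anything. */
int env_entry_allowed(const char *kv)
{
    static const char *const allow[] = { "LANG=", "LC_ALL=", "TZ=", NULL };
    for (const char *const *a = allow; *a != NULL; a++)
        if (strncmp(kv, *a, strlen(*a)) == 0)
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed requests standing in for what an agent might send over the pipe. */
    const char *samples[] = {
        "mount /dev/sdb1\n",             /* well-formed */
        "mount /dev/../etc/shadow\n",    /* path escape attempt */
        "mount /dev/sdb1 -o exec\n",     /* smuggled option */
        "format /dev/sdb1\n",            /* operation not offered */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *s = samples[i];
        printf("%-26.*s -> %s\n", (int)strcspn(s, "\n"), s,
               mechanism_check(s, strlen(s)) == REQ_OK ? "accept" : "reject");
    }
    return 0;
}
```

<p>
Everything the mechanism will act on comes out of
<code class="literal">mechanism_validate_request</code>, so the part that
has to be audited is that function and its callers; the agent may send
anything it likes over the pipe and the worst outcome is a rejected
request. The length handed to the validator is the byte count returned
by <code class="literal">read()</code>, not <code class="literal">strlen()</code>
on the buffer, so a NUL byte smuggled into a request is caught by the
character check rather than silently shortening the device name.
</p>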
</div>
</div>
<div class="footer">
<hr>
Generated by GTK-Doc V1.14</div>
</body>
</html>