Re: [Tails-dev] Feature #5301 - Clone or Backup Persistent V…

Delete this message

Reply to this message
Author: intrigeri
Date:  
To: The Tails public development discussion list
Subject: Re: [Tails-dev] Feature #5301 - Clone or Backup Persistent Volume
Andrew Gallagher wrote (10 Jan 2016 01:38:20 GMT) :
>> On 10 Jan 2016, at 00:01, intrigeri <intrigeri@???> wrote:
>>
>> In Tails, we also directly access the block device as the amnesia
>> user, since
>> /etc/udev/rules.d/99-make-removable-devices-user-writable.rules allows
>> us to do that.


> Ah, this could be the game changer. I'll look into that and see if it gives me the
> powers I need to avoid setuid (which is the source of all the problems).


Cool :)

>> On Debian/Ubuntu, we are more limited so we use some operations that
>> require administrator credentials:
>>
>> * opening the block device with udisks2, to get a filehandle for
>> writing the MBR;
>> * running syslinux as root, using pkexec.


> From what little I know of policykit, the same security caveats as setuid would usually apply...?


polkit has some minor security advantages, such as allowing us to
grant the privileges we need to the active session user only, and
requiring user consent in a way that's integrated in the desktop.

Cheers,
--
intrigeri