I just noticed something that seems weird to me: in Mate Tweak, it’s possible to save a specific panel layout. I had never tried the feature so far and I expected it to save the layout somewhere in ~/.config but it looks like it’s done in /usr/share/mate-panel/layouts as root. I am really surprised that a tweaking software has admin rights without asking for the user password.
Is it normal? Aren’t there potential security issues?
I’m not the developer who wrote this, so I don’t really know the full story behind this.
It occurred to me too that it’s slightly odd a user’s configuration is stored system-wide. There shouldn’t be too much concern over security as it literally creates/modifies a file in the code in a privileged location, where the other default panels are. Presumably the developer did that to simplify the code rather than having to look in two places.
There shouldn't be too much concern over security as it literally creates/modifies a file in the code in a privileged location, where the other default panels are.
Sure, but I'm not concerned about the behaviour of Mate Tweak as much as an eventual exploit through it because of a bug that would escalate a random user to root privileges system-wide.
IMO, user software that has root access should be especially rare and its developers should be extra careful about security; I don't really expect a tweak tool to have it.
If for one reason or another elevated privileges are required, then the user should be prompted to authenticate as admin and only that small piece of code should run elevated.
This definitely warrants a closer look; the current behaviour of MATE Tweak sure smells fishy.
I dug around a bit more, and the root access works via invoking /usr/bin/pkexec, which is part of the PolicyKit framework.
It allows running a process as another user, which based on certain policy settings can happen without being prompted.
If I run pkexec /usr/lib/mate-tweak/install-mate-panel-layout directly from a terminal, it would ask me to authenticate, yet MATE-Panel is apparently allowed to do that specific call without prompting the user.
This is configured in /usr/share/polkit-1/actions/org.mate.mate-tweak.policy.
To be honest, I’m not really a fan that this auto-elevation mechanism even exists. I know there is always this tradeoff of security vs. convenience, and I very much lean towards the former.
Oh, and by the way, while removing that policy file does restore the authentication prompt, canceling the dialog causes MATE-Tweak to still announce it successfully saved the panel layout because it was written based on the assumption it would always have the rights to…
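As an added example (not code from this thread or from MATE Tweak), here is a small Python audit of polkit .policy files: WEAK_POLICY shows the shape of an action that lets pkexec run a helper as root without prompting, HARDENED_POLICY is the same action switched to auth_admin, and find_silent_pkexec_actions flags only the former. The action id is a placeholder; only the exec.path and the actions directory come from the posts above.

```python
import glob
import xml.etree.ElementTree as ET

# Constructed sample polkit action (prolog and DOCTYPE omitted). The action id
# is a placeholder; the exec.path is the helper named in the thread. With
# allow_active=yes any active local session runs that helper as root, unprompted.
WEAK_POLICY = """<policyconfig>
  <action id="org.example.tweak.install-panel-layout">
    <message>Authentication is required to install a panel layout</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/lib/mate-tweak/install-mate-panel-layout</annotate>
  </action>
</policyconfig>
"""

# Same action with the setting the thread asks for: prompt for admin credentials.
HARDENED_POLICY = WEAK_POLICY.replace("<allow_active>yes</allow_active>",
                                      "<allow_active>auth_admin</allow_active>")

EXEC_PATH_KEY = "org.freedesktop.policykit.exec.path"
SCOPES = ("allow_any", "allow_inactive", "allow_active")

def find_silent_pkexec_actions(policy_xml):
    """Return (action_id, exec_path, scope) for each pkexec wrapper action whose
    implicit authorization is a bare "yes", i.e. no authentication at all."""
    findings = []
    for action in ET.fromstring(policy_xml).iter("action"):
        exec_path = next((a.text.strip() for a in action.findall("annotate")
                          if a.get("key") == EXEC_PATH_KEY and a.text), None)
        if exec_path is None:
            continue  # not a pkexec wrapper; a service checks this action itself
        for scope in SCOPES:
            if action.findtext(f"defaults/{scope}", default="no").strip() == "yes":
                findings.append((action.get("id"), exec_path, scope))
    return findings

def audit_directory(directory="/usr/share/polkit-1/actions"):
    """Scan every installed .policy file (the directory named in the thread)."""
    results = {}
    for path in sorted(glob.glob(f"{directory}/*.policy")):
        with open(path, encoding="utf-8") as fh:
            hits = find_silent_pkexec_actions(fh.read())
        if hits:
            results[path] = hits
    return results
```

Calling audit_directory() on a live system lists every installed action that behaves like the one described in the thread, which is the quickest way to see how widespread the pattern is.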
That’s what I assumed, as I don’t think there is another way to easily grant admin access to a user app. Still, I don’t think this should be used for a tweaking app, which is supposed to handle user settings only and not fiddle with the system.
PolicyKit is also used in the Software Boutique and Software Updater (Ubuntu) off the top of my head, although I only thought it needed authentication if it hasn't performed an action that session or for a set period of time. (Like why do some updates install without prompting, and on other days it asks for a password?)
This is just a guess, but it sounds like MATE Tweak is in need of some checks whether the action was completed successfully or not.
But with some tweaks, this program wouldn't even need root access if it stored the panels to the users directories instead.