On Thu, 06 Nov 2008 12:04:45 -0500
Daniel J Walsh <dwalsh(a)redhat.com> wrote:
> Currently I am aware of at least 4 "PolicyKit" apps in Fedora 10 with
> a lot more on the way. I believe we are not treating these as the
> security vulnerability that they represent. Now I do NOT believe
> there is anything wrong with PolicyKit itself. The problem is in
> the apps that are using it.
>
> I see 19 packages that drop files in the policykit dir...
>
> argyllcms-0:1.0.3-1.fc10.x86_64
> ConsoleKit-0:0.3.0-2.fc10.x86_64
> control-center-1:2.24.0.1-9.fc10.x86_64
> DeviceKit-disks-0:002-0.git20080720.fc10.x86_64
> DeviceKit-power-0:001-2.fc10.x86_64
> GConf2-0:2.24.0-1.fc10.x86_64
> gnome-applets-1:2.24.1-1.fc10.x86_64
> gnome-lirc-properties-0:0.3.1-1.fc10.noarch
> gnome-panel-0:2.24.1-3.fc10.x86_64
> gnome-system-monitor-0:2.24.1-1.fc10.x86_64
> hal-0:0.5.12-12.20081027git.fc10.x86_64
> libvirt-0:0.4.6-3.fc10.x86_64
> NetworkManager-1:0.7.0-0.11.svn4229.fc10.x86_64
> PackageKit-0:0.3.9-4.fc10.x86_64
> pulseaudio-0:0.9.13-6.fc10.x86_64
> system-config-samba-0:1.2.66-1.fc10.noarch
> system-config-services-0:0.99.25-1.fc10.noarch
> thinkfinger-0:0.3-8.fc9.x86_64
>
> Let's take a look at system-config-services. This service comes up and
> prompts me for the root password before I start and stop a service.
> That is good, works just like it did when system-config-services used
> consolehelper. Except for one problem, it defaults to a clicked
> "Remember authorization" meaning the next time I run
> system-config-services it will NOT prompt for the password. Now there
> is a check box for "This session only" but it is defaulted to off
> also.
Is that default in the app config? Or in PolicyKit itself?
Ah, looks like the app, so that's bad. :(
> So this means that I clicked "Start A service", entered the "Root
> Password" and took the default. Now any process on my desktop has the
> ability to start and stop any service on my machine without me even
> knowing about it???? There also might be a bug in
> system-config-services communications with dbus that would allow me to
> spawn a root shell.
>
> This is the equivalent of or worse than a setuid app, and yet we do
> nothing to control the proliferation of these apps, while we shut
> down all apps that setuid!!!!
>
> All PolicyKit apps that require the Admin Password should default to
> "For this Session Only", and potentially for this action only.
> Consolekit only preserved the authentication for 5 minutes, by
> default, now we preserve it forever by default. The argument can
> be made that consolehelper used to be allowed to permanently save the
> user being allowed, but this involved an admin editing a file and
> probably a better understanding of what he is doing.
>
> Perhaps a few minutes and something like when the screensaver starts it
> automatically removes all current auths?
>
> SELinux can help a little to mitigate the risk but SELinux is not
> going to be running everywhere. And for something like
> system-config-services, SELinux can do almost nothing since the tool
> needs to start and stop all services which is a pretty high level of
> security.
>
> Fedora Security team should be looking at all packages that get
> PolicyKit integration to make sure they are secure, have the correct
> PolicyKit authorization, and a security check should be put on the
> service side of the app. I think we should write lint apps to look
> at PolicyKit specifications and look for vulnerable xml policy.
> Rpmlint and RPMDiff should run this to make sure apps are secure by
> default.
Yeah, I agree.
I was going to suggest that this discussion should take place on an
upstream PolicyKit list, but I can't seem to find one anywhere. ;(
kevin
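The lint tool Dan asks for above (scan a package's PolicyKit `.policy` XML for defaults that keep an authorization around) is small enough to sketch. The following is an added example written for this thread, not code from either poster, from Fedora's rpmlint, or from the PolicyKit project. It assumes the PolicyKit 0.9 policy format that Fedora 10 shipped, where each `<action>` carries `<defaults>` with `allow_any`, `allow_inactive` and `allow_active`, and where the `auth_*_keep_always` values are what produce the pre-ticked "Remember authorization" the thread objects to. The sample policy document, its vendor string and its `org.example.*` action ids are constructed placeholders, not any real package's file.

```python
import sys
import xml.etree.ElementTree as ET

# PolicyKit 0.9 <defaults> values (assumption: the format Fedora 10 shipped).
# "_keep_session" retains an obtained authorization until the session ends;
# "_keep_always" retains it until explicitly revoked, i.e. the "remember
# forever" default the thread wants packages to stop using.
KEEP_ALWAYS = {"auth_admin_keep_always", "auth_self_keep_always"}
KEEP_SESSION = {"auth_admin_keep_session", "auth_self_keep_session"}
DEFAULT_TAGS = ("allow_any", "allow_inactive", "allow_active")


def lint_policy(xml_text):
    """Scan one .policy document and return findings as
    (action_id, tag, value, severity) tuples, in document order."""
    findings = []
    root = ET.fromstring(xml_text)
    for action in root.iter("action"):
        action_id = action.get("id", "<no id>")
        defaults = action.find("defaults")
        if defaults is None:
            # No explicit defaults at all: flag for manual review.
            findings.append((action_id, "defaults", None, "warn"))
            continue
        for tag in DEFAULT_TAGS:
            node = defaults.find(tag)
            if node is None or node.text is None:
                continue
            value = node.text.strip()
            if value in KEEP_ALWAYS:
                findings.append((action_id, tag, value, "error"))
            elif value in KEEP_SESSION:
                findings.append((action_id, tag, value, "warn"))
    return findings


def lint_files(paths):
    """Lint each path, print findings, and return True only if no
    error-level finding was seen (suitable as an rpmlint-style gate)."""
    clean = True
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            for action_id, tag, value, severity in lint_policy(fh.read()):
                clean = clean and severity != "error"
                print(f"{severity}: {path}: {action_id}: <{tag}> = {value}")
    return clean


# Constructed sample: placeholder vendor and action ids, not a real package's
# policy. The first action carries the over-permissive default, the second
# re-prompts on every request.
SAMPLE_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<policyconfig>
  <vendor>Example Vendor (placeholder)</vendor>
  <action id="org.example.services.manage">
    <description>Start and stop system services (sample)</description>
    <message>Authentication is required to manage services</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep_always</allow_active>
    </defaults>
  </action>
  <action id="org.example.services.query">
    <description>List system services (sample)</description>
    <message>Authentication is required to list services</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin</allow_active>
    </defaults>
  </action>
</policyconfig>
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python policykit_lint.py /usr/share/PolicyKit/policy/*.policy
        sys.exit(0 if lint_files(sys.argv[1:]) else 1)
    for finding in lint_policy(SAMPLE_POLICY):
        print(finding)
```

Run with no arguments it lints the embedded sample and reports the `auth_admin_keep_always` default on `org.example.services.manage` as an error while leaving the plain `auth_admin` action alone; `_keep_session` values are reported at warning level, which matches the thread's view that session-only retention is acceptable but still worth a second look. Pointed at a policy directory it exits non-zero on any error-level finding, which is the hook a build-time checker would want.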