Currently I am aware of at least 4 "PolicyKit" apps in Fedora 10 with a lot more on the way. I believe we are not treating these as the security vulnerability that they represent. Now I do NOT believe there is anything wrong with PolicyKit itself. The problem is in the apps that are using it.
Let's take a look at system-config-services. This service comes up and prompts me for the root password before I start and stop a service. That is good, works just like it did when system-config-services used consolehelper. Except for one problem: it defaults to a clicked "Remember authorization", meaning the next time I run system-config-services it will NOT prompt for the password. Now there is a check box for "This session only", but it is defaulted to off also.
So this means that I clicked "Start A service", entered the "Root Password" and took the default. Now any process on my desktop has the ability to start and stop any service on my machine without me even knowing about it???? There also might be a bug in system-config-services' communications with dbus that would allow me to spawn a root shell.
This is the equivalent of or worse than a setuid app, and yet we do nothing to control the proliferation of these apps, while we shut down all apps that are setuid!!!!
All PolicyKit apps that require the Admin Password should default to "For this Session Only", and potentially for this action only. Consolekit only preserved the authentication for 5 minutes by default; now we preserve it for ever by default. The argument can be made that consolehelper used to be allowed to permanently save the user being allowed, but this involved an admin editing a file and probably a better understanding of what he is doing.
SELinux can help a little to mitigate the risk, but SELinux is not going to be running everywhere. And for something like system-config-services, SELinux can do almost nothing since the tool needs to start and stop all services, which is a pretty high level of security.
The Fedora Security team should be looking at all packages that get PolicyKit integration to make sure they are secure, have the correct PolicyKit authorization, and a security check should be put on the service side of the app. I think we should write lint apps to look at PolicyKit specifications and look for vulnerable XML policy. Rpmlint and RPMDiff should run this to make sure apps are secure by default.
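The kind of lint the post asks for, as an added example that is not a Fedora or PolicyKit tool: it assumes the PolicyKit 0.9-era .policy layout (policyconfig/action/defaults with allow_any, allow_inactive, allow_active) and flags the "remember forever" defaults on a constructed sample policy.

```python
import xml.etree.ElementTree as ET

# PolicyKit 0.9-era result values that keep working after one prompt, or never
# prompt at all: the "Remember authorization" default the post objects to.
PERMISSIVE = {"yes", "auth_self_keep_always", "auth_admin_keep_always"}
# Acceptable for an admin action: ask every time, or remember for this session.
ACCEPTABLE_ACTIVE = {"no", "auth_admin", "auth_admin_keep_session"}


def lint_policy(xml_text):
    """Return (action_id, tag, value, reason) tuples for risky defaults."""
    findings = []
    for action in ET.fromstring(xml_text).iter("action"):
        action_id = action.get("id", "<missing id>")
        defaults = action.find("defaults")
        for tag in ("allow_any", "allow_inactive", "allow_active"):
            node = defaults.find(tag) if defaults is not None else None
            # An absent element is treated as "no" here, for linting only.
            value = (node.text or "").strip() if node is not None else "no"
            if tag != "allow_active" and value != "no":
                findings.append((action_id, tag, value,
                                 "non-console or inactive session gets access"))
            elif tag == "allow_active" and value in PERMISSIVE:
                findings.append((action_id, tag, value,
                                 "remembered forever or no auth; use auth_admin"
                                 " or auth_admin_keep_session"))
            elif tag == "allow_active" and value not in ACCEPTABLE_ACTIVE:
                findings.append((action_id, tag, value,
                                 "user's own password, not the admin password"))
    return findings


# Constructed sample modelled on a service-control policy; not a real Fedora file.
SAMPLE = """<policyconfig>
  <action id="org.example.services.manage">
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep_always</allow_active>
    </defaults>
  </action>
  <action id="org.example.services.status">
    <defaults>
      <allow_any>yes</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep_session</allow_active>
    </defaults>
  </action>
</policyconfig>"""
```

Running `lint_policy(SAMPLE)` reports the manage action's `auth_admin_keep_always` and the status action's `allow_any` of `yes`; switching the former to `auth_admin_keep_session` clears that finding.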
On Thu, 2008-11-06 at 12:04 -0500, Daniel J Walsh wrote:
> Let's take a look at system-config-services. This service comes up and prompts me for the root password before I start and stop a service. That is good, works just like it did when system-config-services used consolehelper.
Incidentally, a related problem with this is that as a user I have no way of knowing which application generated that pop-up dialog asking for my root password.
I may be wrong, but I don't believe there is any way whatsoever for the user to tell reliably that the pop-up dialog is legitimate. If there is a way to tell it is legitimate, it is not quite obvious enough.
The only clue I can have that I should indeed input my password is timing. If I didn't do anything mandating a request for my root password in the previous second, I'm unlikely to trust the pop-up. But this is obviously a very weak security guarantee.
As an example scenario, I believe any user application can be notified when the network connection goes up and down (through D-Bus?). Such a connection-related event is probably a good time for a rogue application to display such a pop-up (e.g. with the tendency of wireless connections to go down unexpectedly at random times).
This is not a very smart scenario, I'm sure attackers would come up with much more convincing ones, but that one would work at least on some users some of the time.
Any arbitrary code execution vulnerability in a user space application like Firefox has the potential of becoming a successful remote root exploit, just because the user got fooled.
This weakness has been present for quite a while now; I would imagine people have thought about it before. But it may be worth thinking about it again, especially in light of the recent trend to ask for your root password in new and unexpected ways at odd times.
Regards, Eric.
On Thu, 06 Nov 2008 12:04:45 -0500 Daniel J Walsh dwalsh@redhat.com wrote:
> Currently I am aware of at least 4 "PolicyKit" apps in Fedora 10 with a lot more on the way. I believe we are not treating these as the security vulnerability that they represent. Now I do NOT believe there is anything wrong with PolicyKit itself. The problem is in the apps that are using it.
I see 19 packages that drop files in the policykit dir...
argyllcms-0:1.0.3-1.fc10.x86_64
ConsoleKit-0:0.3.0-2.fc10.x86_64
control-center-1:2.24.0.1-9.fc10.x86_64
DeviceKit-disks-0:002-0.git20080720.fc10.x86_64
DeviceKit-power-0:001-2.fc10.x86_64
GConf2-0:2.24.0-1.fc10.x86_64
gnome-applets-1:2.24.1-1.fc10.x86_64
gnome-lirc-properties-0:0.3.1-1.fc10.noarch
gnome-panel-0:2.24.1-3.fc10.x86_64
gnome-system-monitor-0:2.24.1-1.fc10.x86_64
hal-0:0.5.12-12.20081027git.fc10.x86_64
libvirt-0:0.4.6-3.fc10.x86_64
NetworkManager-1:0.7.0-0.11.svn4229.fc10.x86_64
PackageKit-0:0.3.9-4.fc10.x86_64
pulseaudio-0:0.9.13-6.fc10.x86_64
system-config-samba-0:1.2.66-1.fc10.noarch
system-config-services-0:0.99.25-1.fc10.noarch
thinkfinger-0:0.3-8.fc9.x86_64
> Let's take a look at system-config-services. This service comes up and prompts me for the root password before I start and stop a service. That is good, works just like it did when system-config-services used consolehelper. Except for one problem: it defaults to a clicked "Remember authorization", meaning the next time I run system-config-services it will NOT prompt for the password. Now there is a check box for "This session only", but it is defaulted to off also.
Is that default in the app config? Or in PolicyKit itself? Ah, looks like the app, so that's bad. :(
> So this means that I clicked "Start A service", entered the "Root Password" and took the default. Now any process on my desktop has the ability to start and stop any service on my machine without me even knowing about it???? There also might be a bug in system-config-services' communications with dbus that would allow me to spawn a root shell.
> This is the equivalent of or worse than a setuid app, and yet we do nothing to control the proliferation of these apps, while we shut down all apps that are setuid!!!!
> All PolicyKit apps that require the Admin Password should default to "For this Session Only", and potentially for this action only. Consolekit only preserved the authentication for 5 minutes by default; now we preserve it for ever by default. The argument can be made that consolehelper used to be allowed to permanently save the user being allowed, but this involved an admin editing a file and probably a better understanding of what he is doing.
Perhaps a few minutes and something like when the screensaver starts it automatically removes all current auths?
> SELinux can help a little to mitigate the risk, but SELinux is not going to be running everywhere. And for something like system-config-services, SELinux can do almost nothing since the tool needs to start and stop all services, which is a pretty high level of security.
> The Fedora Security team should be looking at all packages that get PolicyKit integration to make sure they are secure, have the correct PolicyKit authorization, and a security check should be put on the service side of the app. I think we should write lint apps to look at PolicyKit specifications and look for vulnerable XML policy. Rpmlint and RPMDiff should run this to make sure apps are secure by default.
Yeah, I agree.
I was going to suggest that this discussion should take place on an upstream PolicyKit list, but I can't seem to find one anywhere. ;(
kevin
security@lists.fedoraproject.org