PackageKit policy: background and plans

James Morris jmorris at namei.org
Fri Nov 20 05:09:15 UTC 2009


On Thu, 19 Nov 2009, Owen Taylor wrote:

> Among the decisions Richard made was allowing all users to install
> signed packages from the Fedora repositories. This was clearly the right
> behavior for the common case of a single-user system, where the only
> user is also the administrator.

I don't think this is clearly the right behavior at all.

Many users limit their use of the root account to essential system 
maintenance, and run general purpose applications as a regular 
unprivileged user.

This greatly limits the attack surface, i.e. the number of different ways 
in which a system might be compromised.  System tools are also often more 
carefully designed, less complex, better tested, and better reviewed.

I would usually not, for example, run a web browser as root, because it 
exposes a fairly complicated application to the global network.  A bug in 
the browser's HTML parser might allow a remote attacker to take control 
of my shell session with an appropriately crafted page.

I think it's fair to say that having this happen as root would generally 
be worse than it happening as an unprivileged user.  For the latter, the 
attacker would need to also then succeed with a local privilege escalation 
attack to the same effect.

With the new behavior, the attack surface is increased in several ways:

 - The local session has a new means to execute in a high privilege 
   context, i.e. that which is required to install the system itself.  
   This is a problem alone -- everything which runs in this context is 
   now a prime attack target.

 - The local session can now install any signed packages from the Fedora 
   repos:

    - I think this includes old versions of packages (correct?) with known 
      and undisclosed vulnerabilities (old packages are particularly 
      problematic because they're unmaintained)

    - It certainly includes all previously uninstalled current packages

    - Packages are installed globally, so the attack surface extends to 
      other users who may end up using them (like root, or httpd), and not 
      just the local user at the time

MAC policy can be updated without administrative privilege, breaking our 
MAC model in a fundamental way.

There are also several DoS scenarios.

> And it seemed pretty safe: Fedora isn't supposed to have packages in it 
> that are dangerous to install.

Software always has bugs, and some of those bugs will inevitably be 
security-relevant.  Ideally, no packages will be dangerous to install, but 
we know that some will be.

It is best practice to only install the packages which need to be 
installed, for this reason.

> (For example, by policy, all network services must be off by default and 
> not enabled by simply installing a package.)
 
Good.

> Executive summary
> =================
> 
> We'll make an update to the F12 PackageKit, so that the root password is
> required to install packages.

Also good :-)

Thanks for getting this resolved so quickly.


- James
-- 
James Morris
<jmorris at namei.org>