PackageKit policy: background and plans
James Morris
jmorris at namei.org
Fri Nov 20 05:09:15 UTC 2009
On Thu, 19 Nov 2009, Owen Taylor wrote:
> Among the decisions Richard made was allowing all users to install
> signed packages from the Fedora repositories. This was clearly the right
> behavior for the common case of a single-user system, where the only
> user is also the administrator.
I don't think this is clearly the right behavior at all.
Many users limit their use of the root account to essential system
maintenance, and run general purpose applications as a regular
unprivileged user.
This greatly limits the attack surface, i.e. the number of different ways
in which a system might be compromised. System tools are also often more
carefully designed, less complex, better tested, and better reviewed.
I would usually not, for example, run a web browser as root, because it
exposes a fairly complicated application to the global network. A bug in
the browser's HTML parser might allow a remote attacker to take control
of my shell session with an appropriately crafted page.
I think it's fair to say that having this happen as root would generally
be worse than it happening as an unprivileged user. For the latter, the
attacker would need to also then succeed with a local privilege escalation
attack to the same effect.
With the new behavior, the attack surface is increased in several ways:
- The local session has a new means to execute in a high privilege
  context, i.e. that which is required to install the system itself.
  This is a problem alone -- everything which runs in this context is
  now a prime attack target.
- The local session can now install any signed packages from the Fedora
  repos:
  - I think this includes old versions of packages (correct?) with known
    and undisclosed vulnerabilities (old packages are particularly
    problematic because they're unmaintained)
  - It certainly includes all previously uninstalled current packages
  - Packages are installed globally, so the attack surface extends to
    other users who may end up using them (like root, or httpd), and not
    just the local user at the time
- MAC policy can be updated without administrative privilege, breaking our
  MAC model in a fundamental way.
- There are also several DoS scenarios.
> And it seemed pretty safe: Fedora isn't supposed to have packages in it
> that are dangerous to install.
Software always has bugs, and some of those bugs will inevitably be
security-relevant. Ideally, no packages will be dangerous to install, but
we know that some will be.
It is best practice to only install the packages which need to be
installed, for this reason.
> (For example, by policy, all network services must be off by default and
> not enabled by simply installing a package.)
Good.
> Executive summary
> =================
>
> We'll make an update to the F12 PackageKit, so that the root password is
> required to install packages.
Also good :-)
Thanks for getting this resolved so quickly.
- James
--
James Morris
<jmorris at namei.org>
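The thread above contrasts a policy that lets any active local session install signed packages with one that requires the administrator's password. As an added illustration (not code from the thread, from James, Owen or the PackageKit project), here is what that contrast looks like in a PolicyKit action definition, with the permissive defaults shown commented out beside the corrected ones. The action id `org.freedesktop.packagekit.package-install` and the file location are assumptions about how PackageKit registers its actions; the thread does not say which file the F12 update changes.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<!-- Assumed to be installed as
     /usr/share/polkit-1/actions/org.freedesktop.packagekit.policy
     (illustrative example, not the project's shipped file). -->
<policyconfig>
  <vendor>Illustrative example</vendor>

  <!-- Assumed action id; PackageKit's real id may differ. -->
  <action id="org.freedesktop.packagekit.package-install">
    <description>Install signed package</description>
    <message>Authentication is required to install software</message>

    <!--
      Weak defaults: the objection raised in the thread.
      allow_active=yes means any user with an active local session can
      install any signed package from the configured repositories
      without proving they are the administrator. Installed packages
      are global, so this also widens the attack surface for root,
      httpd and every other account on the machine.

    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
    -->

    <!--
      Corrected defaults, matching the announced F12 update: the
      administrator must authenticate before a package is installed.
      auth_admin_keep caches that authorisation briefly for the same
      session; plain auth_admin would prompt on every install.
    -->
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
</policyconfig>
```

The only difference between the two `<defaults>` blocks is the `allow_active` value; `no` for `allow_any` and `allow_inactive` is kept in both so that remote or inactive sessions can never trigger an install at all, which is the part of the model the thread does not dispute.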