PackageKit policy: background and plans

James Antill james at fedoraproject.org
Tue Nov 24 20:49:27 UTC 2009


On Tue, 2009-11-24 at 14:22 -0500, Peter Jones wrote:
> On 11/23/2009 07:01 PM, Gregory Maxwell wrote:
> > On Mon, Nov 23, 2009 at 6:43 PM, Jesse Keating <jkeating at j2solutions.net> wrote:
> >> This is precisely the dialog that has been removed from F12 and is not
> >> planned to be returned.
> > 
> > My understanding was that this was removed because collecting the root password
> > during a user session is insecure because there could be a sniffer or the dialog
> > could be faked.
> 
> That reason isn't /quite/ right.  One big problem is that if you train a
> user to input the root password over and over, what he learns is to type
> the root password into a dialog box.  The result is that when some
> non-privileged application asks for the root password so it can do bad
> things with it later, the user will type in the root password, and voila,
> a local attack against a user is now a root exploit.

 Sure, that's _a_ problem ... assuming the user has been trained. But
that's a _big_ assumption, esp. when we are only talking about
installing _new_ packages (doesn't happen often, so the user isn't
trained to accept it).
 But, of course, taking advantage of a user trained to input a password
without thinking is not the only attack ... another area of attack would
be when you have an assumed small privilege escalation, that has no
authentication (hence this thread).

> The way around this is role-based privileges, which is what polkit is
> implementing

 In so far as "role-based privileges" is code for "can be configured to
N number of actual checks, including the auth_as_root check we are
comparing it against". Then sure, it has to be at least as secure as
auth_as_root because it can be auth_as_root¹.
 But suggesting that whatever polkit is configured to use is
automatically better than auth_as_root is, at best, misleading.

 Personally I don't think _anyone_ knows "how to make a usable and thus,
in practice, secure desktop". So some of the comments I've read saying
basically "We know X is insecure, so we are now using Y which is
secure/better" are not helping (in fact I'd suggest that this mindset is
what led to this problem initially).


¹ Noting that polkit force removed the "remember auth" option, for no
particularly sane reason that I've seen ... so if that option turns out
to be "the best" option, then role-based privileges has (at least
currently) hurt security.

-- 
James Antill <james at fedoraproject.org>
Fedora