clock riddle

Gregory Maxwell gmaxwell at gmail.com
Tue Feb 24 15:12:52 UTC 2009


On Tue, Feb 24, 2009 at 9:50 AM, Matthias Clasen <mclasen at redhat.com> wrote:
> On Tue, 2009-02-24 at 08:18 -0600, Chris Adams wrote:
>> Once upon a time, Chris Adams <cmadams at hiwaay.net> said:
>> > What mechanism is there to keep track of these policies?  There should
>> > be a Fedora policy to control RPMs adding new policies to PolicyKit.  As
>> > a system admin, I look for setuid/setgid binaries and open sockets, but
>> > now there's a new method to bypass that for root-level access.
>>
>> As a follow-up, I see on F10 that a user can also increase their process
>> priority level (which is normally a privilege reserved for root).  This
>> is often useful in timing attacks and should not be allowed.
>>
>> If I'm reading the policy right, users can change PackageKit proxy
>> settings and force a refresh of metadata.  How much has PackageKit's
>> (and yum's) code been audited for security?  If I can point it at a
>> proxy and force it to download data, how secure is it against attack
>> (e.g. via corrupted data)?
>>
>
> Can we please try to stay realistic here.
> We are talking about default settings for a desktop system, where users
> are expected to be able to update their systems.

Chris' proposed attack pattern is not so different from being able to
LD_PRELOAD ahead of running a SUID binary.

I find it somewhat amusing that so much work was done to eliminate
extraneous SUID binaries in the system but then PolicyKit was added
which carries with it the risk of parallel classes of security
vulnerabilities.  PolicyKit is a neat and useful feature, but it needs
to be treated with the same strict scrutiny that other SUID mechanisms
are.  The current default security settings for time are a sign that
important things were overlooked.
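The thread's practical point is that an admin who already audits setuid/setgid binaries also has to audit what PolicyKit grants by default, because a `.policy` file whose `<allow_active>` is `yes` is a root-level code path no `find -perm` will ever show. The script below is an added example, not code from this thread or from the PolicyKit or PackageKit projects: it scans a directory tree for set-id binaries and parses PolicyKit `.policy` XML (the `<action id>` / `<defaults>` / `<allow_any>`, `<allow_inactive>`, `<allow_active>` layout) to list actions an active local session can trigger with no authentication at all. The embedded policy file and its `org.example.*` action ids are constructed for the example; on a real system you would point it at `/usr/share/PolicyKit/policy` (PolicyKit 0.9, the F10 era) or `/usr/share/polkit-1/actions` (polkit 1).

```python
"""Audit helper: PolicyKit actions granted without authentication,
side by side with setuid/setgid binaries.  Added example, not code from
the mailing-list thread or from PolicyKit/PackageKit."""
import os
import stat
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Dict, List, Tuple

# Constructed sample .policy file.  The action ids are hypothetical but the
# element layout is the one PolicyKit reads.  A missing <allow_*> element
# means "no", which is PolicyKit's own default.
SAMPLE_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<policyconfig>
  <action id="org.example.pkgmgr.system-network-proxy-configure">
    <description>Set the proxy used by the package manager</description>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.example.pkgmgr.refresh-cache">
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
  <action id="org.example.clock.set-time">
    <defaults>
      <allow_active>auth_admin</allow_active>
    </defaults>
  </action>
</policyconfig>
"""

CONTEXTS = ("allow_any", "allow_inactive", "allow_active")


def _level(defaults, tag: str) -> str:
    """Authorization level for one context; absent element == 'no'."""
    node = defaults.find(tag) if defaults is not None else None
    return (node.text or "no").strip() if node is not None else "no"


def parse_policy(policy_xml: str) -> Dict[str, Tuple[str, str, str]]:
    """Map action id -> (allow_any, allow_inactive, allow_active)."""
    root = ET.fromstring(policy_xml)
    out: Dict[str, Tuple[str, str, str]] = {}
    for action in root.iter("action"):
        aid = action.get("id")
        if aid:
            d = action.find("defaults")
            out[aid] = tuple(_level(d, t) for t in CONTEXTS)  # type: ignore[assignment]
    return out


def unauthenticated_actions(policy_xml: str) -> List[str]:
    """Actions an active local session gets with no credential at all ('yes')."""
    return sorted(a for a, (_, _, active) in parse_policy(policy_xml).items()
                  if active == "yes")


def self_auth_actions(policy_xml: str) -> List[str]:
    """Actions gated only by the user's *own* password, which an attacker who
    already runs code in that session can usually supply or phish."""
    return sorted(a for a, (_, _, active) in parse_policy(policy_xml).items()
                  if active.startswith("auth_self"))


def is_setid(mode: int) -> bool:
    """True for a regular file carrying the setuid or setgid bit."""
    return stat.S_ISREG(mode) and bool(mode & (stat.S_ISUID | stat.S_ISGID))


def find_setid(root: str) -> List[str]:
    """The classic admin check: every set-id regular file under root."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                st = p.lstat()  # lstat: do not follow symlinks out of the tree
            except OSError:
                continue
            if is_setid(st.st_mode):
                hits.append(str(p))
    return sorted(hits)


if __name__ == "__main__":
    # Real systems: POLICY_DIR=/usr/share/PolicyKit/policy (0.9) or
    # /usr/share/polkit-1/actions (polkit 1); this run uses the sample text.
    print("no-auth actions :", unauthenticated_actions(SAMPLE_POLICY))
    print("self-auth actions:", self_auth_actions(SAMPLE_POLICY))
    print("set-id under /usr/bin:", find_setid("/usr/bin")[:10])
```

Treat every id printed by `unauthenticated_actions` the way you would treat a new setuid binary: find the daemon that implements it and ask what a hostile local user can do through that code path (here, redirecting the package manager's downloads through a proxy they control).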
