Looks like the Fedora crowd now have their very own WTF, so I don't feel so bad.
Fedora 12 lets unprivileged users install packages
Posted Nov 19, 2009 0:59 UTC (Thu) by airlied (subscriber, #9104)
Posted Nov 19, 2009 12:00 UTC (Thu) by dskoll (subscriber, #1630)
For example: Many RPMs have scriptlets that run on installation or upgrade. Have any of these scripts been designed to be secure in the face of a malicious local non-root user, who can do things like manipulate the environment, etc? Of course not, because the package maintainers rightly assume that anyone installing a package has root access anyway, so they don't need to protect against the possibility of a local user gaining root access.
This move gives malicious users several thousand new, juicy targets.
Posted Nov 19, 2009 14:34 UTC (Thu) by nevyn (subscriber, #33129)
RPM clears the environment before running scriptlets (as I'd assume dpkg does). PackageKit doesn't allow arbitrary bits of the environment to move from its front end (running as the user) to its backend (running as root). But, apart from that, thanks for your insightful and informative speculation.
Posted Nov 19, 2009 15:54 UTC (Thu) by dskoll (subscriber, #1630)
Posted Nov 19, 2009 18:03 UTC (Thu) by mebrown (subscriber, #7960)
For statistics buffs out there, mean/median/mode:
The mean number of lines of installation scripting for packages installed on my F11 system: 2
The median and mode: 0
By far the most common install script: ldconfig
There are only tens of packages out there with more than a dozen lines of install scripting (i.e. easily auditable). The packaging guidelines discourage complicated install scripting.
I have not audited all the packages out there, but the thought that there are thousands of packages out there with potentially vulnerable install scripting is unfounded in reality.
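The measurement described in the post above (mean, median and mode of install-scripting lines per installed package, plus the short list of packages worth auditing by hand) can be reproduced with a small script. The following is an added example, not code from the thread or from Fedora: it parses the output of `rpm -q --scripts`, whose header lines look like `postinstall scriptlet (using /bin/sh):` or `postuninstall program: /sbin/ldconfig`, and summarizes the line counts. The sample output embedded below is constructed for illustration; `collect_from_rpm()` queries the live RPM database when one is present.

```python
import re
import shutil
import subprocess
from collections import Counter
from statistics import mean, median

# Header lines printed by `rpm -q --scripts` before each scriptlet, e.g.
#   "postinstall scriptlet (using /bin/sh):"   (a body follows)
#   "postuninstall program: /sbin/ldconfig"    (no body; the program is the whole scriptlet)
HEADER_RE = re.compile(
    r"^(pre|post)(install|uninstall|trans)\s+(scriptlet \(using [^)]*\):|program: .+)$"
)


def count_scriptlet_lines(scripts_output: str) -> int:
    """Count lines of code that run as root at install/upgrade/removal time.

    Blank lines and "scriptlet (using ...)" headers are not counted; a bare
    "program: /path" header counts as one line, since that program still runs.
    """
    total = 0
    for line in scripts_output.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        header = HEADER_RE.match(stripped)
        if header:
            if header.group(3).startswith("program:"):
                total += 1
            continue
        total += 1
    return total


def summarize(counts: dict) -> dict:
    """Mean/median/mode of scriptlet line counts and the packages above a dozen lines."""
    values = list(counts.values())
    return {
        "mean": mean(values),
        "median": median(values),
        "mode": Counter(values).most_common(1)[0][0],
        "over_dozen": sorted(pkg for pkg, n in counts.items() if n > 12),
    }


def collect_from_rpm() -> dict:
    """Query every installed package on an RPM-based host (requires the rpm binary)."""
    if shutil.which("rpm") is None:
        raise RuntimeError("rpm not found on this host")
    pkgs = subprocess.run(["rpm", "-qa"], check=True,
                          capture_output=True, text=True).stdout.split()
    counts = {}
    for pkg in pkgs:
        out = subprocess.run(["rpm", "-q", "--scripts", pkg], check=True,
                             capture_output=True, text=True).stdout
        counts[pkg] = count_scriptlet_lines(out)
    return counts


# Constructed sample of `rpm -q --scripts` output for four hypothetical packages.
SAMPLE_OUTPUT = {
    "libfoo": "postinstall program: /sbin/ldconfig\npostuninstall program: /sbin/ldconfig\n",
    "bar-utils": "",
    "baz-daemon": (
        "preinstall scriptlet (using /bin/sh):\n"
        "getent group baz >/dev/null || groupadd -r baz\n"
        "getent passwd baz >/dev/null || useradd -r -g baz -d /var/lib/baz -s /sbin/nologin baz\n"
        "\n"
        "postinstall scriptlet (using /bin/sh):\n"
        "/sbin/chkconfig --add baz\n"
        "postuninstall scriptlet (using /bin/sh):\n"
        "if [ $1 -ge 1 ]; then\n"
        "    /sbin/service baz condrestart >/dev/null 2>&1 || :\n"
        "fi\n"
    ),
    "qux-lib": "",
}


def sample_summary() -> dict:
    """Run the summary over the constructed sample (mean 2.0, median 1.0, mode 0)."""
    return summarize({pkg: count_scriptlet_lines(out) for pkg, out in SAMPLE_OUTPUT.items()})


if __name__ == "__main__":
    try:
        counts = collect_from_rpm()
    except RuntimeError:
        counts = {pkg: count_scriptlet_lines(out) for pkg, out in SAMPLE_OUTPUT.items()}
    print(summarize(counts))
```

The `over_dozen` list is the useful output for a multi-user admin: it is the handful of packages whose scriptlets deserve a manual read before letting unprivileged users trigger their installation.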
Posted Nov 19, 2009 19:55 UTC (Thu) by dskoll (subscriber, #1630)
For people who are concerned about security, it makes no sense at all.
As a thought experiment, consider how the Fedora community would have reacted had Microsoft made a similar move. They'd have scoffed at its incredible lameness.
Posted Nov 19, 2009 20:36 UTC (Thu) by mebrown (subscriber, #7960)
Compare/contrast with a theoretical Microsoft action is neither analysis nor valid argument. Reading this thread, I'm surprised at the amount of misinformation floating around from *lwn readers*, of all people.
People who have untrusted users can use the locked-down guest account for those users. People who fall outside of normal use case scenarios can easily just change the default to disallow this. Generally anybody who is locking their system down anyways can just add this to the list (or have this as a standard switch that gets de-activated in kiosk mode.)
Personally, after setting up several machines for people who fall under the more general fedora-targeted use-cases, this provides a much better user experience. I'd rather let my wife and mother-in-law install their own software without having to give them complete sudo/root access.
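For the "change the default to disallow this" option mentioned above, the mechanism in Fedora 12 was a PolicyKit local-authority override. The fragment below is an added example, not taken from the thread or from the Fedora project; the action ID `org.freedesktop.packagekit.package.install` and the `/var/lib/polkit-1/localauthority/50-local.d/` path are assumptions based on the PackageKit and polkit-1 releases of that era, so verify the exact action name on your host with `pkaction --verbose` before relying on it.

```ini
# /var/lib/polkit-1/localauthority/50-local.d/10-no-user-package-install.pkla
# Constructed example: the F12 default answered ResultActive=yes for this action,
# letting any active local session install signed packages without authenticating.
# This rule makes every result require an administrator's credentials instead.
[Require admin authentication to install packages]
Identity=unix-user:*
Action=org.freedesktop.packagekit.package.install
ResultAny=auth_admin
ResultInactive=auth_admin
ResultActive=auth_admin
```

Explicit `.pkla` rules in `50-local.d` take precedence over the implicit defaults shipped in the action's `.policy` file, so no package needs to be modified or removed; `pkaction --action-id org.freedesktop.packagekit.package.install --verbose` shows the defaults being overridden. Later polkit releases (0.106 and up) dropped the local-authority `.pkla` format in favour of JavaScript rules under `/etc/polkit-1/rules.d/`, so the same intent has to be expressed differently there.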
Posted Nov 19, 2009 20:45 UTC (Thu) by jgarzik (subscriber, #8364)
You must (a) be aware of the new F12 PackageKit policy and (b) remove PackageKit after upgrade to avoid this major security hole [from the PoV of a multi-user admin].
How many classrooms, laptops, workstations will even be aware of this, given that this is not mentioned in F12-gold release notes at all?
Posted Nov 19, 2009 21:19 UTC (Thu) by dskoll (subscriber, #1630)
Sure, if by "people concerned about security", you mean, "people who have kneejerk reactions with no analysis whatsoever".
*sigh*. I'm not surprised the state of computer security is such a mess. This will come back to bite Fedora, mark my words. "Improving the User Experience" is often (unfortunately) a code phrase for "Security is inconvenient, so let's reduce security."
It's a basic tenet of computer security to reduce your risk by not installing unnecessary software. That's such an obvious best-practice that I'm stunned the Fedora team can't understand the reaction this change is getting.
I'd rather let my wife and mother-in-law install their own software without having to give them complete sudo/root access.
Wow. That's completely opposite to what I do; I would never trust my wife, kids or parents to install software, let alone have any kind of sudo/root access. I manage the machines for them.
The average Windows machine has been designed for an "Improved User Experience" and lets unsophisticated users install software, etc. The average Windows machine is also a cesspool of adware, spyware, trojans and viruses. I'm not implying that the latest Fedora change is that bad, but it's certainly a step in the wrong direction.
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds