Fedora 12 lets unprivileged users install packages

Fedora 12 lets unprivileged users install packages

Posted Nov 19, 2009 0:46 UTC (Thu) by dskoll (subscriber, #1630)
Parent article: Fedora 12 lets unprivileged users install packages

Wow. The Debian OpenSSL fiasco left many a red-faced Debian developer and user, and made me wonder about my decision to choose Debian.

Looks like the Fedora crowd now have their very own WTF, so I don't feel so bad.


Fedora 12 lets unprivileged users install packages

Posted Nov 19, 2009 0:59 UTC (Thu) by airlied (subscriber, #9104) [Link]

No, it's nothing like that, you are just trying to justify your choice and I've no idea why you felt the need to comment on that.

Fedora 12 lets unprivileged users install packages

Posted Nov 19, 2009 12:00 UTC (Thu) by dskoll (subscriber, #1630) [Link]

I felt the need to comment because this is a real WTF. It opens up all kinds of attack vectors.

For example: Many RPMs have scriptlets that run on installation or upgrade. Have any of these scripts been designed to be secure in the face of a malicious local non-root user, who can do things like manipulate the environment, etc? Of course not, because the package maintainers rightly assume that anyone installing a package has root access anyway, so they don't need to protect against the possibility of a local user gaining root access.

This move gives malicious users several thousand new, juicy targets.

Fedora 12 lets unprivileged users install packages

Posted Nov 19, 2009 14:34 UTC (Thu) by nevyn (subscriber, #33129) [Link]

> Many RPMs have scriptlets that run on installation or upgrade. Have any
> of these scripts been designed to be secure in the face of a malicious
> local non-root user, who can do things like manipulate the environment,
> etc?

RPM clears the environment before running scriptlets (as I'd assume dpkg does). PackageKit doesn't allow arbitrary bits of the environment to move from its front end (running as the user) to its backend (running as root). But, apart from that, thanks for your insightful and informative speculation.

Fedora 12 lets unprivileged users install packages

Posted Nov 19, 2009 15:54 UTC (Thu) by dskoll (subscriber, #1630) [Link]

The fact remains that installation scripts are much less likely to have been scrutinized for security problems than the actual packages themselves. Maybe you can't play with environment settings, but being able to run thousands of (let's face it) quickly hacked-together scriptlets as root is very enticing for attackers.

Fedora 12 lets unprivileged users install packages

Posted Nov 19, 2009 18:03 UTC (Thu) by mebrown (subscriber, #7960) [Link]

For statistics buffs out there, mean/median/mode:

The mean number of lines of installation scripting for packages installed on my F11 system: 2

The median and mode: 0

By far the most common install script: ldconfig

There are only tens of packages out there with more than a dozen lines of install scripting (i.e., easily auditable). The packaging guidelines discourage complicated install scripting.

I have not audited all the packages out there, but the thought that there are thousands of packages out there with potentially vulnerable install scripting is unfounded in reality.
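The figures above can be reproduced on any RPM-based host. What follows is an added example, not code from the thread or from Fedora: it streams `rpm -q --scripts` for every installed package, counts the lines of scriptlet body per package, and prints mean, median and mode plus the packages with the most scripting (the natural audit worklist). It assumes the text layout of `rpm -q --scripts` (a `... program: /path` header for a bodiless one-liner, a `... scriptlet (using /bin/sh):` header before a script body). The embedded sample is constructed with hypothetical package names so the script runs without rpm; pass `--live` on a real system.

```shell
#!/bin/sh
# Added example (not from the thread): measure how much install-time
# scripting the installed RPMs carry.  Assumes the text layout of
# `rpm -q --scripts`: header lines such as "postinstall program: /sbin/ldconfig"
# or "preinstall scriptlet (using /bin/sh):" followed by the script body.

# Stream "=== <package>" followed by that package's scriptlets, for
# every installed package.  Needs rpm; only used with --live below.
collect_scriptlets() {
    rpm -qa | sort | while read -r pkg; do
        printf '=== %s\n' "$pkg"
        rpm -q --scripts "$pkg"
    done
}

# Reduce that stream to "<package> <scriptlet-lines>" pairs.  A "program:"
# header (e.g. ldconfig with no body) counts as one line; "scriptlet"
# headers and blank body lines are not counted.
count_scriptlet_lines() {
    awk '
        /^=== /                         { if (pkg != "") print pkg, n
                                          pkg = $2; n = 0; next }
        /^[a-z]+ program: /             { n++; next }
        /^[a-z]+ scriptlet \(using /    { next }
        NF                              { n++ }
        END                             { if (pkg != "") print pkg, n }
    '
}

# mean / median / mode over the line counts.
scriptlet_stats() {
    sort -k2,2n | awk '
        { v[NR] = $2; sum += $2; freq[$2]++ }
        END {
            n = NR
            if (n == 0) { print "mean=0 median=0 mode=0"; exit }
            median = (n % 2) ? v[(n + 1) / 2] : (v[n / 2] + v[n / 2 + 1]) / 2
            best = -1
            for (k in freq)
                if (freq[k] > best || (freq[k] == best && k + 0 < mode + 0)) {
                    best = freq[k]; mode = k
                }
            printf "mean=%.2f median=%g mode=%s\n", sum / n, median, mode
        }
    '
}

# The packages carrying the most scripting: where an audit should start.
longest_scriptlets() {
    sort -k2,2nr | head -n "${1:-10}"
}

# Constructed sample in the `rpm -q --scripts` layout.  The package
# names and scriptlets are hypothetical, not real Fedora packages.
SAMPLE=$(cat <<'EOF'
=== libfoo-1.0-1.fc12.x86_64
postinstall program: /sbin/ldconfig
postuninstall program: /sbin/ldconfig
=== hypothetical-daemon-2.3-1.fc12.x86_64
preinstall scriptlet (using /bin/sh):
getent group hypod >/dev/null || groupadd -r hypod
getent passwd hypod >/dev/null || useradd -r -g hypod -s /sbin/nologin hypod
postinstall scriptlet (using /bin/sh):
/sbin/chkconfig --add hypod
preuninstall scriptlet (using /bin/sh):
if [ $1 = 0 ]; then
    /sbin/service hypod stop >/dev/null 2>&1
    /sbin/chkconfig --del hypod
fi
=== docs-only-1.0-1.fc12.noarch
=== another-noscript-0.1-1.fc12.noarch
EOF
)

if [ "${1:-}" = "--live" ] && command -v rpm >/dev/null 2>&1; then
    collect_scriptlets | count_scriptlet_lines | scriptlet_stats
    collect_scriptlets | count_scriptlet_lines | longest_scriptlets 10
else
    printf '%s\n' "$SAMPLE" | count_scriptlet_lines | scriptlet_stats
    printf '%s\n' "$SAMPLE" | count_scriptlet_lines | longest_scriptlets 3
fi
```

On the constructed sample the four packages carry 2, 7, 0 and 0 lines, so the script reports a mean of 2.25, a median of 1 and a mode of 0; on a live system the `longest_scriptlets` list is the set of packages worth reading by hand, since a scriptlet that only runs `ldconfig` needs no review.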

Fedora 12 lets unprivileged users install packages

Posted Nov 19, 2009 19:55 UTC (Thu) by dskoll (subscriber, #1630) [Link]

OK, fine. If you think it's OK to increase the attack surface from a few hundred packages you want installed on your Fedora system to every single signed package in Fedora, then I guess the change makes sense.

For people who are concerned about security, it makes no sense at all.

As a thought experiment, consider how the Fedora community would have reacted had Microsoft made a similar move. They'd have scoffed at its incredible lameness.

Fedora 12 lets unprivileged users install packages

Posted Nov 19, 2009 20:36 UTC (Thu) by mebrown (subscriber, #7960) [Link]

Sure, if by "people concerned about security", you mean, "people who have kneejerk reactions with no analysis whatsoever".

Compare/contrast with a theoretical Microsoft action is neither analysis nor a valid argument. Reading this thread, I'm surprised at the amount of misinformation floating around from *lwn readers*, of all people.

People who have untrusted users can use the locked-down guest account for those users. People who fall outside of normal use case scenarios can easily just change the default to disallow this. Generally anybody who is locking their system down anyways can just add this to the list (or have this as a standard switch that gets de-activated in kiosk mode.)

Personally, after setting up several machines for people who fall under the more general fedora-targeted use-cases, this provides a much better user experience. I'd rather let my wife and mother-in-law install their own software without having to give them complete sudo/root access.

Fedora 12 lets unprivileged users install packages

Posted Nov 19, 2009 20:45 UTC (Thu) by jgarzik (subscriber, #8364) [Link]

It is no theoretical argument to say that secured, multi-user workstations running F11 will upgrade into insecurity when moving up to F12.

You must (a) be aware of the new F12 PackageKit policy and (b) remove PackageKit after upgrade to avoid this major security hole [from the PoV of a multi-user admin].

How many classrooms, laptops, workstations will even be aware of this, given that this is not mentioned in F12-gold release notes at all?
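Both of the last two posts turn on the same practical question: how an admin who keeps PackageKit turns the default back off. The script below is an added example, not from the thread, from Fedora or from the PackageKit project, and it is the less drastic alternative to removing PackageKit. It assumes the PolicyKit action that governs installation of signed packages is `org.freedesktop.packagekit.package-install` (confirm with `pkaction` on the box in question) and that the LocalAuthority backend reads administrator overrides from `/etc/polkit-1/localauthority/50-local.d/*.pkla`; the override file name is my own choice.

```shell
#!/bin/sh
# Added example (not from the thread, Fedora or PackageKit): require admin
# authentication for package installation on an F12 box instead of
# removing PackageKit.  Assumptions: the action id below (check it with
# `pkaction`) and the LocalAuthority override directory.

ACTION="org.freedesktop.packagekit.package-install"
PKLA_DIR="/etc/polkit-1/localauthority/50-local.d"
PKLA_FILE="$PKLA_DIR/10-no-unprivileged-package-install.pkla"   # name is my choice

# The override: every user, local-console or not, must authenticate as admin.
pkla_content() {
    cat <<EOF
[Require admin authentication to install packages]
Identity=unix-user:*
Action=$ACTION
ResultAny=auth_admin_keep
ResultInactive=auth_admin_keep
ResultActive=auth_admin_keep
EOF
}

# Write the override; an alternate destination allows dry runs and tests.
write_pkla() {
    dest="${1:-$PKLA_FILE}"
    mkdir -p "$(dirname "$dest")"
    pkla_content > "$dest"
    chmod 0644 "$dest"
}

# Does a written .pkla pin this action to admin authentication for
# active (console) sessions, the case the F12 default opened up?
pkla_locks_action() {
    grep -q "^Action=$ACTION\$" "$1" &&
    grep -q '^ResultActive=auth_admin_keep$' "$1"
}

# Show what the shipped .policy declares for the action, i.e. the default
# the override above replaces.  Informational only; needs polkit tools.
show_shipped_default() {
    command -v pkaction >/dev/null 2>&1 || { echo "pkaction not available"; return 0; }
    pkaction --verbose --action-id "$ACTION" | grep -i 'implicit active'
}

if [ "${1:-}" = "--install" ]; then
    write_pkla
    pkla_locks_action "$PKLA_FILE" && echo "installed $PKLA_FILE"
else
    pkla_content
fi
```

Run without arguments it only prints the override so it can be reviewed; `--install` (as root) writes it into place. `auth_admin_keep` is the same result the pre-F12 behaviour gave, so a user in the default group who clicks "install" is prompted for the root password and nothing else about PackageKit changes. Because a `.pkla` in `50-local.d` survives package upgrades, it also answers the "will they even be aware of this" worry for hosts that are provisioned from a kickstart or configuration-management recipe: drop the file in at build time and the upgrade cannot silently widen the policy.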

Fedora 12 lets unprivileged users install packages

Posted Nov 19, 2009 21:19 UTC (Thu) by dskoll (subscriber, #1630) [Link]

> Sure, if by "people concerned about security", you mean, "people who have kneejerk reactions with no analysis whatsoever".

*sigh*. I'm not surprised the state of computer security is such a mess. This will come back to bite Fedora, mark my words. "Improving the User Experience" is often (unfortunately) a code phrase for "Security is inconvenient, so let's reduce security."

It's a basic tenet of computer security to reduce your risk by not installing unnecessary software. That's such an obvious best-practice that I'm stunned the Fedora team can't understand the reaction this change is getting.

> I'd rather let my wife and mother-in-law install their own software without having to give them complete sudo/root access.

Wow. That's completely opposite to what I do; I would never trust my wife, kids or parents to install software, let alone have any kind of sudo/root access. I manage the machines for them.

The average Windows machine has been designed for an "Improved User Experience" and lets unsophisticated users install software, etc. The average Windows machine is also a cesspool of adware, spyware, trojans and viruses. I'm not implying that the latest Fedora change is that bad, but it's certainly a step in the wrong direction.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds