LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 23, 2013

An "enum" for Python 3

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

People's reaction to this is just stupid.

People's reaction to this is just stupid.

Posted Nov 19, 2009 13:40 UTC (Thu) by drag (subscriber, #31333)
In reply to: People's reaction to this is just stupid. by hppnq
Parent article: Fedora 12 lets unprivileged users install packages

"""The local users discussed here are the completely random "people" who you should assume are roaming around on your system, and who can now trigger something that previously required root privileges."""

If you leave your system unlocked and let random strangers have physical access to it then you have bigger issues then packagekit.

"""Yes, this is then only one of many bad things, and not even the worst thing, that can happen to you. That's no reason to allow everyone and his dog to install software on your system."""

Only people that are logged in locally have this ability.

And it's easily configurable.

"""Yes, there are many things wrong with the superuser security model. But clearly the solution is not to bypass this model."""

Yes it is. Giving users the ability to run code with root privileges under their account is clearly undesirable and any system that allows you to avoid this is desirable.

"""At least not until you have solved the problem that package management might actually require root privileges (reboot, device configuration, etc.)"""

The goal of all of this is to make a Desktop-oriented operating system were normal user activity can be carried out in a safe and secure manner in a user-friendly manner.

Device configuration on Fedora is carried out without user intervention as much as is possible.

Rebooting can be done by a local account without invoking sudo or su and is configurable.

I don't know what 'etc' is going to cover, but I bet that Fedora also has that taken care of.

Updating and installing software is a everyday mundane event. Especially when it comes to performing system updates it's very very desirable to have this happen with as little barriers as possible. Having insecure older versions of software running on a Linux desktop when more secure newer versions are available is a serious threat to the security of the average user's system.

""" and you have solved the rather obvious security problem of running software that may not have been installed by you or someone you trust.'""

If you let unknown or untrusted people log in with your credientials on your system and/or let them have full physical and unmonitored access (all of which is necessary in Fedora 12 to install software without your knowledge) to your systems you have much bigger issues then worrying about somebody installing software that may run as root with a local root exploit.

(Log in to post comments)

People's reaction to this is just stupid.

Posted Nov 19, 2009 14:09 UTC (Thu) by ledow (guest, #11753) [Link]

"If you leave your system unlocked and let random strangers have physical access to it then you have bigger issues then packagekit."

Schools. Colleges. Universities. Cybercafes. Businesses. Yes, even home users with kids.

Local users may not have physical access to *anything* except for the keyboard and the screen, but they are still users and still have to be allowed to *touch* the computer, even if you need to keep it locked down. You can prevent them accessing the hard drive directly, or the external ports, but you can't stop them typing on a keyboard... otherwise 99% of the world's computers are damn useless.

And this "feature" gives all of them the ability to install crap. If nothing else, that's a DoS because they could just install *every* signed bit of crap in the world.

"And it's easily configurable."

And on by default. And next-to-nobody knew about it. I don't give a damn what the option is, if there's even a *REMOTE* chance it would be something I object to, I don't want it on by default without some massive announcement.

"Giving users the ability to run code with root privileges under their account is clearly undesirable and any system that allows you to avoid this is desirable."

Again, technically "nice", practically, a nightmare. And it's the default nature that's the problem, not the feature. Home user or not, it's a silly idea to allow execution of *anything* (even signed code, which will inevitably have a flaw found in it at some point... look at any videogame console "hack") as anything other than the user that executed it, especially if it's done automatically without requiring an admin password. Windows won't let you do that (at least not by design), MacOS won't let you do that, why should Fedora be any different?

"The goal of all of this is to make a Desktop-oriented operating system were normal user activity can be carried out in a safe and secure manner in a user-friendly manner."

Yep. And even MS Windows says "This installer needs to be run as an administrator" most of the time. "runas" is your friend as a Windows admin installing software for users. There's reasons for that, signed code or not.

"Updating and installing software is a everyday mundane event."

So let's not trivialise it by making people think it is somehow "special" and has to be done automatically all the time for you because you're too stupid to type in an admin password when serious changes are made. Hell... just "memorising" the admin password on the basis of an option box the first time it's needed is more "secure" than doing this silently. And, in fact, updating and installing software is, was and always has been something more than "mundane" in terms of security.

"Especially when it comes to performing system updates it's very very desirable to have this happen with as little barriers as possible."

Agreed. But even Windows (usually) refuses to let you do stupid things with updates without asking for the admin password first, or until you log in as an admin.

"Having insecure older versions of software running on a Linux desktop when more secure newer versions are available is a serious threat to the security of the average user's system."

Totally agreed. But that's no different for any other operating system. And still Windows whinges if I try to install an MSI as a non-admin user when that MSI has to do *anything* remotely fancy.

People's reaction to this is just stupid.

Posted Nov 19, 2009 14:31 UTC (Thu) by drag (subscriber, #31333) [Link]

"""Schools. Colleges. Universities. Cybercafes. Businesses. Yes, even home users with kids."""

If you let any desktop OS be used by anonymous people directly using the default configuration your a idiot. I don't care what OS your using.

This causes problems on any system, including older versions of Fedora. Debian, Ubuntu or any thing like that. Nothing with Fedora 12's packagekit default policy changes this fact.

"""Local users may not have physical access to *anything* except for the keyboard and the screen, but they are still users and still have to be allowed to *touch* the computer, even if you need to keep it locked down. You can prevent them accessing the hard drive directly, or the external ports, but you can't stop them typing on a keyboard... otherwise 99% of the world's computers are damn useless."""

Yes 'locked down'. Like 'kiosk mode', right? As in 'not default configuration'.

I am never, ever, going to take any OS and let people use it in public without taking steps to lock it down against them. This sort of thing is extremely difficult to get right in pretty much every OS.

And anyways in systems like Ubuntu (and Fedora, I believe) the default is to let people have unfettered access to root account if they just supply them the user's password. This Fedora 12 packagekit policy change is still a MASSIVE improvement over the status quo. The only people that got this right before was Debian and that was because sudo was not configured by default, but they still screw it up by requiring the use of 'su' to do mundane desktop activities.

"""And this "feature" gives all of them the ability to install crap. If nothing else, that's a DoS because they could just install *every* signed bit of crap in the world."""

They can DOS the system a hundred different ways if they have physical access, even through just a keyboard. Anyways, what is stopping them from downloading and running any piece of code on the planet and executing it from their local account?

NOTHING.

And whats more they have the ability to download and execute any program for any purpose and you have no way of knowing if it's safe or violates the security of your user account or anything like that. With packagekit you at least know that it's a signed binary.

""" "And it's easily configurable." And on by default. And next-to-nobody knew about it. I don't give a damn what the option is, if there's even a *REMOTE* chance it would be something I object to, I don't want it on by default without some massive announcement. """

Yes they should of advertised it. This was a big mistake to let this go out without a announcement. Dumb mistake.

They should of advertised it as a feature during beta, at the very least.

What I think Fedora should do now is introduce a new 'admin' password that is different and separate from your root password and your user password. This will address most of the issues people like you have brought up and still keep most of the positive benefits.

Keep in mind some facts here:
THE NUMBER ONE PROBLEM is insecure passwords in Linux desktops. People will likely make more secure passwords if they don't have to use them all the time. If you require them to use their password for all mundane events then they will very quickly ignore security notifications and all security considerations. Either they will default to using weak passwords or they will not carry out regular system updates.

Making it as easy as possible to use secure passwords and perform system updates is PRIORITY #1. If this causes problems in other areas then this is a bad side effect, but still desirable.

People's reaction to this is just stupid.

Posted Nov 19, 2009 14:50 UTC (Thu) by drag (subscriber, #31333) [Link]

Yes... Now that I think about it you should have a admin 'role' or group
that a user must belong to in order to have the default set of mundane
desktop administrative tasks.

Things like 'mount removable media', 'reboot', 'update software' and a few
other things.

Then let the initial account created during installation belong to this
role. Then users that get added later it should be a manual task to add
these 'mundane privileges' through adding them through a role.

Then the first time that a user performs a mundane privilege then it should
prompt them to if they want to make a 'desktop admin' password or not.

Something like that.

admin role/group

Posted Nov 19, 2009 18:13 UTC (Thu) by rfunk (subscriber, #4054) [Link]

Minus the last paragraph, you just discovered Ubuntu's model. Which is
derived from the older "wheel" model someone else mentioned.

admin role/group

Posted Nov 19, 2009 19:41 UTC (Thu) by drag (subscriber, #31333) [Link]

Ubuntu's model is to give unfettered access to root if you are able to supply the user's password. Which is exactly the sort of thing I want distros to avoid completely.

It's acceptable in a single user environment, which is typical, but it's completely counter productive for most other environments. You should not be required to have root access to perform mundane and routine actions.

People's reaction to this is just stupid.

Posted Nov 19, 2009 20:49 UTC (Thu) by sjm (guest, #62085) [Link]

"And anyways in systems like Ubuntu (and Fedora, I believe) the default is to let people have unfettered access to root account if they just supply them the user's password."

I think in Ubuntu this is true only of the first user created (automatically added to sudo file), but not true for other users.

People's reaction to this is just stupid.

Posted Nov 20, 2009 0:39 UTC (Fri) by drag (subscriber, #31333) [Link]

Yeah. I now think that automatically giving all local users the ability to
install signed packages is probably a bad idea.

It should only be on automatically for the first user created during
installation and then be off by default for users created after that.

People's reaction to this is just stupid.

Posted Nov 20, 2009 17:51 UTC (Fri) by ariveira (guest, #57833) [Link]

First user is added to admin group; that admin group is the
one that has access granted by sudoers.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds