Fedora 12 and unprivileged package installation
Fedora 12 was released on November 17 with the usual pile of new packages and features. By the sounds, it is a solid, well-received release. But one feature—unpublicized, undocumented, and turned on by default—has a number of Fedora users up in arms, leading to a huge thread on fedora-devel, in the bugzilla entry, and here at LWN. In short, the problem was that in the Fedora 12 default installation, regular users sitting at the console could install signed packages from any repository that the administrator has enabled.
Since the release, and all of the publicity and complaints, the maintainers of PackageKit have decided to remove the feature. Out of this controversy, though, are lessons for any project regarding security, transparency, and system defaults. There were no real complaints about the existence of the feature, rather it was the choice to make it the default, coupled with a lack of any notice of the change, that led to the outcry.
Unprivileged package installation
Non-root install is a convenience feature, and one that was supported somewhat differently in earlier Fedoras. From F9 through F11, the same effect could be achieved by using PackageKit to install a package, entering the root password, and checking a box to allow that user to install in the future without needing to enter the root password. The key difference is that in F12, no root password is ever required; the checkbox has been removed and is treated as if it was turned on for all users.
PackageKit goes to some lengths to determine that the user is logged on at the physical console of the machine before allowing non-root installs. It only allows installation of packages, not update or removal, and requires that the packages are signed by a key that has been installed by root. The only repositories that are allowed to be used are those that were previously configured and enabled by a root user.
The use case is for single-user (or all trusted user) systems, where the logged-in user is likely to be the same person as the root user. Some people evidently don't like having to enter the root password, or, worse, having to track down the person with the root password, when they install software. It is part of the effort to simplify the desktop experience, with package installation being considered a "routine" task that many users would like to be able to do without the extra password-entering step. But that has serious security implications.
So, why wasn't the previous behavior just propagated into F12? It turns out that the PolicyKit feature that was used (auth_admin_keep_always) was eliminated between PolicyKit 0.9 and 1.0, because it was considered to be a security problem. Because F12 uses PolicyKit 1.0, it makes it difficult to just revert to the old behavior. Instead, PackageKit maintainer Richard Hughes has decided to change the policy such that the root password will always be required for installing packages on F12. An alternative was proposed by Kevin Kofler that may allow the earlier behavior to return without the PolicyKit support, though it is unclear whether it is being considered.
Security ramifications
It didn't take much thought for various folks to come up with security issues with the new feature. Even for the stated use case, allowing unprivileged package installation has some fairly significant implications. The idea that running on the console somehow makes a process trusted is dubious at best. Firefox is an excellent example of a program that regularly has flaws which may lead to arbitrary code execution. That means that attackers on the web may be able to install packages on F12 systems.
But the proponents of this feature insist that there is no risk to installing trusted packages from trusted repositories. There are a number of problems with that thinking, starting with the fact that there are, without question, "trusted" packages in the Fedora repositories today that have privilege escalation and other security flaws. Trusting a repository does not in any way imply trusting every package in it. Administrators may well have added other repositories to pick up a package or two as well, without considering the fact that they have now opened up their systems to all of the packages contained in that, less trusted, repository.
There is also an incident that some are conveniently forgetting. In August 2008, there was some kind of break-in to the Fedora project servers, including the system used for signing packages. There is no evidence that malicious packages were signed at that time, but it is always a possibility in the future. During the time when Fedora was figuring out what happened, and issuing new signing keys, users were warned not to update their systems. But, if console applications can be subverted to do that installation, one can easily see a path to mass compromise of Fedora systems.
Because of the way this was changed, administrators who upgraded to F12 will find that the privileges of the users on their system have suddenly been elevated. Because PackageKit and PolicyKit are relatively new additions, many administrators may be largely unaware of them and their capabilities. Eliminating PackageKit is one way to avoid the current problem, but other, seemingly unrelated packages are dependent on it; setroubleshoot for example. Because PackageKit and PolicyKit function in ways that are very different from the traditional UNIX security model, it is imperative that Fedora protect its users from unexpected security holes, at least in the default installation.
SELinux hacker James Morris has a summary of the problems that can occur, including such things as denial of service from exhausting the disk space on the system. A user could also install an SELinux policy that is weaker than that installed by the administrator, leading to an overall reduction in the security of the system. Overall, the implications of this change were not fully explored before it was added to F12.
Defense
The main defense of the PackageKit behavior seems to be that any attacker who
has physical access to the machine has many ways to subvert it. Hughes listed a
number of other actions that a normal user can do in F12, some of which
could certainly be considered security issues. Those don't make for a
valid reason for the PackageKit changes, though, as Rick L. Vinyard Jr. points
out: "Perhaps those should also be discussed and analyzed further, but that doesn't
serve as a justification for the matter at hand.
"
There are multiple scenarios where console access does not imply access to the machine. A monitor, keyboard, and mouse are all that is required for a console, not necessarily access to the power button, USB ports, CD drives, and so forth. So, it is not universally true that console access equates to physical access. In addition, various tools like VNC allow remote users to act as if they were on the console. While VNC itself is detected as a non-local console, x11vnc is not.
Normally, one would expect this kind of change to be noticed in Rawhide—Fedora's development distribution—long before the F12 release. That would have allowed the issue to be discussed and resolved well in advance of unsuspecting users upgrading into the new policy. Unfortunately, the Rawhide packages aren't signed, so PackageKit always requires the root password to install them. So the first time the Fedora community saw this change was after they had upgraded to the "real" F12.
One might also expect a change of this magnitude to appear, perhaps quite prominently, in the F12 release notes, but that was not the case at the time of the release. Since that time, a very eye-catching note was added to the security section of the release notes. That could serve as a warning for users that read, or at least skim, those notes.
The other main line of defense is that this behavior is "just" a default,
and can be changed by administrators. While that is true, the process to
do so is not obvious. It involves mucking about with PolicyKit files,
something that many Fedora users probably know little to nothing about.
Hughes thinks that
users should learn PolicyKit: "If you're deploying F12, then I really think you should know the
basics about PolicyKit.
"
But, when Seth Vidal set out to find out how to
disable the feature—documented
on his blog—asking Hughes did not lead to
the solution: "So, if our engineers don't know the basics, how should
our users?
"
Overall, Hughes's reaction to the problem has been dismissive, bordering on rude:
Based on the above, one could argue with the "trivially", but, more to the point, one must understand an existing security model before changing it. If one myopically focuses on a single use case, and ignores the problems inherent in even that case, concluding that allowing unprivileged users to do package installation might make sense. But, for overall system security—not to mention the reputation of Fedora as a distribution that keeps security in mind—myopia is not a good strategy.
Hughes often refers to the change only being made for the "desktop spin", but that doesn't really make sense as the feature was added to all of Fedora. Certainly, some spins—server, for example—could change this default, but that seems backward. The core should default to secure choices, and allow spins to relax those requirements if they so desire. As Adam Williamson points out:
Larger issues
Regardless of how they feel about the specific feature in question, Fedora
developers would like to avoid being blindsided by these kinds of changes
in the future. To that end, Chris Adams started a discussion on security policy
oversight: "Any package (whether new or an update) that adds/changes PolicyKit,
consolehelper, or PAM configuration, and anything that installs new
setuid/setgid executables, should require some additional third-party
review.
" As part of that discussion, Hughes seems to be coming around to the majority view: "At
the moment we're
asking the server spin to essentially close the door, when maybe we
should start with a closed door, and be asking the desktop spin to
open it up a little more.
"
There is concern that a package maintainer can change global behavior for the distribution without any notice. Once the change is made, that maintainer can refuse to change it back, requiring the Fedora Engineering Steering Committee (FESCo) to step in and make a decision. In the case of a security problem, one that the maintainer is unwilling to acknowledge, the delay could be a serious problem. Since the change to PackageKit still has not been released as of this writing, there are numerous systems out there that are being installed or upgraded into less security.
FESCo discussed the issue at its November 20 meeting, and Vidal will be putting together a proposal to require the maintainers of critical packages to disclose any changes that might have this kind of impact. From the discussion of Adams's call for more oversight, a need for an overall framework of what users should and should not be able to do was noted. Fedora engineering manager Tom "spot" Callaway has started gathering a list of things that unprivileged users should not be able to do that would presumably factor into such a policy.
There were also some ancillary, but still important, issues. The responses
from Hughes and David Zeuthen ("I'm
not interested in this bike-shed or what color it is
") in the thread
angered quite a few. As the discussions grew, several Fedora leaders tried
to tamp down the flames, which also didn't sit well with folks. A
suggestion to vote on the bug, rather than continue piling on to the
discussion was met with opposition as well, leading Jeff Garzik to note:
Bugzilla voting was created precisely so that users could raise the profile of a bug and register their voice, without adding actual noise to the discussion.
At one point Red Hat employees started using hidden comments in the bug to create a virtual "executive session", but folks started noticing the skipped message numbers and wondered what was going on. Williamson stepped in quickly to stop that:
The future
The Fedora project has likely learned quite a bit from this particular controversy, and it seems to be taking the right steps to avoid a repeat in the future. For a distribution that went through a great deal of pain to integrate SELinux features in order to increase the security of the system, it is mind-boggling to many that this non-root install feature was added as the default. There were multiple missteps—making it the default, not highlighting it in the release notes, not testing it in Rawhide, and so on—but those can all be corrected. Hopefully, the outcry and publicity will ensure that the word gets out, so that Fedora users will understand the issue and can make the appropriate changes for their systems.
In the meantime, though, other projects—distributions or software
packages—would be well-served by studying this episode. Security is hard,
and requires great diligence. It is likely that other projects could have
hit this same kind of problem, but, hopefully, with this incident as a guide,
will avoid doing so in the future.
| Index entries for this article | |
|---|---|
| Security | Distribution security |
Posted Nov 20, 2009 23:01 UTC (Fri)
by jamesmrh (guest, #31622)
[Link] (1 responses)
There are deployed systems where users have console access, but the only part of the system physically available is a wireless keyboard -- the rest is behind plexiglass.
Posted Nov 20, 2009 23:25 UTC (Fri)
by sladen (guest, #27402)
[Link]
Posted Nov 20, 2009 23:17 UTC (Fri)
by Frej (guest, #4165)
[Link] (19 responses)
That was quite a biased article... Sorry, but how can I be sure you presented the case fair
when
you have clear bias?
And stuff like like this is slashdot worthy:
Security is a compromise. Thus, either we have the best security in the world with no users because it's too anoying Or,
we
try to find the sweet spot for a certain set of users,
we can't please everyone.
Example: We could require entering root password every time a new website is accessed (almost
like installing a program today), but i doubt users
would accept it. It's too cumbersome.
----
Another way to solve this, is for desktop users just to install the app per user (thus requiring no
extra permissions). But we are stuck in designing
software that manages software, which is very nice for sysadmins or others who want to sysadm
their laptop ;)
Posted Nov 21, 2009 0:10 UTC (Sat)
by drag (guest, #31333)
[Link] (17 responses)
Posted Nov 21, 2009 0:15 UTC (Sat)
by drag (guest, #31333)
[Link]
I meant to say:
.. Debian is completely worthless against the default user for removable
At least media that shows up with 'floppy' group.
Posted Nov 21, 2009 8:10 UTC (Sat)
by bojan (subscriber, #14302)
[Link]
Excellent summary of the whole thing.
Posted Nov 21, 2009 9:57 UTC (Sat)
by NAR (subscriber, #1313)
[Link] (3 responses)
I think installing software is not a normal event, but an exceptional. I install software about 2-3 times per year (after the initial OS installation, when it takes some time to get every necessary software). On the other hand as far as I understand, Fedora <12 used to ask the password only once in a session, so they had a fairly good compromise between security and usability that was broken with the upgrade...
Posted Nov 21, 2009 12:16 UTC (Sat)
by tzafrir (subscriber, #11501)
[Link] (2 responses)
Is the typical Fedora "desktop" installation useful enough without adding such an extra repository?
Posted Nov 22, 2009 12:19 UTC (Sun)
by NAR (subscriber, #1313)
[Link] (1 responses)
Posted Nov 25, 2009 20:37 UTC (Wed)
by Baylink (guest, #755)
[Link]
Posted Nov 21, 2009 12:38 UTC (Sat)
by ballombe (subscriber, #9523)
[Link]
> brw-rw---- 1 root floppy 8, 16 Nov 20 17:49 /dev/sdb
It is an udev configuration problem: as configured it tries to guess what
> But after that any new user defaults to no group membership except their own, so it's not too bad. Just as long as I don't get UID 1000 on Debian then any removable media is safe from me. :)
It should be noted that the extra groups are only added to the user
Posted Nov 21, 2009 13:55 UTC (Sat)
by man_ls (guest, #15091)
[Link]
Posted Nov 21, 2009 17:03 UTC (Sat)
by amonnet (guest, #54852)
[Link] (1 responses)
I might look old fashionned, but i really enjoy the good old UNIX way to treat theses kind of permissions.
New PolicyKit, DeviceKit, IdontKnownWhatKit, with their balkanized permission configuration file, have me wanted to bang my head on a rock.
I really miss my old /etc/group, /etc/sudoers and /etc/security/group.conf when presented with a dialog box telling me i have no right to do something (and absolutely no understanding what configuration file i should change).
Posted Nov 23, 2009 1:53 UTC (Mon)
by salimma (subscriber, #34460)
[Link]
Posted Nov 22, 2009 18:05 UTC (Sun)
by nhippi (guest, #34640)
[Link]
If a admin believes ext3 makes files on usb stick safe the admin is not mistaken, the admin is stupid.
Then again, it is known for at least last 10 years that granting hardware access by the traditional UNIX user:group setup just doesn't correlate with reality. Observe the historic discussion with /dev/dsp permissions. previously we had two choices:
1) add a user to "audio" group.
..means the user can remotely eavesdrop local users.
2) grant user access (by temporarily adding to audio group or by chowning it to the user) to /dev/dsp when logging into console and remove the permissions when logging out
..means the user can open /dev/dsp when visiting console, and leave a daemon reading it and remotely eavesdrop local users.
same applies to floppies, usbsticks etc. Hopefully policykit etc will deal with it eventually.
Posted Nov 22, 2009 19:45 UTC (Sun)
by epa (subscriber, #39769)
[Link] (5 responses)
It's kind of embarassing that for many years Windows has had better security than Linux in this one area. The 'schoolboy attack' of locking the screen and bringing up a fake password dialogue is also trivial.
So I quite agree that conditioning users to type in their password (or, perhaps worse, the root password) all the time is a terribly bad idea. However, asking them to hit Ctrl-Alt-Delete and enter their password into a secure authentication screen will piss them off, and perhaps also condition them to ignore the boring message and just authorize the action every time, but at least it does not have the problem of keyloggers or trojan websites which pop up 'enter your password' dialogues.
Non-technical users, who (demonstrably) cannot distinguish between genuine password prompts and bogus ones from malware, can at least be told to always hit Ctrl-Alt-Del before entering their password. It may not be enough, but at least it's something.
(For remote access, a remote secure attention sequence is also possible; for example many Windows remote desktop clients have a 'send Ctrl-Alt-Del' menu option, which again cannot be intercepted by ordinary applications.)
Posted Nov 23, 2009 15:58 UTC (Mon)
by drag (guest, #31333)
[Link] (1 responses)
Posted Nov 23, 2009 18:35 UTC (Mon)
by madscientist (subscriber, #16861)
[Link]
Posted Nov 23, 2009 19:31 UTC (Mon)
by cmccabe (guest, #60281)
[Link]
That's a very good point. It's important to have a secure login path. This is an especially important issue in a shared computer lab, where people can log into any machine they like.
It would be nice if gnome or KDE could be configured to request an "uninterceptable" keystroke combination before allowing you to log in through gdm or xdm. I don't know enough about X input handling to know how feasible this would be.
C.
Posted Nov 25, 2009 23:59 UTC (Wed)
by jmorris42 (guest, #2203)
[Link] (1 responses)
Fire up an xterm (a real one) and observe the first option on the menu if you press CTRL-F1 is Secure Keyboard. It is intended to be used for exactly the sort of thing you mention. X had thought of security and built it in long before NT 3.1 'invented' it, the GNOME/KDE kids simply forgot about that sort of thing along with most of the other good parts of X.
Seems to be a pattern with modern graphical free software development to repeat all of Microsoft's security mistakes and for the same reason. The mad rush to bring about 'the Year of Linux on the Desktop' is producing the exact same marketing based security policies that we have laughed our butts off over when Microsoft originally made em. But apparently we learned nothing.
Posted Nov 26, 2009 17:40 UTC (Thu)
by mjg59 (subscriber, #23239)
[Link]
(Heck. The attacker could ignore X altogether and just thunk read and write in xterm and read everything going over the pty. You'd end up with a secure channel between the server and the xterm, which would win you absolutely nothing overall)
Posted Dec 1, 2009 1:23 UTC (Tue)
by louie (guest, #3285)
[Link]
That was quite a biased article... Sorry, but how can I be sure you presented the case fair when you have clear bias?
I'd just like to ditto this. I have subscribed to LWN for years because it makes an attempt to really understand all sides of an issue before taking an editorial stance, and so I trust Jon's judgment. This article shows no such nuance or balance, which is a shame and not what I expect from LWN.
Posted Nov 20, 2009 23:49 UTC (Fri)
by k8to (guest, #15413)
[Link] (3 responses)
We now have a lot of new complexity. SELinux, PolicyKit, dbus, PackageKit. Linux, at least the Red Hat flavor, is getting harder to inspect, and harder to understand. This is not a path to long term success.
Posted Nov 21, 2009 10:28 UTC (Sat)
by luya (subscriber, #50741)
[Link] (2 responses)
Because that front-end is gone on Fedora 12 I have to relearn the policy setting from terminal (or using text-editor). The good thing about PolicyKit (Polkittool) is the ease of use and human readability.
Selinux has tremendously evolved. it is very easy to submit bug report so policy can be updated as soon as possible.
Packagekit is not hard at all although it does not have yumex complex functionality. However the ability to detect missing codec, fonts and the fact it is backend independent (yum, apt-deb, smart, conakry) cannot be overlooked. Because of my design field, I mostly use it for simple update and use yum for advanced function.
I think the biggest problem in this community is the fear of change and inertia for some traditional users. Let not forget Fedora is all about cutter technologies.
Posted Nov 21, 2009 17:34 UTC (Sat)
by k8to (guest, #15413)
[Link] (1 responses)
If you can't be sure of exactly what they're doing, then you aren't creating security, you're creating false comfort.
Posted Nov 21, 2009 19:57 UTC (Sat)
by luya (subscriber, #50741)
[Link]
Posted Nov 21, 2009 1:34 UTC (Sat)
by JoeBuck (subscriber, #2330)
[Link]
Posted Nov 21, 2009 3:55 UTC (Sat)
by AdamW (subscriber, #48457)
[Link] (7 responses)
One: "The responses from Hughes and David Zeuthen ("I'm not interested in this bike-shed or what color it is") in the thread angered quite a few."
It's perfectly sensible for David to say that, because this issue had absolutely nothing to do with David. David is the maintainer of PolicyKit. PolicyKit is a framework for defining policies. It does not, in itself, define any policies. Deciding what the authentication policies should be is not PolicyKit's job, and PolicyKit doesn't do it. So why should David care? His code doesn't set the policy, he was not involved in deciding the policy, and it's not his job to decide the policy.
Two: "Williamson stepped in quickly to stop that:"
Ah, you flatter me. ;) I don't have the power to stop anything. All I can do is express an opinion, based on the declared Fedora policies. I don't have any authority over anyone who posted a private comment in the bug. (I just barely outrank the laboratory mice around here...)
Three: comment from JoeBuck - "It seems clear that there isn't anyone on the PolicyKit team who does what Bruce Schneier (among others) regularly urges: you need someone on your team who can think like a black hat."
Joe, read point one above. PolicyKit is simply a framework. It doesn't define any policies. PolicyKit does absolutely nothing unless applications choose to use it for privilege escalation, rather than using su or sudo or consolehelper or whatever. And it's the _apps_ that define the policies. This policy was defined in PackageKit, not PolicyKit.
Posted Nov 21, 2009 5:30 UTC (Sat)
by JoeBuck (subscriber, #2330)
[Link] (3 responses)
Posted Nov 21, 2009 12:11 UTC (Sat)
by hppnq (guest, #14462)
[Link]
Posted Nov 21, 2009 16:34 UTC (Sat)
by AdamW (subscriber, #48457)
[Link] (1 responses)
Posted Nov 21, 2009 19:06 UTC (Sat)
by PO8 (guest, #41661)
[Link]
Wha? Nobody is asking you to have a security expert working on "every application". They're asking you to have a security expert working on the applications which control your security policy. Especially when those applications are new and present unique challenges. Any distro that can't afford that should stick with the tried-and-true UNIX security model and its implementation rather than trying to innovate in the security policy arena.
Posted Nov 21, 2009 19:50 UTC (Sat)
by MarkWilliamson (guest, #30166)
[Link] (2 responses)
Posted Nov 22, 2009 18:30 UTC (Sun)
by mattdm (subscriber, #18)
[Link] (1 responses)
Posted Nov 22, 2009 22:39 UTC (Sun)
by dark (guest, #8483)
[Link]
Posted Nov 21, 2009 7:47 UTC (Sat)
by NAR (subscriber, #1313)
[Link] (1 responses)
So the root cause of the problem is that a feature used by many was considered to be a security problem, then they introduced a new feature which is considered by many as a severe security problem?
Posted Nov 21, 2009 17:36 UTC (Sat)
by k8to (guest, #15413)
[Link]
Posted Nov 22, 2009 1:03 UTC (Sun)
by kragil (guest, #34373)
[Link]
BTW can this convenience feature be enabled in Ubuntu?
Posted Nov 23, 2009 1:13 UTC (Mon)
by pspinler (subscriber, #2922)
[Link] (3 responses)
Instead of inventing something completely different, could some existing framework like Opensolaris / Solaris 10's RBAC (http://www.softpanorama.org/Solaris/Security/solaris_rbac...) be used?
It'd have the advantage of already being in production several years, having a open source reference implementation in Opensolaris (although it'd have to be reimplemented due to license incompatibility) already having an LDAP schema for central administration, and already having a set of people knowledgeable about it.
-- Pat
Posted Nov 23, 2009 7:28 UTC (Mon)
by hppnq (guest, #14462)
[Link]
Posted Nov 23, 2009 8:58 UTC (Mon)
by luya (subscriber, #50741)
[Link]
Posted Nov 23, 2009 17:01 UTC (Mon)
by clugstj (subscriber, #4020)
[Link]
Posted Nov 25, 2009 20:34 UTC (Wed)
by Baylink (guest, #755)
[Link]
If that's how Fedora runs, then I'm glad I'm a SuSE patriot. I feel vindicated in that choice.
*My* first distribution was Tandy Xenix 1.3 and SCO Xenix 2.2.1. How long has Hughes been doing this?
Posted Nov 25, 2009 20:38 UTC (Wed)
by miguelzinho (guest, #40535)
[Link]
Posted Nov 25, 2009 23:01 UTC (Wed)
by Tara_Li (guest, #26706)
[Link]
You end up with three kinds of people:
1) The people who have their own computer, with root access, and can install anything they like.
2) The people who's computer is managed by someone else, and they can install nothing.
3) A few people who can think well enough to install binary tarballs, or if the appropriate toolchain is installed on their computer, they can actually compile from source code.
It certainly simplifies things for the package maintainers - they don't have to bother looking to see if root is installing the package, and therefore everyone can use the program, or if a user is installing the package, in which case the files should be stored in *THEIR* home directory, and the program is not available to everyone else.
Of course, how many admins actually want to give their users access to something like a compiler! That's just asking for them to be able to use their computers in ways the admin doesn't want them to.
Posted Dec 1, 2009 13:38 UTC (Tue)
by simlo (guest, #10866)
[Link] (4 responses)
Otherwise, / should be uid dependent and therefore each user could see his own version of the installed software base without affecting the other users or the system. I think I read somewhere, that Plan9 can do just this. Can namespaces in Linux be used for this?
Posted Dec 3, 2009 23:26 UTC (Thu)
by nix (subscriber, #2304)
[Link]
Posted Dec 5, 2009 23:23 UTC (Sat)
by kasperd (guest, #11842)
[Link] (2 responses)
The entire hierarchy under /var/usr should be writable only by some system user, installing packages should be done by a program that is suid to that user.
If two users installs the same package, then the files can be hardlinked into both users' directories. The program to perform the install can also manage some sort of quotas.
Obviously it should not be possible to install any suid or sgid executables or any device inodes. Running the install as a non-root user guarantees part of that.
There is a problem with how programs find their files. They would either need to be modified to use the USER environment variable, or you would need a symlink somewhere that magically points to /var/usr/$USER and then use paths through that. (There are already symlinks in /proc that magically changes depending on which process access them, so adding another magical symlink doesn't seem too far fetched). Of course it may still be problematic that an rpm can either be installed in the normal location by root or a different location by somebody else. Could be worked around by building two versions of each rpm.
The only reason I suggest a directory name depending on the user is, that one user installing a program shouldn't cause that program to show up in another user's path. Each user would have /var/usr/$USER/bin in their path, and only see programs they want to see there.
If some files are accessed by a path that is determined at compile time, maybe those should be put into a common directory instead. That would avoid most of the user dependent path requirements. Say user1 installs app with a binary named app and a library named libapp.so.1, then each file of the two files could be hardlinked in two locations.
/var/usr/user1/bin/app
And user1 would access /var/usr/user1/bin/app from the path which would then use /var/usr/common/lib/libapp.so.1. The common directories shouldn't be in any path, but if you want to specify the absolute path to for example an executable you would use the one in /var/usr/common/bin/app.
I may have missed some details that would need to be figured out, but I'm pretty sure it can be made to work within the normal unix security model, if anybody wants to do the work.
Posted Dec 6, 2009 1:52 UTC (Sun)
by nix (subscriber, #2304)
[Link] (1 responses)
(Most of the rest of your post is talking about problems that GNU stow and
Posted Jul 15, 2011 17:20 UTC (Fri)
by fuhchee (guest, #40059)
[Link]
It came back a few months later.
Console access != physical access
Two sides to every coin
Fedora 12 and unprivileged package installation
For a distribution that went through a great deal of pain to integrate SELinux
features in
order to increase the security of the system, it is mind-
boggling to many that this non-root install feature was added as the default
I wouldn't call it "slashdot worthy". That's just mean. He's smart and does
a good job expressing his editorial opinion. :)
Fedora 12 and unprivileged package installation
But it was wrong to have it as the default for all local users and it was
wrong for them to do this without being more vocal about it. This is not
_huge_ fuck-ups, but it's something that in 20-20 hindsight is something
fairly obvious and they should learn from that.
But security is a very difficult thing, right?
Prompting people for their own passwords for normal events conditions them
to use weak passwords. They have already proven their identity by being
able to log into the system in the first place. Asking them again is just
redundant. It's like forcing people to use their house key in order to
access the bathroom. Prompting people for root passwords just means that
they will use weak root passwords and will condition them to accept typing
in root password as a normal event.
In addition to that it does not provide any real additional security. If a
attacker has subverted your system or you do not trust the software your
running in your home environment then additional passwords provide no real
additional benefit.
It's trivial to install a keylogger. Especially with 'xrecord' extension
that is built-in everybody's X server. If it was not for the fact that it
is broken in newer versions of Xorg's X server I could right a 30-line
python program (in addition to python-xlib) that would capture every
keystroke you type in and save it to a file or send it over the network. It
does not require any root rights or any privileges beyond access to your
user's account. It is probably very likely that it's still quite easy for
people to do keystroke loggers even with a broken Xrecord. There are a
dozen different programs that are designed specifically to do that for
doing automation or training or scripting or whatever. Like 'Xnee' (which
uses xrecord).
And people ignore pop-ups. After I've seen the same pop up 2-3 times I will
ignore it or (accidentally) ignore anything that looks almost exactly like
that. It's human nature. So that is not the answer either, except when a
event is rare.
"""Another way to solve this, is for desktop users just to install the app
per user (thus requiring no extra permissions). But we are stuck in
designing software that manages software, which is very nice for sysadmins
or others who want to sysadm their laptop ;)"""
They can already do that.
I used to regularly install video games and proprietary software and
similar things to my ~/Apps directory. I started doing that since I noticed
that most video games (like ID Quake3) tended to use really shitty file
system permissions. Fixing damage typical games and proprietary software
did to my directory tree was always a pain, so I always tried to avoid
giving them root access when ever possible. (I fixed this by avoiding using
proprietary now whenever possible). There is even a entire ~/.local/
directory for most Linux users you can install things to that most people
have never noticed.
Sure you can run 'ldconfig' and add library paths, but that's easy enough
to work around with simple shell scripts that you use to launch
applications.
Hell, you can run entire operating systems if you want entirely from your
home directory using Qemu (or KVM if you have that configured correctly).
This has some interesting security issues. For example:
My user cannot mount file systems on their own, not without using 'su' or
'sudo' to elevate privileges. They can use policykit to mount things, but
whatever. Lets see what happens when I plug in a USB drive into my system:
$ ls -l /dev/sdb
brw-rw---- 1 root floppy 8, 16 Nov 20 17:49 /dev/sdb
Notice something interesting? Lets look at the defaults for my user:
drag@debian-router:~$ groups
drag dialout cdrom floppy audio video plugdev
Why does Debian do that? I have no freaking clue. It's not a terribly good
idea. Especially since the the HAL/Devicekit stuff works so well so there
should be no need for that. But they still do that, tradition I suppose.
Now I can go and edit those things, but that will likely corrupt the FS and
be difficult. But if I go:
qemu -hda drive-image -hdc /dev/sdb
Then I can mount any file system I like on that drive with or without my
admin's approval. If he believed that by plugging in a USB drive that
contains important files and by formatting the volume Ext3 and setting up
file system permissions he could keep me from reading or writing to certain
files then he would be sorely mistaken. So now it's obvious that any sort
of file system level restrictions in Debian is completely worthless against
the default user.
But after that any new user defaults to no group membership except their
own, so it's not too bad. Just as long as I don't get UID 1000 on Debian
then any removable media is safe from me. :)
Fedora 12 and unprivileged package installation
media ...
Fedora 12 and unprivileged package installation
Prompting people for their own passwords for normal events conditions them to use weak passwords.
Fedora 12 and unprivileged package installation
Fedora 12 and unprivileged package installation
Fedora 12 and unprivileged package installation
Fedora 12 and unprivileged package installation
Fedora 12 and unprivileged package installation
the device is to add it to the relevant group and sometimes it makes wrong guess (e.g. a scanner was marked as a floppy).
created during the installation process. The assumption is whoever install the machine is the admin. Further more since you are also in plugdev, you can mount filesystems anyway.
Nasty coverup
But it was wrong to have it as the default for all local users and it was wrong for them to do this without being more vocal about it.
Judging just from the article, the biggest mistake was not to silently make the change, but to disregard the opinions of their own users. And it doesn't look like there was a clear use case for installing software as non-root, just that they didn't want to admit their mistake. Not very professional, and something that on my own distribution would make me wary of all design decisions I am not aware of.
Fedora 12 and unprivileged package installation
Fedora 12 and unprivileged package installation
Fedora 12 and unprivileged package installation
Then I can mount any file system I like on that drive with or without my admin's approval. If he believed that by plugging in a USB drive that contains important files and by formatting the volume Ext3 and setting up file system permissions he could keep me from reading or writing to certain files then he would be sorely mistaken.
Secure keyboard input
It's trivial to install a keylogger.
Which is why Linux desktops really need a secure attention sequence such as the Ctrl-Alt-Delete used by Windows (and before that, VMS). No application may trap that keystroke, and it leads you to a screen with only the password entry dialogue and (as far as I know) no communication with other parts of the desktop.
If Linux can figure out a way to lock down things inside of a user account
then that would benefit everybody massively.
Secure keyboard input
If you think about it (which you probably already understand completely, I
am just talking about in a more general sense), right now all your most
important and sensitive
information is stored in your /home/$USERNAME directory. Especially for a
single user
system, which 70% of desktops apparently are, then getting root is not
necessary at all for a attacker to have the most damage to that user.
Root is only necessary for the attacker to go unnoticed. If they want to
establish a rootkit or run some sort of secret network service then they'll
need root. If they just want to steel your credit card information, gain
access to your online accounts, or anything like that then root is
unnecessary.
Secure keyboard input
Secure keyboard input
> such as the Ctrl-Alt-Delete used by Windows (and before that, VMS).
> No application may trap that keystroke, and it leads you to a screen
> with only the password entry dialogue and (as far as I know) no
> communication with other parts of the desktop.
Secure keyboard input
Secure keyboard input
tone of the article
Fedora 12 and unprivileged package installation
Fedora 12 and unprivileged package installation
Fedora 12 and unprivileged package installation
Fedora 12 and unprivileged package installation
It seems clear that there isn't anyone on the PolicyKit team who does what Bruce Schneier (among others) regularly urges: you need someone on your team who can think like a black hat. Given a proposed policy decision, what new attack vectors can it open up? Clearly there are SELinux folks who can think this way, but it doesn't seem that there's enough communication going on.
Security implications need to be thought through better
Fedora 12 and unprivileged package installation
OK, I apologize to the PolicyKit people; it is the PackageKit team that needs someone who can think like a black hat.
Fedora 12 and unprivileged package installation
In general, I would say it is all
of them.
Fedora 12 and unprivileged package installation
Fedora 12 and unprivileged package installation
Security policy expertise
Fedora 12 and unprivileged package installation
not a very diplomatic way of phrasing things ;-)
Fedora 12 and unprivileged package installation
When the city council announces plans to demolish the local parks and playgrounds in order to construct bike sheds, the people who jump in with opinions are not just bikeshedding.
Fedora 12 and unprivileged package installation
It turns out that the PolicyKit feature that was used (auth_admin_keep_always) was eliminated between PolicyKit 0.9 and 1.0, because it was considered to be a security problem.
A removed feature
A removed feature
Fedora 12 and unprivileged package installation
Fedora 12 and unprivileged package installation
We have had grsecurity for years. Quite popular, but developed outside of the kernel.
Fedora 12 and unprivileged package installation
Fedora 12 and unprivileged package installation
Fedora 12 and unprivileged package installation
Fedora 12 and unprivileged package installation
Fedora 12 and unprivileged package installation
Fedora 12 and unprivileged package installation
Fedora 12 and unprivileged package installation
Fedora 12 and unprivileged package installation
private copy of / has security implications: many many programs assume
that things in /etc aren't modifiable except by privileged users (trivial
example: /etc/passwd, /etc/shadow).
Fedora 12 and unprivileged package installation
/var/usr/user1/lib/libapp.so.1
/var/usr/common/bin/app
/var/usr/common/lib/libapp.so.1
Fedora 12 and unprivileged package installation
is bind-mounted by pam_mount into a per-user private mount, maybe /usr/usr
(ew, maybe somewhere else) and *that* is what is referenced in PATHs.
graft and other similar systems have long considered and solved. Suffice
to say that systems built from symlink farms are quite practical. Hell,
systems built from symlink farms *at runtime*, so users can have per-user
and even per-session package selection are practical, although the farm
construction might take a second or two. I've implemented a couple of
systems like that myself...)
Fedora 12 and unprivileged package installation
https://bugzilla.redhat.com/show_bug.cgi?id=568074