Weekly Edition
Return to the Front page
| |||||||||||||
Fedora 12 and unprivileged package installationFedora 12 was released on November 17 with the usual pile of new packages and features. By the sounds, it is a solid, well-received release. But one feature—unpublicized, undocumented, and turned on by default—has a number of Fedora users up in arms, leading to a huge thread on fedora-devel, in the bugzilla entry, and here at LWN. In short, the problem was that in the Fedora 12 default installation, regular users sitting at the console could install signed packages from any repository that the administrator has enabled. Since the release, and all of the publicity and complaints, the maintainers of PackageKit have decided to remove the feature. Out of this controversy, though, are lessons for any project regarding security, transparency, and system defaults. There were no real complaints about the existence of the feature, rather it was the choice to make it the default, coupled with a lack of any notice of the change, that led to the outcry. Unprivileged package installationNon-root install is a convenience feature, and one that was supported somewhat differently in earlier Fedoras. From F9 through F11, the same effect could be achieved by using PackageKit to install a package, entering the root password, and checking a box to allow that user to install in the future without needing to enter the root password. The key difference is that in F12, no root password is ever required; the checkbox has been removed and is treated as if it was turned on for all users. PackageKit goes to some lengths to determine that the user is logged on at the physical console of the machine before allowing non-root installs. It only allows installation of packages, not update or removal, and requires that the packages are signed by a key that has been installed by root. The only repositories that are allowed to be used are those that were previously configured and enabled by a root user. The use case is for single-user (or all trusted user) systems, where the logged-in user is likely to be the same person as the root user. Some people evidently don't like having to enter the root password, or, worse, having to track down the person with the root password, when they install software. It is part of the effort to simplify the desktop experience, with package installation being considered a "routine" task that many users would like to be able to do without the extra password-entering step. But that has serious security implications. So, why wasn't the previous behavior just propagated into F12? It turns out that the PolicyKit feature that was used (auth_admin_keep_always) was eliminated between PolicyKit 0.9 and 1.0, because it was considered to be a security problem. Because F12 uses PolicyKit 1.0, it makes it difficult to just revert to the old behavior. Instead, PackageKit maintainer Richard Hughes has decided to change the policy such that the root password will always be required for installing packages on F12. An alternative was proposed by Kevin Kofler that may allow the earlier behavior to return without the PolicyKit support, though it is unclear whether it is being considered. Security ramificationsIt didn't take much thought for various folks to come up with security issues with the new feature. Even for the stated use case, allowing unprivileged package installation has some fairly significant implications. The idea that running on the console somehow makes a process trusted is dubious at best. Firefox is an excellent example of a program that regularly has flaws which may lead to arbitrary code execution. That means that attackers on the web may be able to install packages on F12 systems. But the proponents of this feature insist that there is no risk to installing trusted packages from trusted repositories. There are a number of problems with that thinking, starting with the fact that there are, without question, "trusted" packages in the Fedora repositories today that have privilege escalation and other security flaws. Trusting a repository does not in any way imply trusting every package in it. Administrators may well have added other repositories to pick up a package or two as well, without considering the fact that they have now opened up their systems to all of the packages contained in that, less trusted, repository. There is also an incident that some are conveniently forgetting. In August 2008, there was some kind of break-in to the Fedora project servers, including the system used for signing packages. There is no evidence that malicious packages were signed at that time, but it is always a possibility in the future. During the time when Fedora was figuring out what happened, and issuing new signing keys, users were warned not to update their systems. But, if console applications can be subverted to do that installation, one can easily see a path to mass compromise of Fedora systems. Because of the way this was changed, administrators who upgraded to F12 will find that the privileges of the users on their system have suddenly been elevated. Because PackageKit and PolicyKit are relatively new additions, many administrators may be largely unaware of them and their capabilities. Eliminating PackageKit is one way to avoid the current problem, but other, seemingly unrelated packages are dependent on it; setroubleshoot for example. Because PackageKit and PolicyKit function in ways that are very different from the traditional UNIX security model, it is imperative that Fedora protect its users from unexpected security holes, at least in the default installation. SELinux hacker James Morris has a summary of the problems that can occur, including such things as denial of service from exhausting the disk space on the system. A user could also install an SELinux policy that is weaker than that installed by the administrator, leading to an overall reduction in the security of the system. Overall, the implications of this change were not fully explored before it was added to F12. DefenseThe main defense of the PackageKit behavior seems to be that any attacker who has physical access to the machine has many ways to subvert it. Hughes listed a number of other actions that a normal user can do in F12, some of which could certainly be considered security issues. Those don't make for a valid reason for the PackageKit changes, though, as Rick L. Vinyard Jr. points out: "Perhaps those should also be discussed and analyzed further, but that doesn't serve as a justification for the matter at hand." There are multiple scenarios where console access does not imply access to the machine. A monitor, keyboard, and mouse are all that is required for a console, not necessarily access to the power button, USB ports, CD drives, and so forth. So, it is not universally true that console access equates to physical access. In addition, various tools like VNC allow remote users to act as if they were on the console. While VNC itself is detected as a non-local console, x11vnc is not. Normally, one would expect this kind of change to be noticed in Rawhide—Fedora's development distribution—long before the F12 release. That would have allowed the issue to be discussed and resolved well in advance of unsuspecting users upgrading into the new policy. Unfortunately, the Rawhide packages aren't signed, so PackageKit always requires the root password to install them. So the first time the Fedora community saw this change was after they had upgraded to the "real" F12. One might also expect a change of this magnitude to appear, perhaps quite prominently, in the F12 release notes, but that was not the case at the time of the release. Since that time, a very eye-catching note was added to the security section of the release notes. That could serve as a warning for users that read, or at least skim, those notes. The other main line of defense is that this behavior is "just" a default, and can be changed by administrators. While that is true, the process to do so is not obvious. It involves mucking about with PolicyKit files, something that many Fedora users probably know little to nothing about. Hughes thinks that users should learn PolicyKit: "If you're deploying F12, then I really think you should know the basics about PolicyKit." But, when Seth Vidal set out to find out how to disable the feature—documented on his blog—asking Hughes did not lead to the solution: "So, if our engineers don't know the basics, how should our users?" Overall, Hughes's reaction to the problem has been dismissive, bordering on rude:
I don't particularly care how UNIX has always worked. Looking at the use-cases
and the things people are trying to do this seemed the best default. Admins can
trivially change the default on machines if they wish.
Based on the above, one could argue with the "trivially", but, more to the point, one must understand an existing security model before changing it. If one myopically focuses on a single use case, and ignores the problems inherent in even that case, concluding that allowing unprivileged users to do package installation might make sense. But, for overall system security—not to mention the reputation of Fedora as a distribution that keeps security in mind—myopia is not a good strategy. Hughes often refers to the change only being made for the "desktop spin", but that doesn't really make sense as the feature was added to all of Fedora. Certainly, some spins—server, for example—could change this default, but that seems backward. The core should default to secure choices, and allow spins to relax those requirements if they so desire. As Adam Williamson points out:
[...] the general perception of 'the desktop spin' is not 'the
desktop spin'. The general perception, helped by how our download page
set up, is that 'the desktop spin' is Fedora, or at least the three
methods mentioned above - desktop spin, DVD, network install - are
Fedora. Most people who are not quite active Fedora project members, and
probably even a lot of those, see the desktop spin as 'default Fedora',
not as a special-interest spin like the KDE or XFCE spins.
Larger issuesRegardless of how they feel about the specific feature in question, Fedora developers would like to avoid being blindsided by these kinds of changes in the future. To that end, Chris Adams started a discussion on security policy oversight: "Any package (whether new or an update) that adds/changes PolicyKit, consolehelper, or PAM configuration, and anything that installs new setuid/setgid executables, should require some additional third-party review." As part of that discussion, Hughes seems to be coming around to the majority view: "At the moment we're asking the server spin to essentially close the door, when maybe we should start with a closed door, and be asking the desktop spin to open it up a little more." There is concern that a package maintainer can change global behavior for the distribution without any notice. Once the change is made, that maintainer can refuse to change it back, requiring the Fedora Engineering Steering Committee (FESCo) to step in and make a decision. In the case of a security problem, one that the maintainer is unwilling to acknowledge, the delay could be a serious problem. Since the change to PackageKit still has not been released as of this writing, there are numerous systems out there that are being installed or upgraded into less security. FESCo discussed the issue at its November 20 meeting, and Vidal will be putting together a proposal to require the maintainers of critical packages to disclose any changes that might have this kind of impact. From the discussion of Adams's call for more oversight, a need for an overall framework of what users should and should not be able to do was noted. Fedora engineering manager Tom "spot" Callaway has started gathering a list of things that unprivileged users should not be able to do that would presumably factor into such a policy. There were also some ancillary, but still important, issues. The responses from Hughes and David Zeuthen ("I'm not interested in this bike-shed or what color it is") in the thread angered quite a few. As the discussions grew, several Fedora leaders tried to tamp down the flames, which also didn't sit well with folks. A suggestion to vote on the bug, rather than continue piling on to the discussion was met with opposition as well, leading Jeff Garzik to note:
[...] it makes ZERO sense to
squelch Fedora users' feedback. Fedora leaders are saying "no feedback
on fedora-devel" and "no feedback on the bugzilla", and now, no Bugzilla
voting.
Bugzilla voting was created precisely so that users could raise the profile of a bug and register their voice, without adding actual noise to the discussion. At one point Red Hat employees started using hidden comments in the bug to create a virtual "executive session", but folks started noticing the skipped message numbers and wondered what was going on. Williamson stepped in quickly to stop that:
i'm uncomfortable with the abuse of the private comment
feature (not just here, but it's particularly bad in this bug) as a way to
introduce a parallel discussion that's effectively limited to an informal RH
cabal. this is the Fedora project, there is no room for that. comments should
only be made private when they introduce or discuss not-currently-public
security concerns, which is not the case for any of the private comments on
this bug.
The futureThe Fedora project has likely learned quite a bit from this particular controversy, and it seems to be taking the right steps to avoid a repeat in the future. For a distribution that went through a great deal of pain to integrate SELinux features in order to increase the security of the system, it is mind-boggling to many that this non-root install feature was added as the default. There were multiple missteps—making it the default, not highlighting it in the release notes, not testing it in Rawhide, and so on—but those can all be corrected. Hopefully, the outcry and publicity will ensure that the word gets out, so that Fedora users will understand the issue and can make the appropriate changes for their systems. In the meantime, though, other projects—distributions or software packages—would be well-served by studying this episode. Security is hard, and requires great diligence. It is likely that other projects could have hit this same kind of problem, but, hopefully, with this incident as a guide, will avoid doing so in the future. (Log in to post comments)
Console access != physical access Posted Nov 20, 2009 23:01 UTC (Fri) by jamesmrh (guest, #31622) [Link]
Thanks for pointing this out, too.
There are deployed systems where users have console access, but the only part of the system physically available is a wireless keyboard -- the rest is behind plexiglass.
Two sides to every coin Posted Nov 20, 2009 23:25 UTC (Fri) by sladen (subscriber, #27402) [Link]
Look on the bright side—anyone can come along and install the signed update that fixes it!
Fedora 12 and unprivileged package installation Posted Nov 20, 2009 23:17 UTC (Fri) by Frej (subscriber, #4165) [Link] That was quite a biased article... Sorry, but how can I be sure you presented the case fair when you have clear bias? And stuff like like this is slashdot worthy: For a distribution that went through a great deal of pain to integrate SELinux features in order to increase the security of the system, it is mind- boggling to many that this non-root install feature was added as the default Security is a compromise. Thus, either we have the best security in the world with no users because it's too anoying Or, we try to find the sweet spot for a certain set of users, we can't please everyone. Example: We could require entering root password every time a new website is accessed (almost like installing a program today), but i doubt users would accept it. It's too cumbersome. ---- Another way to solve this, is for desktop users just to install the app per user (thus requiring no extra permissions). But we are stuck in designing software that manages software, which is very nice for sysadmins or others who want to sysadm their laptop ;)
Fedora 12 and unprivileged package installation Posted Nov 21, 2009 0:10 UTC (Sat) by drag (subscriber, #31333) [Link] I wouldn't call it "slashdot worthy". That's just mean. He's smart and does a good job expressing his editorial opinion. :)But it was wrong to have it as the default for all local users and it was wrong for them to do this without being more vocal about it. This is not _huge_ fuck-ups, but it's something that in 20-20 hindsight is something fairly obvious and they should learn from that. But security is a very difficult thing, right? Prompting people for their own passwords for normal events conditions them to use weak passwords. They have already proven their identity by being able to log into the system in the first place. Asking them again is just redundant. It's like forcing people to use their house key in order to access the bathroom. Prompting people for root passwords just means that they will use weak root passwords and will condition them to accept typing in root password as a normal event. In addition to that it does not provide any real additional security. If a attacker has subverted your system or you do not trust the software your running in your home environment then additional passwords provide no real additional benefit. It's trivial to install a keylogger. Especially with 'xrecord' extension that is built-in everybody's X server. If it was not for the fact that it is broken in newer versions of Xorg's X server I could right a 30-line python program (in addition to python-xlib) that would capture every keystroke you type in and save it to a file or send it over the network. It does not require any root rights or any privileges beyond access to your user's account. It is probably very likely that it's still quite easy for people to do keystroke loggers even with a broken Xrecord. There are a dozen different programs that are designed specifically to do that for doing automation or training or scripting or whatever. Like 'Xnee' (which uses xrecord). And people ignore pop-ups. After I've seen the same pop up 2-3 times I will ignore it or (accidentally) ignore anything that looks almost exactly like that. It's human nature. So that is not the answer either, except when a event is rare. """Another way to solve this, is for desktop users just to install the app per user (thus requiring no extra permissions). But we are stuck in designing software that manages software, which is very nice for sysadmins or others who want to sysadm their laptop ;)""" They can already do that. I used to regularly install video games and proprietary software and similar things to my ~/Apps directory. I started doing that since I noticed that most video games (like ID Quake3) tended to use really shitty file system permissions. Fixing damage typical games and proprietary software did to my directory tree was always a pain, so I always tried to avoid giving them root access when ever possible. (I fixed this by avoiding using proprietary now whenever possible). There is even a entire ~/.local/ directory for most Linux users you can install things to that most people have never noticed. Sure you can run 'ldconfig' and add library paths, but that's easy enough to work around with simple shell scripts that you use to launch applications. Hell, you can run entire operating systems if you want entirely from your home directory using Qemu (or KVM if you have that configured correctly). This has some interesting security issues. For example: My user cannot mount file systems on their own, not without using 'su' or 'sudo' to elevate privileges. They can use policykit to mount things, but whatever. Lets see what happens when I plug in a USB drive into my system: $ ls -l /dev/sdb brw-rw---- 1 root floppy 8, 16 Nov 20 17:49 /dev/sdb Notice something interesting? Lets look at the defaults for my user: drag@debian-router:~$ groups drag dialout cdrom floppy audio video plugdev Why does Debian do that? I have no freaking clue. It's not a terribly good idea. Especially since the the HAL/Devicekit stuff works so well so there should be no need for that. But they still do that, tradition I suppose. Now I can go and edit those things, but that will likely corrupt the FS and be difficult. But if I go: qemu -hda drive-image -hdc /dev/sdb Then I can mount any file system I like on that drive with or without my admin's approval. If he believed that by plugging in a USB drive that contains important files and by formatting the volume Ext3 and setting up file system permissions he could keep me from reading or writing to certain files then he would be sorely mistaken. So now it's obvious that any sort of file system level restrictions in Debian is completely worthless against the default user. But after that any new user defaults to no group membership except their own, so it's not too bad. Just as long as I don't get UID 1000 on Debian then any removable media is safe from me. :)
Fedora 12 and unprivileged package installation Posted Nov 21, 2009 0:15 UTC (Sat) by drag (subscriber, #31333) [Link]
... Debian is completely worthless against the default user ..
I meant to say:
.. Debian is completely worthless against the default user for removable
At least media that shows up with 'floppy' group.
Fedora 12 and unprivileged package installation Posted Nov 21, 2009 8:10 UTC (Sat) by bojan (subscriber, #14302) [Link]
> But it was wrong to have it as the default for all local users and it was wrong for them to do this without being more vocal about it.
Excellent summary of the whole thing.
Fedora 12 and unprivileged package installation Posted Nov 21, 2009 9:57 UTC (Sat) by NAR (subscriber, #1313) [Link] Prompting people for their own passwords for normal events conditions them to use weak passwords.I think installing software is not a normal event, but an exceptional. I install software about 2-3 times per year (after the initial OS installation, when it takes some time to get every necessary software). On the other hand as far as I understand, Fedora <12 used to ask the password only once in a session, so they had a fairly good compromise between security and usability that was broken with the upgrade...
Fedora 12 and unprivileged package installation Posted Nov 21, 2009 12:16 UTC (Sat) by tzafrir (subscriber, #11501) [Link]
Which brings up another such "exceptional" condition: adding an extra repository.
Is the typical Fedora "desktop" installation useful enough without adding such an extra repository?
Fedora 12 and unprivileged package installation Posted Nov 22, 2009 12:19 UTC (Sun) by NAR (subscriber, #1313) [Link]
Last time I've checked it wasn't useful. By the way, why does a desktop "single-user" installation has a root password at all? The recent IPhone worm showed how "useful" it is to have...
Fedora 12 and unprivileged package installation Posted Nov 25, 2009 20:37 UTC (Wed) by Baylink (guest, #755) [Link]
Well, if one lives in one's parents' basement, then people walking up to the machine is probably a lesser concern, yes. :-)
Fedora 12 and unprivileged package installation Posted Nov 21, 2009 12:38 UTC (Sat) by ballombe (subscriber, #9523) [Link]
I like to note that selinux is sometimes configured to forbid users to install shared library in their home dir.
> brw-rw---- 1 root floppy 8, 16 Nov 20 17:49 /dev/sdb
It is an udev configuration problem: as configured it tries to guess what
> But after that any new user defaults to no group membership except their own, so it's not too bad. Just as long as I don't get UID 1000 on Debian then any removable media is safe from me. :)
It should be noted that the extra groups are only added to the user
Nasty coverup Posted Nov 21, 2009 13:55 UTC (Sat) by man_ls (subscriber, #15091) [Link] But it was wrong to have it as the default for all local users and it was wrong for them to do this without being more vocal about it.Judging just from the article, the biggest mistake was not to silently make the change, but to disregard the opinions of their own users. And it doesn't look like there was a clear use case for installing software as non-root, just that they didn't want to admit their mistake. Not very professional, and something that on my own distribution would make me wary of all design decisions I am not aware of.
Fedora 12 and unprivileged package installation Posted Nov 21, 2009 17:03 UTC (Sat) by amonnet (subscriber, #54852) [Link]
I might look old fashionned, but i really enjoy the good old UNIX way to treat theses kind of permissions.
New PolicyKit, DeviceKit, IdontKnownWhatKit, with their balkanized permission configuration file, have me wanted to bang my head on a rock.
I really miss my old /etc/group, /etc/sudoers and /etc/security/group.conf when presented with a dialog box telling me i have no right to do something (and absolutely no understanding what configuration file i should change).
Fedora 12 and unprivileged package installation Posted Nov 23, 2009 1:53 UTC (Mon) by salimma (subscriber, #34460) [Link]
sudo is still available -- the first step I did after installing a Fedora/Red Hat system is to add myself to wheel and edit sudoers. There are cases where using yum from the command line is much faster (and customizable) than using PackageKit (and relying on PolicyKit to manage permissions)
Fedora 12 and unprivileged package installation Posted Nov 22, 2009 18:05 UTC (Sun) by nhippi (subscriber, #34640) [Link] Then I can mount any file system I like on that drive with or without my admin's approval. If he believed that by plugging in a USB drive that contains important files and by formatting the volume Ext3 and setting up file system permissions he could keep me from reading or writing to certain files then he would be sorely mistaken. If a admin believes ext3 makes files on usb stick safe the admin is not mistaken, the admin is stupid. Then again, it is known for at least last 10 years that granting hardware access by the traditional UNIX user:group setup just doesn't correlate with reality. Observe the historic discussion with /dev/dsp permissions. previously we had two choices: 1) add a user to "audio" group. ..means the user can remotely eavesdrop local users. 2) grant user access (by temporarily adding to audio group or by chowning it to the user) to /dev/dsp when logging into console and remove the permissions when logging out ..means the user can open /dev/dsp when visiting console, and leave a daemon reading it and remotely eavesdrop local users. same applies to floppies, usbsticks etc. Hopefully policykit etc will deal with it eventually.
Secure keyboard input Posted Nov 22, 2009 19:45 UTC (Sun) by epa (subscriber, #39769) [Link] It's trivial to install a keylogger.Which is why Linux desktops really need a secure attention sequence such as the Ctrl-Alt-Delete used by Windows (and before that, VMS). No application may trap that keystroke, and it leads you to a screen with only the password entry dialogue and (as far as I know) no communication with other parts of the desktop. It's kind of embarassing that for many years Windows has had better security than Linux in this one area. The 'schoolboy attack' of locking the screen and bringing up a fake password dialogue is also trivial. So I quite agree that conditioning users to type in their password (or, perhaps worse, the root password) all the time is a terribly bad idea. However, asking them to hit Ctrl-Alt-Delete and enter their password into a secure authentication screen will piss them off, and perhaps also condition them to ignore the boring message and just authorize the action every time, but at least it does not have the problem of keyloggers or trojan websites which pop up 'enter your password' dialogues. Non-technical users, who (demonstrably) cannot distinguish between genuine password prompts and bogus ones from malware, can at least be told to always hit Ctrl-Alt-Del before entering their password. It may not be enough, but at least it's something. (For remote access, a remote secure attention sequence is also possible; for example many Windows remote desktop clients have a 'send Ctrl-Alt-Del' menu option, which again cannot be intercepted by ordinary applications.)
Secure keyboard input Posted Nov 23, 2009 15:58 UTC (Mon) by drag (subscriber, #31333) [Link] If Linux can figure out a way to lock down things inside of a user account then that would benefit everybody massively.If you think about it (which you probably already understand completely, I am just talking about in a more general sense), right now all your most important and sensitive information is stored in your /home/$USERNAME directory. Especially for a single user system, which 70% of desktops apparently are, then getting root is not necessary at all for a attacker to have the most damage to that user. Root is only necessary for the attacker to go unnoticed. If they want to establish a rootkit or run some sort of secret network service then they'll need root. If they just want to steel your credit card information, gain access to your online accounts, or anything like that then root is unnecessary.
Secure keyboard input Posted Nov 23, 2009 18:35 UTC (Mon) by madscientist (subscriber, #16861) [Link]
Any really sensitive file in the user's home directory should be protected by account permissions so that non-root users wouldn't be able to modify, or even read, them. In addition, a number of distros already have the ability to encrpyt some or all of the user's home directory, so that casual observers can't read the files. I think the previous poster has an excellent point, though: if you don't have a foolproof way of getting back to a login prompt, you can't say much about any sort of password-based security, including encrpyted home directories.
Secure keyboard input Posted Nov 23, 2009 19:31 UTC (Mon) by cmccabe (subscriber, #60281) [Link]
> Which is why Linux desktops really need a secure attention sequence
> such as the Ctrl-Alt-Delete used by Windows (and before that, VMS). > No application may trap that keystroke, and it leads you to a screen > with only the password entry dialogue and (as far as I know) no > communication with other parts of the desktop.
That's a very good point. It's important to have a secure login path. This is an especially important issue in a shared computer lab, where people can log into any machine they like.
It would be nice if gnome or KDE could be configured to request an "uninterceptable" keystroke combination before allowing you to log in through gdm or xdm. I don't know enough about X input handling to know how feasible this would be.
C.
Secure keyboard input Posted Nov 25, 2009 23:59 UTC (Wed) by jmorris42 (subscriber, #2203) [Link]
Kids today..... :)
Fire up an xterm (a real one) and observe the first option on the menu if you press CTRL-F1 is Secure Keyboard. It is intended to be used for exactly the sort of thing you mention. X had thought of security and built it in long before NT 3.1 'invented' it, the GNOME/KDE kids simply forgot about that sort of thing along with most of the other good parts of X.
Seems to be a pattern with modern graphical free software development to repeat all of Microsoft's security mistakes and for the same reason. The mad rush to bring about 'the Year of Linux on the Desktop' is producing the exact same marketing based security policies that we have laughed our butts off over when Microsoft originally made em. But apparently we learned nothing.
Secure keyboard input Posted Nov 26, 2009 17:40 UTC (Thu) by mjg59 (subscriber, #23239) [Link]
So the attacker makes sure that your xterm is thunked with an LD_PRELOADed library that reports a successful grab without actually performing one. Xterm continues along its way and your password still gets grabbed. Xterm's grabs are intended to secure against hostile *X* applications that may be running on machines out of your control. That's simply not the common threat model any more, and instead it just results in people thinking that they're secure when they're not.
(Heck. The attacker could ignore X altogether and just thunk read and write in xterm and read everything going over the pty. You'd end up with a secure channel between the server and the xterm, which would win you absolutely nothing overall)
tone of the article Posted Dec 1, 2009 1:23 UTC (Tue) by louie (subscriber, #3285) [Link] That was quite a biased article... Sorry, but how can I be sure you presented the case fair when you have clear bias? I'd just like to ditto this. I have subscribed to LWN for years because it makes an attempt to really understand all sides of an issue before taking an editorial stance, and so I trust Jon's judgment. This article shows no such nuance or balance, which is a shame and not what I expect from LWN.
Fedora 12 and unprivileged package installation Posted Nov 20, 2009 23:49 UTC (Fri) by k8to (subscriber, #15413) [Link]
Making a system much more complicated than traditional UNIX only to satisfy a few current use cases is flawed thinking.
We now have a lot of new complexity. SELinux, PolicyKit, dbus, PackageKit. Linux, at least the Red Hat flavor, is getting harder to inspect, and harder to understand. This is not a path to long term success.
Fedora 12 and unprivileged package installation Posted Nov 21, 2009 10:28 UTC (Sat) by luya (subscriber, #50741) [Link]
Actually Policykit is not that hard the first time I used on Fedora 11. There are front-end (System->Preferences->Authorization on Gnome desktop) that allow configuration and fine-graining control unlike sudo (I have not for a long time because it is not a long term good choice).
Because that front-end is gone on Fedora 12 I have to relearn the policy setting from terminal (or using text-editor). The good thing about PolicyKit (Polkittool) is the ease of use and human readability.
Selinux has tremendously evolved. it is very easy to submit bug report so policy can be updated as soon as possible.
Packagekit is not hard at all although it does not have yumex complex functionality. However the ability to detect missing codec, fonts and the fact it is backend independent (yum, apt-deb, smart, conakry) cannot be overlooked. Because of my design field, I mostly use it for simple update and use yum for advanced function.
I think the biggest problem in this community is the fear of change and inertia for some traditional users. Let not forget Fedora is all about cutter technologies.
Fedora 12 and unprivileged package installation Posted Nov 21, 2009 17:34 UTC (Sat) by k8to (subscriber, #15413) [Link]
It's not about how hard it is to click the settings. It's about how hard it is to be sure that the settings do exactly what you expect them to do.
If you can't be sure of exactly what they're doing, then you aren't creating security, you're creating false comfort.
Fedora 12 and unprivileged package installation Posted Nov 21, 2009 19:57 UTC (Sat) by luya (subscriber, #50741) [Link]
Like using a tool without consulting a manual guide.
Security implications need to be thought through better Posted Nov 21, 2009 1:34 UTC (Sat) by JoeBuck (subscriber, #2330) [Link] It seems clear that there isn't anyone on the PolicyKit team who does what Bruce Schneier (among others) regularly urges: you need someone on your team who can think like a black hat. Given a proposed policy decision, what new attack vectors can it open up? Clearly there are SELinux folks who can think this way, but it doesn't seem that there's enough communication going on.
Fedora 12 and unprivileged package installation Posted Nov 21, 2009 3:55 UTC (Sat) by AdamW (guest, #48457) [Link]
There seem to be quite a lot of misconceptions flying around here.
One: "The responses from Hughes and David Zeuthen ("I'm not interested in this bike-shed or what color it is") in the thread angered quite a few."
It's perfectly sensible for David to say that, because this issue had absolutely nothing to do with David. David is the maintainer of PolicyKit. PolicyKit is a framework for defining policies. It does not, in itself, define any policies. Deciding what the authentication policies should be is not PolicyKit's job, and PolicyKit doesn't do it. So why should David care? His code doesn't set the policy, he was not involved in deciding the policy, and it's not his job to decide the policy.
Two: "Williamson stepped in quickly to stop that:"
Ah, you flatter me. ;) I don't have the power to stop anything. All I can do is express an opinion, based on the declared Fedora policies. I don't have any authority over anyone who posted a private comment in the bug. (I just barely outrank the laboratory mice around here...)
Three: comment from JoeBuck - "It seems clear that there isn't anyone on the PolicyKit team who does what Bruce Schneier (among others) regularly urges: you need someone on your team who can think like a black hat."
Joe, read point one above. PolicyKit is simply a framework. It doesn't define any policies. PolicyKit does absolutely nothing unless applications choose to use it for privilege escalation, rather than using su or sudo or consolehelper or whatever. And it's the _apps_ that define the policies. This policy was defined in PackageKit, not PolicyKit.
Fedora 12 and unprivileged package installation Posted Nov 21, 2009 5:30 UTC (Sat) by JoeBuck (subscriber, #2330) [Link] OK, I apologize to the PolicyKit people; it is the PackageKit team that needs someone who can think like a black hat.
Fedora 12 and unprivileged package installation Posted Nov 21, 2009 12:11 UTC (Sat) by hppnq (guest, #14462) [Link] In general, I would say it is all of them.
Fedora 12 and unprivileged package installation Posted Nov 21, 2009 16:34 UTC (Sat) by AdamW (guest, #48457) [Link]
Sort of a fair point, but for most distributions it's not practical to have a security expert working on every application which could possibly have security implications (...er, just about all of 'em). Hence, as has already been discussed, the improvement needed here is just to ensure that Fedora's processes ensure there's more oversight of potentially sensitive changes to any component. Seth Vidal is already working on a proposal for this.
Security policy expertise Posted Nov 21, 2009 19:06 UTC (Sat) by PO8 (guest, #41661) [Link] Wha? Nobody is asking you to have a security expert working on "every application". They're asking you to have a security expert working on the applications which control your security policy. Especially when those applications are new and present unique challenges. Any distro that can't afford that should stick with the tried-and-true UNIX security model and its implementation rather than trying to innovate in the security policy arena.
Fedora 12 and unprivileged package installation Posted Nov 21, 2009 19:50 UTC (Sat) by MarkWilliamson (guest, #30166) [Link]
To be fair, dismissing a legitimate debate as mere bike shedding was perhaps
not a very diplomatic way of phrasing things ;-)
Fedora 12 and unprivileged package installation Posted Nov 22, 2009 18:30 UTC (Sun) by mattdm (subscriber, #18) [Link]
We need some dismissive term for people who get over-enamored with the bike shed story and subsequently dismiss anyone who disagrees with them as bike shedding.
Fedora 12 and unprivileged package installation Posted Nov 22, 2009 22:39 UTC (Sun) by dark (subscriber, #8483) [Link] When the city council announces plans to demolish the local parks and playgrounds in order to construct bike sheds, the people who jump in with opinions are not just bikeshedding.
A removed feature Posted Nov 21, 2009 7:47 UTC (Sat) by NAR (subscriber, #1313) [Link] It turns out that the PolicyKit feature that was used (auth_admin_keep_always) was eliminated between PolicyKit 0.9 and 1.0, because it was considered to be a security problem.So the root cause of the problem is that a feature used by many was considered to be a security problem, then they introduced a new feature which is considered by many as a severe security problem?
A removed feature Posted Nov 21, 2009 17:36 UTC (Sat) by k8to (subscriber, #15413) [Link]
Yes. This is what you get when you shoot for security with lots of features.
Fedora 12 and unprivileged package installation Posted Nov 22, 2009 1:03 UTC (Sun) by kragil (guest, #34373) [Link]
Why only install and not update? I think just updates would have been sane.
BTW can this convenience feature be enabled in Ubuntu?
Fedora 12 and unprivileged package installation Posted Nov 23, 2009 1:13 UTC (Mon) by pspinler (subscriber, #2922) [Link]
Instead of inventing something completely different, could some existing framework like Opensolaris / Solaris 10's RBAC (http://www.softpanorama.org/Solaris/Security/solaris_rbac...) be used?
It'd have the advantage of already being in production several years, having a open source reference implementation in Opensolaris (although it'd have to be reimplemented due to license incompatibility) already having an LDAP schema for central administration, and already having a set of people knowledgeable about it.
-- Pat
Fedora 12 and unprivileged package installation Posted Nov 23, 2009 7:28 UTC (Mon) by hppnq (guest, #14462) [Link] We have had grsecurity for years. Quite popular, but developed outside of the kernel.
Fedora 12 and unprivileged package installation Posted Nov 23, 2009 8:58 UTC (Mon) by luya (subscriber, #50741) [Link]
Lets not forget PolicyKit is part of Freedesktop.org. It is somewhat similar Solaris RBAC in term of concept.
Fedora 12 and unprivileged package installation Posted Nov 23, 2009 17:01 UTC (Mon) by clugstj (subscriber, #4020) [Link]
Is anyone using RBAC in Solaris? Just because it is "in production" doesn't mean that it is any good.
Fedora 12 and unprivileged package installation Posted Nov 25, 2009 20:34 UTC (Wed) by Baylink (guest, #755) [Link]
My personal opinion is that if Hughes "doesn't particularly care how Unix has always worked", then he's in the wrong job.
If that's how Fedora runs, then I'm glad I'm a SuSE patriot. I feel vindicated in that choice.
*My* first distribution was Tandy Xenix 1.3 and SCO Xenix 2.2.1. How long has Hughes been doing this?
Fedora 12 and unprivileged package installation Posted Nov 25, 2009 20:38 UTC (Wed) by miguelzinho (subscriber, #40535) [Link]
That's what I always say: Fedora is just a playground for Red Hat. Community participation my ass: all the core packages are controlled by Red Hat employees dictates what goes in or not; servers are hosted at Red Hat; that's new to me, they can make private comments, WTF?
Fedora 12 and unprivileged package installation Posted Nov 25, 2009 23:01 UTC (Wed) by Tara_Li (subscriber, #26706) [Link]
You have to admit, the normal situation makes life easier in a way:
You end up with three kinds of people:
1) The people who have their own computer, with root access, and can install anything they like.
2) The people who's computer is managed by someone else, and they can install nothing.
3) A few people who can think well enough to install binary tarballs, or if the appropriate toolchain is installed on their computer, they can actually compile from source code.
It certainly simplifies things for the package maintainers - they don't have to bother looking to see if root is installing the package, and therefore everyone can use the program, or if a user is installing the package, in which case the files should be stored in *THEIR* home directory, and the program is not available to everyone else.
Of course, how many admins actually want to give their users access to something like a compiler! That's just asking for them to be able to use their computers in ways the admin doesn't want them to.
Fedora 12 and unprivileged package installation Posted Dec 1, 2009 13:38 UTC (Tue) by simlo (subscriber, #10866) [Link]
Isn't the main problem that RPMs can't be installed in the users home directory instead of /? Then any user could install any RPM he wants to without being root. Ofcourse, it wouldn't make sense for system level programs, but for normal applications it would be really nice. It would require a lot of changes to each RPM, but I would say it would be worth it instead of opening for security hacks like these.
Otherwise, / should be uid dependent and therefore each user could see his own version of the installed software base without affecting the other users or the system. I think I read somewhere, that Plan9 can do just this. Can namespaces in Linux be used for this?
Fedora 12 and unprivileged package installation Posted Dec 3, 2009 23:26 UTC (Thu) by nix (subscriber, #2304) [Link]
Filesystem namespaces can be used for this, but allowing users to modify a
private copy of / has security implications: many many programs assume that things in /etc aren't modifiable except by privileged users (trivial example: /etc/passwd, /etc/shadow).
Fedora 12 and unprivileged package installation Posted Dec 5, 2009 23:23 UTC (Sat) by kasperd (guest, #11842) [Link]
If you want to go that way, I think the rpms should be installed in a directory named something similar to /var/usr/$USER.
The entire hierarchy under /var/usr should be writable only by some system user, installing packages should be done by a program that is suid to that user.
If two users installs the same package, then the files can be hardlinked into both users' directories. The program to perform the install can also manage some sort of quotas.
Obviously it should not be possible to install any suid or sgid executables or any device inodes. Running the install as a non-root user guarantees part of that.
There is a problem with how programs find their files. They would either need to be modified to use the USER environment variable, or you would need a symlink somewhere that magically points to /var/usr/$USER and then use paths through that. (There are already symlinks in /proc that magically changes depending on which process access them, so adding another magical symlink doesn't seem too far fetched). Of course it may still be problematic that an rpm can either be installed in the normal location by root or a different location by somebody else. Could be worked around by building two versions of each rpm.
The only reason I suggest a directory name depending on the user is, that one user installing a program shouldn't cause that program to show up in another user's path. Each user would have /var/usr/$USER/bin in their path, and only see programs they want to see there.
If some files are accessed by a path that is determined at compile time, maybe those should be put into a common directory instead. That would avoid most of the user dependent path requirements. Say user1 installs app with a binary named app and a library named libapp.so.1, then each file of the two files could be hardlinked in two locations.
/var/usr/user1/bin/app
And user1 would access /var/usr/user1/bin/app from the path which would then use /var/usr/common/lib/libapp.so.1. The common directories shouldn't be in any path, but if you want to specify the absolute path to for example an executable you would use the one in /var/usr/common/bin/app.
I may have missed some details that would need to be figured out, but I'm pretty sure it can be made to work within the normal unix security model, if anybody wants to do the work.
Fedora 12 and unprivileged package installation Posted Dec 6, 2009 1:52 UTC (Sun) by nix (subscriber, #2304) [Link]
I think that's half-right. You want the /var/usr/$USER idea, sure, but it
is bind-mounted by pam_mount into a per-user private mount, maybe /usr/usr (ew, maybe somewhere else) and *that* is what is referenced in PATHs.
(Most of the rest of your post is talking about problems that GNU stow and
Fedora 12 and unprivileged package installation Posted Jul 15, 2011 17:20 UTC (Fri) by fuhchee (subscriber, #40059) [Link]
"Since the release, and all of the publicity and complaints, the maintainers of PackageKit have decided to remove the feature."
It came back a few months later.
|
|||||||||||||