Fedora 12 and unprivileged package installation
Posted Nov 21, 2009 0:10 UTC (Sat) by drag (subscriber, #31333)
In reply to: Fedora 12 and unprivileged package installation by Frej
Parent article: Fedora 12 and unprivileged package installation
I wouldn't call it "slashdot worthy". That's just mean. He's smart and does
a good job expressing his editorial opinion. :)
But it was wrong to have it as the default for all local users and it was
wrong for them to do this without being more vocal about it. This is not a
_huge_ fuck-up, but it's something that in 20-20 hindsight is fairly obvious
and they should learn from that.
But security is a very difficult thing, right?
Prompting people for their own passwords for normal events conditions them
to use weak passwords. They have already proven their identity by being
able to log into the system in the first place. Asking them again is just
redundant. It's like forcing people to use their house key in order to
access the bathroom. Prompting people for root passwords just means that
they will use weak root passwords and will condition them to accept typing
in root password as a normal event.
In addition to that it does not provide any real additional security. If an
attacker has subverted your system or you do not trust the software you're
running in your home environment then additional passwords provide no real
additional benefit.
It's trivial to install a keylogger. Especially with the 'xrecord' extension
that is built into everybody's X server. If it were not for the fact that it
is broken in newer versions of Xorg's X server I could write a 30-line
python program (in addition to python-xlib) that would capture every
keystroke you type in and save it to a file or send it over the network. It
does not require any root rights or any privileges beyond access to your
user's account. It is probably very likely that it's still quite easy for
people to do keystroke loggers even with a broken Xrecord. There are a
dozen different programs that are designed specifically to do that for
doing automation or training or scripting or whatever. Like 'Xnee' (which
uses xrecord).
And people ignore pop-ups. After I've seen the same pop up 2-3 times I will
ignore it or (accidentally) ignore anything that looks almost exactly like
that. It's human nature. So that is not the answer either, except when an
event is rare.
"""Another way to solve this, is for desktop users just to install the app
per user (thus requiring no extra permissions). But we are stuck in
designing software that manages software, which is very nice for sysadmins
or others who want to sysadm their laptop ;)"""
They can already do that.
I used to regularly install video games and proprietary software and
similar things to my ~/Apps directory. I started doing that since I noticed
that most video games (like ID Quake3) tended to use really shitty file
system permissions. Fixing damage typical games and proprietary software
did to my directory tree was always a pain, so I always tried to avoid
giving them root access whenever possible. (I fixed this by avoiding
proprietary software now whenever possible). There is even an entire
~/.local/ directory for most Linux users you can install things to that
most people have never noticed.
Sure you can run 'ldconfig' and add library paths, but that's easy enough
to work around with simple shell scripts that you use to launch
applications.
Hell, you can run entire operating systems if you want entirely from your
home directory using Qemu (or KVM if you have that configured correctly).
This has some interesting security issues. For example:
My user cannot mount file systems on their own, not without using 'su' or
'sudo' to elevate privileges. They can use policykit to mount things, but
whatever. Let's see what happens when I plug a USB drive into my system:
$ ls -l /dev/sdb
brw-rw---- 1 root floppy 8, 16 Nov 20 17:49 /dev/sdb
Notice something interesting? Let's look at the defaults for my user:
drag@debian-router:~$ groups
drag dialout cdrom floppy audio video plugdev
Why does Debian do that? I have no freaking clue. It's not a terribly good
idea. Especially since the HAL/Devicekit stuff works so well so there
should be no need for that. But they still do that, tradition I suppose.
Now I can go and edit those things, but that will likely corrupt the FS and
be difficult. But if I go:
qemu -hda drive-image -hdc /dev/sdb
Then I can mount any file system I like on that drive with or without my
admin's approval. If he believed that by plugging in a USB drive that
contains important files and by formatting the volume Ext3 and setting up
file system permissions he could keep me from reading or writing to certain
files then he would be sorely mistaken. So now it's obvious that any sort
of file system level restriction in Debian is completely worthless against
the default user.
But after that any new user defaults to no group membership except their
own, so it's not too bad. Just as long as I don't get UID 1000 on Debian
then any removable media is safe from me. :)
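As an added example (this is not part of drag's comment, nor Debian or Fedora tooling), here is a small audit script from the administrator's side of the problem described above: given `ls -l` output for device nodes and a user's group list, it reports which nodes that user can read or write directly. A block device that is group-readable or group-writable means the file system permissions on the volume cannot restrict that user at all, which is exactly the /dev/sdb situation in the comment. The sample `ls -l` lines and the group list are constructed here, modelled on the /dev/sdb and `groups` output quoted above; the function and constant names are this example's own.

```python
import re

# Constructed sample: `ls -l` output for a few device nodes. The /dev/sdb
# line mirrors the one in the comment above; the other lines are made up.
SAMPLE_LS_OUTPUT = """\
brw-rw---- 1 root floppy  8, 16 Nov 20 17:49 /dev/sdb
brw-rw---- 1 root disk    8,  0 Nov 20 17:49 /dev/sda
brw-rw---- 1 root disk    8,  1 Nov 20 17:49 /dev/sda1
crw-rw---- 1 root dialout 4, 64 Nov 20 17:49 /dev/ttyS0
crw-rw-rw- 1 root root    1,  3 Nov 20 17:49 /dev/null
"""

# Constructed: the group list the comment shows for a default Debian user.
SAMPLE_GROUPS = "drag dialout cdrom floppy audio video plugdev".split()

# `ls -l` line for a device node: type+mode, link count, owner, group,
# major, minor, month, day, time, path. Regular files do not match.
LS_DEVICE_LINE = re.compile(
    r"^([bc][rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+,\s*\d+"
    r"\s+\S+\s+\d+\s+\S+\s+(\S+)$"
)


def parse_device_line(line):
    """Return (mode, owner, group, path) for a device-node line, else None."""
    m = LS_DEVICE_LINE.match(line.strip())
    return m.groups() if m else None


def access_for(mode, owner, group, user, user_groups):
    """Return 'rw', 'r', 'w' or '' for the user's direct access to the node.

    Unix picks exactly one bit triplet: owner bits if the user owns the node,
    otherwise group bits if the user is in the node's group, otherwise the
    'other' bits. Root is not special-cased; this audits ordinary users.
    """
    owner_bits, group_bits, other_bits = mode[1:4], mode[4:7], mode[7:10]
    if owner == user:
        bits = owner_bits
    elif group in user_groups:
        bits = group_bits
    else:
        bits = other_bits
    return "".join(b for b in bits if b in "rw")


def exposed_devices(ls_output, user, user_groups, kinds="b"):
    """List (path, access) for device nodes the user can touch without root.

    `kinds` selects node types: 'b' for block devices (raw access bypasses
    every file system permission on the volume), 'c' for character devices,
    'bc' for both.
    """
    findings = []
    for line in ls_output.splitlines():
        parsed = parse_device_line(line)
        if parsed is None:
            continue
        mode, owner, group, path = parsed
        if mode[0] not in kinds:
            continue
        access = access_for(mode, owner, group, user, user_groups)
        if access:
            findings.append((path, access))
    return findings


if __name__ == "__main__":
    # Default Debian first user vs. a later user with only their own group.
    for who, groups in (("drag", SAMPLE_GROUPS), ("alice", ["alice"])):
        hits = exposed_devices(SAMPLE_LS_OUTPUT, who, groups, kinds="bc")
        print(f"{who}: {hits or 'no direct device access'}")
```

On a live system the same function can be fed `ls -l /dev/sd* /dev/tty*` and the output of `groups`; any block device it reports for a non-root user is one whose file system permissions are only advisory for that user.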