Fedora 12 lets unprivileged users install packages

Wow. The Debian OpenSSL fiasco left many a red-faced Debian developer and user, and made me wonder about my decision to choose Debian.

Looks like the Fedora crowd now have their very own WTF, so I don't feel so bad.

Wheel group. The end. No need to invent more crap
or fancy mechanics to deal with basic security we had solved years ago.

Wow. Totally absurd. Apparently you can't remove software this way either, only add it.

The comments are also pretty crazy too. David Zeuthen compares this to automounting storage devices. Hello? Automounting storage devices only happens when I am in the same room as the computer, inserting a new storage device.

So far I haven't seen a single user who asked for this, or thinks it's a good idea. Apparently it's time to forget about using "desktop" spins of Fedora. What's particularly sad is that security is one of the areas where Fedora still has an advantage over Ubuntu.

C.

A while back it was pointed out that the same 'security' facility was permitting non-root users to arbitrarily change the system time. The same voices took that same "but it's a desktop distribution!" and "you can turn it off by running <byzantine command never heard of by any unix admin>" kinds of positions.

What I really don't get is the dichotomy of also shipping SELinux by default which prohibits many things that Unix has classically allowed and can be quite tricky to deal with, even with all the tools Fedora has added, while at the same time giving regular users non-trivial swaths of root access without authentication.

Fedora used to have share a clear and auditable default security policy with most the rest of unixdom. Today it's a fedora specific undocumented mismash which changes from version to version that you have to use windows registry like tools to interact with.

My first look into the Fedora community. In response to user concerns on this issue, the comments from those I think may be senior Fedora people to the users include:
"I don't care"
"There's nothing to discuss here"
"Your rationale appears to be missing"
"before you complain too much"
"You either trust the Fedora repos or you don't"
"It's not insecure"
"the default policy may not be to your taste"

Really gives the user a warm welcome feeling!

I'm used to respectful, relevant and issue-related discussion in the Mandriva bug reporting environment, even if I made some error in having reported an apparent issue.

Remember vrms, that silly little tool in Debian that nags you when you install non-free software packages? Maybe we need a version that nags you about packages with "kit" in their names.

To those who complain: I'm just wondering, how many of you have potentially malicious local users?

And those who do, is there anyone who was, until now, using completely default installations without locking down anything (such as ability to shut down or suspend the system when a single local user, removing ability to automount media, etc.)?

This seems to be the default in Fedora 11 as well.

Adding software using the menus (System -> Administration -> Add/Remove Software) doesn't require a root password, or in fact any sort of password.

I must admit the first time I saw this I thought it was kind of neat...

WTF!!! Who is making the decisions here? Apparently not the users. Oh wait... User are the people who are running Ubuntu.

I can't really understand objections to this policy.

This would only seem to be a problem in the case that a user is logged in with the ability to elevate their privileges to install a package, then they go away leaving it unlocked, and another person starts using it and installs some software.

It's unlikely that you've let a malicious user physically access your unlocked machine while you're logged in but not present, and in this case they could already do far more damage than installing some software - they have unfettered access to your $HOME after all.

I just can't think of any circumstances in which this could cause any problems.

I am making the following assumptions:

1) This policy only allows users to install packages without a password, in cases where they previously would have been able to *with* one. This is my most important assumption and might be the point where opinions differ; if I'm wrong about this one then that would change things.

2) A corporate deployment of Fedora won't allow users to install packages, even *with* their password, so there is no change.

Less important ones:

3) The majority of home computers are used by only one user (Microsoft found that over 70% of computers are only ever used by one person)

4) The *overwhelming* majority of home computers are used by one or an small number of users, and anyone with access to it will already be able to install packages by entering their password.

5) A guest account could be created which requires no password, and has very limited permissions (for people who want to let somebody else use their computer).

I'm a CS student in charge of managing the workstations around here, some of which are Linux. And my reaction to this is: "WAT."

Just because something is in an official repository doesn't mean I'm totally okay with it being on my computer and my network. A clever student could manually compile some of those programs I specifically chose not to install, but if they need to be setuid (which a lot of the iffy ones do) then that won't help them much. If someone can be trusted to install software at a whim, then why aren't they already a sudoer?

Now it happens that I don't run Fedora on anything, but I *know* that a lot of admins of Linux workstations out there are not even gonna realize this is enabled till it bites them somehow. It totally goes against the principle of least surprise, as it's not expected behavior at all.

I was reading through the comments on the mailing list and I realize now
that having signed packages is insufficient to guarantee the security of
the packages.

The reason is because if a person uses a malicious mirror they can retain
outdated copies of the packages that contain known vulnerabilities. Then
they can trick administrators into using these outdated mirrors through a
MITM attack or DNS poisoning or something like that.

However this is a vulnerability for any method of updating your system.
This affects, but is not reserved to PackageKit... yum/apt-get/wget
pipes/etc are affected.

So the solution is that the server you download the lists of packages from
must be authenticated and communication must be secure through mechanisms
like TLS. Now the packages themselves don't have to be downloaded via a
TLS/SSL secured server because they are signed.. but the package management
system must always have the updated lists provided through a more secure
mechanism.

I don't have time to read the discussion (largely rehashed from prior discussions, I imagine) about the advantages and disadvantages of letting any user request system-wide package installation, but there are various working environments where letting users benefit from distribution packages would be a hugely beneficial thing. Of course, such packages would be installed as owned by the user, in the user's own area, and wouldn't be able to interact with privileged resources.

A while back, I took debootstrap, fakeroot and fakechroot and made a small project which combined them to let me install user-local packages on Debian/Ubuntu systems. While this was likely to be incomplete and possibly flawed (and unnecessary on my own personal machine), it would be hugely beneficial for me at work where I'm between a rock (being an unprivileged user on a Red Hat system) and a hard place (having to endure the usual institution-wide policies about software installation). Maybe I can use febootstrap and find a Fedora repository which is compatible with RHEL.

Not letting unprivileged users benefit from the system packaging infrastructure just drives people to niche package distribution systems like CPAN, Ruby Gems and Python's easy_install. Although these systems have their adherents, they are poor replacements for the infrastructure that may already be in place, but which is inaccessible to the disempowered end-user.

I'd like to see end-user package management done the right way: harnessing RPMs and Debian packages under the user's own privileges in order to automate (or bypass, really) the grunt-work of having to {.configure, make, make install} a bunch of libraries just to have access to a benign application that isn't likely to get installed by an administrator.