|
|
Subscribe / Log in / New account

Fedora 12 to remove unprivileged package installation

Fedora 12 to remove unprivileged package installation

Posted Nov 20, 2009 16:08 UTC (Fri) by clugstj (subscriber, #4020)
In reply to: Fedora 12 to remove unprivileged package installation by drag
Parent article: Fedora 12 to remove unprivileged package installation

Wow, still trying to justify bad decisions. I haven't seen any use case that couldn't have been much more easily and transparently handled by "sudo". Putting this change in without even having it show up in the release notes deserves all the flaming that has been done - even if it had been a good idea.

to post comments

Fedora 12 to remove unprivileged package installation

Posted Nov 20, 2009 16:24 UTC (Fri) by drag (guest, #31333) [Link] (5 responses)

Well if your talking about granting passwordless ability to install packages to all local users then Fedora
screwed up on two accounts:

1. Did not put it in the release announcements.

2. Made it default for all local users. It should of only been the default for the initial user.

That was the big mistakes.

The passwordless stuff is actually a good feature though. Asking for the user's password is just
security theater because they have already proven their identity through passwords by being able to
log in before. In addition to that prompting users for their user password offers almost no protection
against attacker dwelling in their user account.

This is a huge misconception that prompting the user for their password multiple times is useful
security. It actually is more likely to make things worse since it encourages bad password policy and
numbs the user against real security concerns. Prompting them for the root password is counter
productive since the whole goal is to eliminate access to root in addition to promoting the same bad
password behaviors and encouraging the user to ignore real security concerns.

The number #1 threat to Linux desktop security is weak passwords. Requiring the user to use the
same passwords multiple times or requiring them to use passwords for regular events is making the
problem worse. Regularly popping up warning dialogs is very bad also. Either they have the rights to
perform the action or they don't.. bugging them over and over again when they have rights to the
action is very 'windows-like' in it's bad behavior.

If you still desire a password for regular desktop events then it should probably be a third 'admin'
password that is not root and is not the user's password. Even though that is still mostly theater it's
probably a good compormize.

Fedora 12 to remove unprivileged package installation

Posted Nov 20, 2009 16:33 UTC (Fri) by clugstj (subscriber, #4020) [Link] (4 responses)

Still haven't seen a use case that would have been difficult/impossible to implement with "sudo". Why the wheel reinvention?

Fedora 12 to remove unprivileged package installation

Posted Nov 20, 2009 16:47 UTC (Fri) by drag (guest, #31333) [Link] (3 responses)

> Still haven't seen a use case that would have been difficult/impossible to implement with "sudo". Why the wheel reinvention?

The use case is "Being able to perform daily desktop activities without granting access to the root account". That's all. Like I said people are trying to make this too complicated or something. I don't know.

The one use case that most people are probably using now and don't give a shit about is the ability to hotplug cameras and USB devices on their desktops. I haven't heard anybody screaming about this for a long time.. not since it was initially introduced and they mistakenly setup the policy for Gnome users to automount any volume and not just removable media.

That's traditionally root-only action that eliminated a big reason for using sudo on the desktop and increased the usability of the Linux desktop in a huge way. No root password prompt and no user password prompt. This goes for cdroms, usb keys, cameras, and other things. Would it make sense to deny the users this feature if they are not members of wheel and go back to requiring them to use sudo if they were members?

The ability to perform that action is configurable through policykit and users can decide the automount policy through configuring apps residing entirely in their user account. Administrators can configure all of this through the policykit/sabayon type stuff combined with other *kit things.

Fedora 12 to remove unprivileged package installation

Posted Nov 20, 2009 19:45 UTC (Fri) by dskoll (subscriber, #1630) [Link] (2 responses)

The use case is "Being able to perform daily desktop activities without granting access to the root account". That's all.

sudo grants restricted access to the root account. So does Policy Kit. The technical details differ (sudo does it in-process with a SUID binary; Policy Kit does it via IPC to a daemon running as root), but you're just quibbling over semantics by claiming that Policy Kit does not grant "access to the root account."

Note that I have no strong preferences for sudo over Policy Kit except for the general observation that very granular and tweakable security facilities are often harder to get right than less granular ones. However, as long as distros do a good job of providing sensible Policy Kit defaults, then Policy Kit is fine. The big issue was that F12's (now reverted) policy was not very sensible.

Fedora 12 to remove unprivileged package installation

Posted Nov 20, 2009 21:18 UTC (Fri) by drag (guest, #31333) [Link] (1 responses)

Yeah. The defaults were not that sensible. Only one user should be administrator and it should of been apparent in the release documentation.

However the Dbus IPC is sockets-based. Nothing exotic like a shared memory scheme or anything like that. It gives users root access via those privileged daemons in the a similar manner that having httpd running as root gives remote users root access over port 80.

So ya any security issues in dbus itself or the dbus libraries that applications use would quite easily lead to a compromise and that is something that distros and developers are going to have to be very careful about. As long as that is audited and user supplied input over dbus is carefully managed then it should reduce the attack vector for attackers seeking local root exploits by quite a bit for typical desktop users (vs traditional linux desktop were open sudo and su access are regularly used features)

Policy Kit vs sudo

Posted Nov 20, 2009 22:07 UTC (Fri) by dskoll (subscriber, #1630) [Link]

However the Dbus IPC is sockets-based. Nothing exotic like a shared memory scheme or anything like that. It gives users root access via those privileged daemons in the a similar manner that having httpd running as root gives remote users root access over port 80.

Except there are two huge differences:

  • No-one runs httpd as root. It drops privileges immediately after creating the listening socket.
  • The Policy Kit daemon is explicitly designed to run as root and do root-privileged things. That's its whole purpose, after all!

So it's not the case that all the security lies in dbus. The security lies in dbus and the policy kit daemon and in making sure your policies are correctly implemented. It's the last two (especially the last one) that will cause trouble.

I'm not convinced that a root-privileged daemon that sanitizes its input is any more or less secure than a SUID binary that sanitizes its environment, etc. It seems to me neither approach is inherently more or less secure.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds