Local users get to play root?

2009-11-18 Thread nodata

Yikes! When was it decided that non-root users get to play root?

Ref:
 https://bugzilla.redhat.com/show_bug.cgi?id=534047

This is horrible!

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list


Re: Local users get to play root?

2009-11-18 Thread Rahul Sundaram
On 11/18/2009 10:38 PM, nodata wrote:
> Yikes! When was it decided that non-root users get to play root?
> 
> Ref:
>  https://bugzilla.redhat.com/show_bug.cgi?id=534047
> 
> This is horrible!

The subject of the mail doesn't actually match the description in the
bug report.  Richard Hughes says:

"PackageKit allows you to install signed content from signed
repositories without a password by default. It only asks you to
authenticate if anything is unsigned or the signatures are wrong"

If you have a problem with this, do explain why. Not suggesting it is
not a problem but being more descriptive does help.

Rahul



Re: Local users get to play root?

2009-11-18 Thread Debayan Banerjee
2009/11/18 Rahul Sundaram :

>
> If you have a problem with this, do explain why. Not suggesting it is
> not a problem but being more descriptive does help.

Well, the security is dependent on the strength of the
repository/package signature verification scheme. I am not sure how
that is done exactly. Perhaps someone could shed some light.


-- 
Regards,
Debayan Banerjee



Re: Local users get to play root?

2009-11-18 Thread Jonathan Underwood
2009/11/18 Rahul Sundaram :
> On 11/18/2009 10:38 PM, nodata wrote:
>> Yikes! When was it decided that non-root users get to play root?
>>
>> Ref:
>>  https://bugzilla.redhat.com/show_bug.cgi?id=534047
>>
>> This is horrible!
>
> The subject of the mail doesn't actually match the description in the
> bug report.  Richard Hughes says:
>
> "PackageKit allows you to install signed content from signed
> repositories without a password by default. It only asks you to
> authenticate if anything is unsigned or the signatures are wrong"
>
> If you have a problem with this, do explain why. Not suggesting it is
> not a problem but being more descriptive does help.


Well, it's all a bit inconsistent presently:


$ yum install maxima
Loaded plugins: presto, refresh-packagekit
You need to be root to perform this command.
$ maxima
Command not found. Install package 'maxima' to provide command 'maxima'? [N/y]
 * Installing packages..
 * Getting information..
 * Resolving dependencies..
The following packages have to be installed:
 sbcl-1.0.30-2.fc12.x86_64                  Steel Bank Common Lisp
 wxBase-2.8.10-6.fc12.x86_64                Non-GUI support classes from the wxWidgets library
 wxGTK-2.8.10-6.fc12.x86_64                 GTK2 port of the wxWidgets GUI library
 gnuplot-common-4.2.6-1.fc12.x86_64         common gnuplot parts
 cl-asdf-20071110-7.fc12.noarch             Another System Definition Facility
 gnuplot-4.2.6-1.fc12.x86_64                A program for plotting mathematical expressions and data
 maxima-runtime-sbcl-5.19.2-1.fc12.x86_64   Maxima compiled with SBCL
 common-lisp-controller-6.15-8.fc12.noarch  Common Lisp source and compiler manager
Proceed with changes? [N/y]
 * Waiting for authentication..
 * Running..
 * Resolving dependencies..
 * Downloading packages..
 * Testing changes..
 * Installing packages..
 * Scanning applications.. [...@withnail ~]$ Command not found.
Install package 'maxima' to provide command 'maxima'? [N/y] ^C


... and what's more, it bails with "command not found" anyway. Which
component isn't working here?



Re: Local users get to play root?

2009-11-18 Thread Bastien Nocera
On Wed, 2009-11-18 at 18:08 +0100, nodata wrote:
> Yikes! When was it decided that non-root users get to play root?
> 
> Ref:
>   https://bugzilla.redhat.com/show_bug.cgi?id=534047
> 
> This is horrible!

Seems fair as the default for a desktop installation.

Once we get the new user management stuff into F13 [1], we'd probably
tighten that rule so that only admins are given the option, or all users
but with the need to authenticate as an admin.

[1]: https://fedoraproject.org/wiki/Features/UserAccountDialog



Re: Local users get to play root?

2009-11-18 Thread nodata

On 2009-11-18 18:08, nodata wrote:
> Yikes! When was it decided that non-root users get to play root?
>
> Ref:
> https://bugzilla.redhat.com/show_bug.cgi?id=534047
>
> This is horrible!

Just to elaborate:

A local user is allowed to install software on the machine without being 
prompted for the root password.


This is a recipe for disaster in my opinion.



Re: Local users get to play root?

2009-11-18 Thread Jon Ciesla

nodata wrote:
> On 2009-11-18 18:08, nodata wrote:
>> Yikes! When was it decided that non-root users get to play root?
>>
>> Ref:
>> https://bugzilla.redhat.com/show_bug.cgi?id=534047
>>
>> This is horrible!
>
> Just to elaborate:
>
> A local user is allowed to install software on the machine without
> being prompted for the root password.
>
> This is a recipe for disaster in my opinion.


So much for granting shell access on my servers. . .

--
in your fear, seek only peace
in your fear, seek only love

-d. bowie



Re: Local users get to play root?

2009-11-18 Thread nodata

On 2009-11-18 18:14, Rahul Sundaram wrote:
> On 11/18/2009 10:38 PM, nodata wrote:
>> Yikes! When was it decided that non-root users get to play root?
>>
>> Ref:
>>   https://bugzilla.redhat.com/show_bug.cgi?id=534047
>>
>> This is horrible!
>
> The subject of the mail doesn't actually match the description in the
> bug report.  Richard Hughes says:
>
> "PackageKit allows you to install signed content from signed
> repositories without a password by default. It only asks you to
> authenticate if anything is unsigned or the signatures are wrong"
>
> If you have a problem with this, do explain why. Not suggesting it is
> not a problem but being more descriptive does help.
>
> Rahul


Thanks. I have changed the title to:
"All users get to install software on a machine they do not have the 
root password to"




Re: Local users get to play root?

2009-11-18 Thread Seth Vidal



On Wed, 18 Nov 2009, Jon Ciesla wrote:
> nodata wrote:
>> On 2009-11-18 18:08, nodata wrote:
>>> Yikes! When was it decided that non-root users get to play root?
>>>
>>> Ref:
>>> https://bugzilla.redhat.com/show_bug.cgi?id=534047
>>>
>>> This is horrible!
>>
>> Just to elaborate:
>>
>> A local user is allowed to install software on the machine without being
>> prompted for the root password.
>>
>> This is a recipe for disaster in my opinion.
>
> So much for granting shell access on my servers. . .


You have PackageKit installed on servers? really?


-sv



Re: Local users get to play root?

2009-11-18 Thread nodata

On 2009-11-18 18:45, Bastien Nocera wrote:
> On Wed, 2009-11-18 at 18:08 +0100, nodata wrote:
>> Yikes! When was it decided that non-root users get to play root?
>>
>> Ref:
>>    https://bugzilla.redhat.com/show_bug.cgi?id=534047
>>
>> This is horrible!
>
> Seems fair as the default for a desktop installation.

It's the opposite behaviour to what is the known behaviour of Linux.

The default should be for the superuser to manage the box, with an
option for him or her to allow all users to install software on the box.

> Once we get the new user management stuff into F13 [1], we'd probably
> tighten that rule so that only admins are given the option, or all users
> but with the need to authenticate as an admin.
>
> [1]: https://fedoraproject.org/wiki/Features/UserAccountDialog




Re: Local users get to play root?

2009-11-18 Thread Rahul Sundaram
On 11/18/2009 11:19 PM, nodata wrote:

> 
> Thanks. I have changed the title to:
> "All users get to install software on a machine they do not have the
> root password to"

.. if the packages are signed and from a signed repository. So, you left
out the important part. Explain why this is a problem in a bit more
detail.

Rahul



Re: Local users get to play root?

2009-11-18 Thread Ralf Corsepius

On 11/18/2009 06:14 PM, Rahul Sundaram wrote:
> On 11/18/2009 10:38 PM, nodata wrote:
>
> "PackageKit allows you to install signed content from signed
> repositories without a password by default. It only asks you to
> authenticate if anything is unsigned or the signatures are wrong"
>
> If you have a problem with this, do explain why.

a) It contradicts multi user working principles.
"Arbitrary console user" is able to kill the application his fellow
worker, who is logged in from remote, is working with.

b) What if an upgrade fails badly?

c) What if an upgrade requires a reboot?

> Not suggesting it is
> not a problem but being more descriptive does help.




Re: Local users get to play root?

2009-11-18 Thread nodata

On 2009-11-18 18:48, Rahul Sundaram wrote:
> On 11/18/2009 11:19 PM, nodata wrote:
>>
>> Thanks. I have changed the title to:
>> "All users get to install software on a machine they do not have the
>> root password to"
>
> .. if the packages are signed and from a signed repository. So, you left
> out the important part. Explain why this is a problem in a bit more
> detail.
>
> Rahul

Why is it a problem? For all of the reasons that it has never been a
problem before. For the reason that the user is not the administrator of
the box, for the reason that the user is the user for a reason, for the
reason that by default Linux should act like Linux, for the reason that
the default is bad, for the reason that this is undocumented, for the
reason that it assumes automatic updates are enabled, for the reason
that the user is not the one with knowledge of the box and what
resources are available on it, for the reason that it may be against
corporate policy, for the reason of change management...




Re: Local users get to play root?

2009-11-18 Thread Jon Ciesla

Seth Vidal wrote:
> On Wed, 18 Nov 2009, Jon Ciesla wrote:
>> nodata wrote:
>>> On 2009-11-18 18:08, nodata wrote:
>>>> Yikes! When was it decided that non-root users get to play root?
>>>>
>>>> Ref:
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=534047
>>>>
>>>> This is horrible!
>>>
>>> Just to elaborate:
>>>
>>> A local user is allowed to install software on the machine without
>>> being prompted for the root password.
>>>
>>> This is a recipe for disaster in my opinion.
>>
>> So much for granting shell access on my servers. . .
>
> You have PackageKit installed on servers? really?
>
> -sv

I do if it's in the default DVD install, or was pulled in in an
upgrade.  I've never intentionally installed it, and yes I do.  Never
imagined it would be a problem.  I'll remove it.


--
in your fear, seek only peace
in your fear, seek only love

-d. bowie



Re: Local users get to play root?

2009-11-18 Thread Dennis J.

On 11/18/2009 06:49 PM, Seth Vidal wrote:
> On Wed, 18 Nov 2009, Jon Ciesla wrote:
>> nodata wrote:
>>> On 2009-11-18 18:08, nodata wrote:
>>>> Yikes! When was it decided that non-root users get to play root?
>>>>
>>>> Ref:
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=534047
>>>>
>>>> This is horrible!
>>>
>>> Just to elaborate:
>>>
>>> A local user is allowed to install software on the machine without
>>> being prompted for the root password.
>>>
>>> This is a recipe for disaster in my opinion.
>>
>> So much for granting shell access on my servers. . .
>
> You have PackageKit installed on servers? really?


Why shouldn't he? AFAIK there is nothing in the package warning users not 
to install this on a server.


What is the appropriate way to audit this kind of stuff? Presuming that
PackageKit uses PolicyKit to acquire the necessary privileges, is there a way
to query PolicyKit and ask "show me all instances where a process can
acquire root privileges without being asked for a password"?


I don't think it's a good idea to rely on admins knowing the magic 
handshake (or in this case the magic package list of dangerous apps) for 
security.


Regards,
  Dennis



Re: Local users get to play root?

2009-11-18 Thread Rahul Sundaram
On 11/18/2009 11:27 PM, nodata wrote:

> Why is it a problem? For all of the reasons that it has never been a
> problem before. For the reason that the user is not the administrator of
> the box, for the reason that the user is the user for a reason, for the
> reason that by default Linux should act like Linux, for the reason that
> the default is bad,

All of these seem rather circular.

> for the reason that this is undocumented,

I have asked for more documentation already, which I consider a valid point.

> for the
> reason that it assumes automatic updates are enabled,

I am not sure why you say that?  Automatic updates are not enabled by
default.

> for the reason
> that the user is not the one with knowledge of the box and what
> resources are available on it, for the reason that it may be against
> corporate policy, for the reason of change management...

Should the defaults be targeted towards home users or corporate desktops,
considering the short lifecycle of Fedora and the target audience?  I am
not sure there are corporate deployments, but wouldn't they have heavily
customized their desktop deployments and kickstarted them anyway?

Rahul



Re: Local users get to play root?

2009-11-18 Thread Seth Vidal



On Wed, 18 Nov 2009, Jon Ciesla wrote:
> Seth Vidal wrote:
>> On Wed, 18 Nov 2009, Jon Ciesla wrote:
>>> nodata wrote:
>>>> On 2009-11-18 18:08, nodata wrote:
>>>>> Yikes! When was it decided that non-root users get to play root?
>>>>>
>>>>> Ref:
>>>>> https://bugzilla.redhat.com/show_bug.cgi?id=534047
>>>>>
>>>>> This is horrible!
>>>>
>>>> Just to elaborate:
>>>>
>>>> A local user is allowed to install software on the machine without being
>>>> prompted for the root password.
>>>>
>>>> This is a recipe for disaster in my opinion.
>>>
>>> So much for granting shell access on my servers. . .
>>
>> You have PackageKit installed on servers? really?
>>
>> -sv
>
> I do if it's in the default DVD install, or was pulled in in an upgrade.
> I've never intentionally installed it, and yes I do.  Never imagined it would
> be a problem.  I'll remove it.


Maybe you and I have a different concept of 'Servers'. But I tend to 
install @core only and then remove items whenever I can for a server.


If it is a bad day I'll install X b/c something requires it but for 
servers I try to avoid anything beside the barest minimal I can have.


-sv



Re: Local users get to play root?

2009-11-18 Thread Seth Vidal



On Wed, 18 Nov 2009, Dennis J. wrote:
>> You have PackageKit installed on servers? really?
>
> Why shouldn't he? AFAIK there is nothing in the package warning users not to
> install this on a server.


like I said in another email - I think of installing things on servers as 
'barest minimal' and then adding things I require. Nothing else.


Maybe I'm in the minority.

-sv



Re: Local users get to play root?

2009-11-18 Thread nodata

On 2009-11-18 19:04, Seth Vidal wrote:
> On Wed, 18 Nov 2009, Jon Ciesla wrote:
>> Seth Vidal wrote:
>>> On Wed, 18 Nov 2009, Jon Ciesla wrote:
>>>> nodata wrote:
>>>>> On 2009-11-18 18:08, nodata wrote:
>>>>>> Yikes! When was it decided that non-root users get to play root?
>>>>>>
>>>>>> Ref:
>>>>>> https://bugzilla.redhat.com/show_bug.cgi?id=534047
>>>>>>
>>>>>> This is horrible!
>>>>>
>>>>> Just to elaborate:
>>>>>
>>>>> A local user is allowed to install software on the machine without
>>>>> being prompted for the root password.
>>>>>
>>>>> This is a recipe for disaster in my opinion.
>>>>
>>>> So much for granting shell access on my servers. . .
>>>
>>> You have PackageKit installed on servers? really?
>>>
>>> -sv
>>
>> I do if it's in the default DVD install, or was pulled in in an
>> upgrade. I've never intentionally installed it, and yes I do. Never
>> imagined it would be a problem. I'll remove it.
>
> Maybe you and I have a different concept of 'Servers'. But I tend to
> install @core only and then remove items whenever I can for a server.
>
> If it is a bad day I'll install X b/c something requires it but for
> servers I try to avoid anything beside the barest minimal I can have.
>
> -sv


Maybe you have a different concept of security, but I don't want any 
user on the server installing software, no matter what.





Re: Local users get to play root?

2009-11-18 Thread Jon Ciesla

Seth Vidal wrote:
> On Wed, 18 Nov 2009, Jon Ciesla wrote:
>> Seth Vidal wrote:
>>> On Wed, 18 Nov 2009, Jon Ciesla wrote:
>>>> nodata wrote:
>>>>> On 2009-11-18 18:08, nodata wrote:
>>>>>> Yikes! When was it decided that non-root users get to play root?
>>>>>>
>>>>>> Ref:
>>>>>> https://bugzilla.redhat.com/show_bug.cgi?id=534047
>>>>>>
>>>>>> This is horrible!
>>>>>
>>>>> Just to elaborate:
>>>>>
>>>>> A local user is allowed to install software on the machine without
>>>>> being prompted for the root password.
>>>>>
>>>>> This is a recipe for disaster in my opinion.
>>>>
>>>> So much for granting shell access on my servers. . .
>>>
>>> You have PackageKit installed on servers? really?
>>>
>>> -sv
>>
>> I do if it's in the default DVD install, or was pulled in in an
>> upgrade. I've never intentionally installed it, and yes I do.  Never
>> imagined it would be a problem.  I'll remove it.
>
> Maybe you and I have a different concept of 'Servers'. But I tend to
> install @core only and then remove items whenever I can for a server.
>
> If it is a bad day I'll install X b/c something requires it but for
> servers I try to avoid anything beside the barest minimal I can have.
>
> -sv

That's generally my MO as well.  Sometime, however, as I have mostly 
legacy hardware, some machines need to perform multiple functions.  
Really, though sometimes it's nice to tunnel a GUI through SSH, if I 
want to browse the repo that way.  Usually yum search, etc is enough.  
Sometimes it's not, quite.


--
in your fear, seek only peace
in your fear, seek only love

-d. bowie



Re: Local users get to play root?

2009-11-18 Thread Seth Vidal



On Wed, 18 Nov 2009, nodata wrote:
>>>> -sv
>>>
>>> I do if it's in the default DVD install, or was pulled in in an
>>> upgrade. I've never intentionally installed it, and yes I do. Never
>>> imagined it would be a problem. I'll remove it.
>>
>> Maybe you and I have a different concept of 'Servers'. But I tend to
>> install @core only and then remove items whenever I can for a server.
>>
>> If it is a bad day I'll install X b/c something requires it but for
>> servers I try to avoid anything beside the barest minimal I can have.
>>
>> -sv
>
> Maybe you have a different concept of security, but I don't want any user on
> the server installing software, no matter what.


right - which is why I wouldn't install PK on a server.

yum doesn't allow users to install pkgs, only root.

-sv



Re: Local users get to play root?

2009-11-18 Thread Bruno Wolff III
On Wed, Nov 18, 2009 at 23:18:28 +0530,
  Rahul Sundaram  wrote:
> On 11/18/2009 11:19 PM, nodata wrote:
> 
> > 
> > Thanks. I have changed the title to:
> > "All users get to install software on a machine they do not have the
> > root password to"
> 
> .. if the packages are signed and from a signed repository. So, you left
> out the important part. Explain why this is a problem in a bit more
> detail.

Besides other issues listed, the packages being installed may be privileged
programs that the admin doesn't want on the system, may start services or
schedule runs at specified times by default which might be considered a
problem by the admin, and the extra packages may use up too much disk space
and cause problems.



Re: Local users get to play root?

2009-11-18 Thread Jon Ciesla

Seth Vidal wrote:
> On Wed, 18 Nov 2009, nodata wrote:
>>>>> -sv
>>>>
>>>> I do if it's in the default DVD install, or was pulled in in an
>>>> upgrade. I've never intentionally installed it, and yes I do. Never
>>>> imagined it would be a problem. I'll remove it.
>>>
>>> Maybe you and I have a different concept of 'Servers'. But I tend to
>>> install @core only and then remove items whenever I can for a server.
>>>
>>> If it is a bad day I'll install X b/c something requires it but for
>>> servers I try to avoid anything beside the barest minimal I can have.
>>>
>>> -sv
>>
>> Maybe you have a different concept of security, but I don't want any
>> user on the server installing software, no matter what.
>
> right - which is why I wouldn't install PK on a server.
>
> yum doesn't allow users to install pkgs, only root.
>
> -sv

I just found PackageKit on a server that's never been anything but.  It
was installed with FC-2, which IIRC is pre-PackageKit.  Does this mean
it was pulled in by something else that no longer requires it?


--
in your fear, seek only peace
in your fear, seek only love

-d. bowie



Re: Local users get to play root?

2009-11-18 Thread Bruno Wolff III
On Wed, Nov 18, 2009 at 17:45:26 +,
  Bastien Nocera  wrote:
> 
> Once we get the new user management stuff into F13 [1], we'd probably
> tighten that rule so that only admins are given the option, or all users
> but with the need to authenticate as an admin.

This seems pretty reasonable.



Re: Local users get to play root?

2009-11-18 Thread Simo Sorce
On Wed, 2009-11-18 at 17:45 +, Bastien Nocera wrote:
> On Wed, 2009-11-18 at 18:08 +0100, nodata wrote:
> > Yikes! When was it decided that non-root users get to play root?
> > 
> > Ref:
> >   https://bugzilla.redhat.com/show_bug.cgi?id=534047
> > 
> > This is horrible!
> 
> Seems fair as the default for a desktop installation.
> 
> Once we get the new user management stuff into F13 [1], we'd probably
> tighten that rule so that only admins are given the option, or all users
> but with the need to authenticate as an admin.
> 
> [1]: https://fedoraproject.org/wiki/Features/UserAccountDialog

And what's wrong with the previous behavior, where you were explicitly
asked (through a checkbox) whether you wanted to give this privilege
to users or not?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: Local users get to play root?

2009-11-18 Thread Colin Walters
Hi,

On Wed, Nov 18, 2009 at 12:08 PM, nodata  wrote:
> Yikes! When was it decided that non-root users get to play root?

This is hardly the first "uid 0" operation we've granted users access
to in the operating system, and it won't be the last.  For example, on
a timesharing Unix system, non-uid 0 can't reboot the machine, but
it's clearly silly to ask for a root password to reboot for the
unmanaged case, so years ago the "consolehelper" system was added, and
that privilege is currently given to users at a physical display for
the machine.

We've used the "console" concept as our only tool in this respect for
a long time, and PolicyKit will ultimately replace all of it with a
far more fine grained system.

So you raise a reasonable issue, which is how do you know when the
defaults change, or new privileges are added?  We don't have a very
good system for that now; ideally we would detect when new packages
are added to @gnome-desktop that include PolicyKit policies, and use
that as a basis for release notes type of thing.

But, bottom line, if you're administering a Fedora-derived desktop,
you will need to get familiar with PolicyKit, and you may need to
tweak the defaults, which are more targeted for the self-managed case.



Re: Local users get to play root?

2009-11-18 Thread Seth Vidal



On Wed, 18 Nov 2009, Jon Ciesla wrote:
> Seth Vidal wrote:
>> On Wed, 18 Nov 2009, nodata wrote:
>>>>>> -sv
>>>>>
>>>>> I do if it's in the default DVD install, or was pulled in in an
>>>>> upgrade. I've never intentionally installed it, and yes I do. Never
>>>>> imagined it would be a problem. I'll remove it.
>>>>
>>>> Maybe you and I have a different concept of 'Servers'. But I tend to
>>>> install @core only and then remove items whenever I can for a server.
>>>>
>>>> If it is a bad day I'll install X b/c something requires it but for
>>>> servers I try to avoid anything beside the barest minimal I can have.
>>>>
>>>> -sv
>>>
>>> Maybe you have a different concept of security, but I don't want any user
>>> on the server installing software, no matter what.
>>
>> right - which is why I wouldn't install PK on a server.
>>
>> yum doesn't allow users to install pkgs, only root.
>>
>> -sv
>
> I just found PackageKit on a server that's never been anything but.  It was
> installed with FC-2, which IIRC is pre-PackageKit.  Does this mean it was
> pulled in by something else that no longer requires it?


Did you 'yum update' the box from fc-2 to whatever it is now? or how did 
you get there?


-sv



Re: Local users get to play root?

2009-11-18 Thread Rahul Sundaram
On 11/18/2009 11:44 PM, Bruno Wolff III wrote:
> 
> Besides other issues listed, the packages being installed may be privileged
> programs that the admin doesn't want on the system, may start services or
> schedule runs at specified times by default which might considered a
> problem by the admin, the extra packages may use up too much disk space
> and cause problems.

This assumes the user is different from an admin, which is not true for a
personal desktop.  This revolves back to what the default target
audience should be.  PackageKit's target audience is defined at

http://www.packagekit.org/pk-profiles.html

If it doesn't match what Fedora wants, then it should be tweaked but the
larger question should be addressed first.

Rahul



Re: Local users get to play root?

2009-11-18 Thread Konstantin Ryabitsev
2009/11/18 Jon Ciesla :
>> A local user is allowed to install software on the machine without being
>> prompted for the root password.
>>
>> This is a recipe for disaster in my opinion.
>>
> So much for granting shell access on my servers. . .

I may be wrong, but I understand that this behaviour of PackageKit
only applies to users with direct console access (i.e. not remote
shells). So, only users that are logged in via GDM or TTY would be
able to perform such tasks.

This significantly limits the number of users with powers to install
signed software -- almost to the point of where it sounds like a fair
trade-off. If someone has physical access to the machine, then heck --
it's not like they don't already effectively "own" it.

Not saying it's a good default policy -- but let's cool our heads.

Regards,
-- 
McGill University IT Security
Konstantin Ryabitsev
Montréal, Québec



Re: Local users get to play root?

2009-11-18 Thread Seth Vidal



On Wed, 18 Nov 2009, Konstantin Ryabitsev wrote:
> 2009/11/18 Jon Ciesla :
>>> A local user is allowed to install software on the machine without being
>>> prompted for the root password.
>>>
>>> This is a recipe for disaster in my opinion.
>>>
>> So much for granting shell access on my servers. . .
>
> I may be wrong, but I understand that this behaviour of PackageKit
> only applies to users with direct console access (i.e. not remote
> shells). So, only users that are logged in via GDM or TTY would be
> able to perform such tasks.
>
> This significantly limits the number of users with powers to install
> signed software -- almost to the point of where it sounds like a fair
> trade-off. If someone has physical access to the machine, then heck --
> it's not like they don't already effectively "own" it.
>
> Not saying it's a good default policy -- but let's cool our heads.


might be worth testing that feature with pkcon from an ssh terminal. I've 
not done that yet but I think it would be worth checking out.


-sv

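Dennis J. asked earlier in the thread how to query PolicyKit for every action a process can perform as root without a password, and Konstantin and Seth discuss whether the PackageKit grant applies only to local console sessions. The script below is an added example, not code from this thread or from the PackageKit or polkit projects: it parses the polkit-1 .policy action file format (the `<defaults>` block with `allow_any`, `allow_inactive` and `allow_active`) and reports, per scope, every action whose implicit authorisation is `yes`; the sample policy and its action ids are constructed, and /usr/share/polkit-1/actions is assumed to be where the installed .policy files live.

```python
"""Find polkit actions whose implicit authorisation needs no password.

Added example for the audit question raised in this thread; not code from
the PackageKit or polkit projects. The input format follows polkit-1
.policy files; the sample below is constructed and its action ids are made up.
"""
import glob
import os
import xml.etree.ElementTree as ET

# Constructed sample: one action open to an active console session without a
# prompt, one that always requires admin authentication. Ids are made up.
SAMPLE_POLICY = """<policyconfig>
  <action id="example.package-install-signed">
    <description>Install signed package from a signed repository</description>
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="example.package-install-untrusted">
    <description>Install an unsigned package</description>
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin</allow_active>
    </defaults>
  </action>
</policyconfig>
"""

# Scopes a client can fall into: any session (this is what a remote login
# such as ssh gets), a local but inactive console, an active local console.
SCOPES = ("allow_any", "allow_inactive", "allow_active")

# Only "yes" grants without any prompt; "no" denies, and the auth_self* /
# auth_admin* values all put up a password dialog.
NO_PROMPT = {"yes"}


def parse_policy(xml_text):
    """Return {action_id: {scope: value}} for one .policy document.

    A scope whose element is missing is recorded as "no", which is how
    polkit treats an absent default.
    """
    root = ET.fromstring(xml_text)
    actions = {}
    for action in root.iter("action"):
        defaults = action.find("defaults")
        entry = {}
        for scope in SCOPES:
            node = defaults.find(scope) if defaults is not None else None
            value = node.text.strip() if node is not None and node.text else "no"
            entry[scope] = value
        actions[action.get("id")] = entry
    return actions


def passwordless_actions(actions):
    """Map each action to the scopes in which it is granted with no prompt."""
    hits = {}
    for action_id, defaults in actions.items():
        open_scopes = [scope for scope in SCOPES if defaults[scope] in NO_PROMPT]
        if open_scopes:
            hits[action_id] = open_scopes
    return hits


def audit_directory(path="/usr/share/polkit-1/actions"):
    """Parse every *.policy file under path (assumed install location)."""
    merged = {}
    for fname in sorted(glob.glob(os.path.join(path, "*.policy"))):
        with open(fname, "rb") as fh:
            merged.update(parse_policy(fh.read()))
    return passwordless_actions(merged)


if __name__ == "__main__":
    # Runs against the constructed sample; call audit_directory() with a real
    # path to check an installed system instead.
    report = passwordless_actions(parse_policy(SAMPLE_POLICY))
    for action_id, scopes in sorted(report.items()):
        print("%s: no password needed for %s" % (action_id, ", ".join(scopes)))
```

Because the report is per scope, it also answers the console-versus-remote question: an action that is `yes` only under `allow_active` is open to a user at the physical display but still prompts a remote ssh session, which falls under `allow_any`. Local authority overrides (for example .pkla files under /etc/polkit-1/localauthority on polkit 0.9x) can change these shipped defaults and need to be audited as well.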


Re: Local users get to play root?

2009-11-18 Thread Rahul Sundaram
On 11/18/2009 11:48 PM, Colin Walters wrote:

> So you raise a reasonable issue, which is how do you know when the
> defaults change, or new privileges are added?  We don't have a very
> good system for that now; ideally we would detect when new packages
> are added to @gnome-desktop that include PolicyKit policies, and use
> that as a basis for release notes type of thing.
> 
> But, bottom line, if you're administering a Fedora-derived desktop,
> you will need to get familiar with PolicyKit, and you may need to
> tweak the defaults, which are more targeted for the self-managed case.

Detailed documentation and release notes must have been done as part of
this change however. Can that be provided now, so that we can update the
release notes?

Rahul



Re: Local users get to play root?

2009-11-18 Thread nodata

On 2009-11-18 19:18, Colin Walters wrote:
> Hi,
>
> On Wed, Nov 18, 2009 at 12:08 PM, nodata  wrote:
>> Yikes! When was it decided that non-root users get to play root?
>
> This is hardly the first "uid 0" operation we've granted users access
> to in the operating system, and it won't be the last.  For example, on
> a timesharing Unix system, non-uid 0 can't reboot the machine, but
> it's clearly silly to ask for a root password to reboot for the
> unmanaged case, so years ago the "consolehelper" system was added, and
> that privilege is currently given to users at a physical display for
> the machine.
>
> We've used the "console" concept as our only tool in this respect for
> a long time, and PolicyKit will ultimately replace all of it with a
> far more fine grained system.
>
> So you raise a reasonable issue, which is how do you know when the
> defaults change, or new privileges are added?  We don't have a very
> good system for that now; ideally we would detect when new packages
> are added to @gnome-desktop that include PolicyKit policies, and use
> that as a basis for release notes type of thing.
>
> But, bottom line, if you're administering a Fedora-derived desktop,
> you will need to get familiar with PolicyKit, and you may need to
> tweak the defaults, which are more targeted for the self-managed case.


This is a major change. I vote for secure by default.

If the admin wishes this "surprise-root" feature to be enabled he can 
enable it.




Re: Local users get to play root?

2009-11-18 Thread Bruno Wolff III
On Wed, Nov 18, 2009 at 13:05:31 -0500,
  Seth Vidal  wrote:
> 
> like I said in another email - I think of installing things on
> servers as 'barest minimal' and then adding things I require.
> Nothing else.
> 
> Maybe I'm in the minority.

I don't like the idea of packages being installed meaning I want them to run
services, schedule cron jobs or give elevated access by default. This kind
of thing makes it easy to shoot yourself in the foot. The purpose of not
installing packages should be to save disk space and resources needed for
updates, not security and integrity.



Re: Local users get to play root?

2009-11-18 Thread Seth Vidal



On Wed, 18 Nov 2009, Bruno Wolff III wrote:

> On Wed, Nov 18, 2009 at 23:18:28 +0530,
>  Rahul Sundaram  wrote:
> > On 11/18/2009 11:19 PM, nodata wrote:
> > > 
> > > Thanks. I have changed the title to:
> > > "All users get to install software on a machine they do not have the
> > > root password to"
> > 
> > .. if the packages are signed and from a signed repository. So, you left
> > out the important part. Explain why this is a problem in a bit more
> > detail.
> 
> Besides other issues listed, the packages being installed may be privileged
> programs that the admin doesn't want on the system, may start services or
> schedule runs at specified times by default which might be considered a
> problem by the admin, the extra packages may use up too much disk space
> and cause problems.

If there are pkgs which run daemons which are defaulting to ON when 
installed or on next reboot - then we should be auditing those pkgs. Last 
I checked we default to OFF and that should continue to be the case.


-sv



Re: Local users get to play root?

2009-11-18 Thread Simo Sorce
On Wed, 2009-11-18 at 23:29 +0530, Rahul Sundaram wrote:
> 
> Should the defaults be targeted towards home users or corporate
> desktop
> considering the short lifecycle of Fedora and the target audience?  I
> am
> not sure there are corporate deployments but wouldn't they be heavily
> customized their desktop deployments and kickstarting it anyway?

I am not a corporation yet *I* manage the machines I have at home, and
if *I* give an account to my friend foo *I* don't want him to be able to
install anything without asking me first, not even by mistake.

For better or worse even desktop Linux is a multi-user system and this
default is just crap and totally unnecessary given the previous version
allowed you to allow a user forever explicitly and without hassles.

This way I have to *fsck* remember each time to change it, this is
*wrong*, it doesn't respect the basic philosophy of least surprise.

I would almost consider it a security vulnerability and ask for a CVE to
be issued.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: Local users get to play root?

2009-11-18 Thread James Antill
On Wed, 2009-11-18 at 23:18 +0530, Rahul Sundaram wrote:
> On 11/18/2009 11:19 PM, nodata wrote:
> 
> > 
> > Thanks. I have changed the title to:
> > "All users get to install software on a machine they do not have the
> > root password to"
> 
> .. if the packages are signed and from a signed repository. So, you left
> out the important part. Explain why this is a problem in a bit more
> detail.

 That is important, and personally I have a lot of sympathy for some of
the desired use cases¹ I've heard about.
 On the other hand this does open up a lot of ways to attack the system,
esp. given that there is _no_ authentication ... as I had expected that
code running as the user would still have to authenticate as the user
(Hello Linux virus makers, welcome to the party).
 Off the top of my head, these are the first things I'd look at for
attacking a system with PK and this config:

1. Does "install" of obsoleting packages come under the same auth. (if
so I can now arbitrarily upgrade certain packages).

2. Does "install" of installonly come under the same auth. (if so I can
now stop kernel upgrades).

3. Are there any attacks due to disk space used? Eg. If /var is low² I
can probably install enough pkgs to make logging stop.

4. Are there any attacks against packages with "default on" services?
(Note that you can almost certainly wait until there is an attack, and
then install the insecure service).

5. Are there any attacks against packages with set*id apps? (Ditto. with
the waiting approach in #4).

6. Are there any attacks against packages which provide plugins? (Ditto.
waiting)

7. And the most obvious one ... how hard is it to get a bad package into
one of the repos. that the machine has enabled.


¹ Things like letting a spouse/child install a new
game/theme/editor/etc. without having to get "their admin" to do it.

² If /var is on a separate partition then spamming /var/tmp is a good
first step here.

-- 
James Antill - ja...@fedoraproject.org
http://yum.baseurl.org/wiki/releases
http://yum.baseurl.org/wiki/whatsnew/3.2.25
http://yum.baseurl.org/wiki/YumMultipleMachineCaching



Re: Local users get to play root?

2009-11-18 Thread Seth Vidal



On Wed, 18 Nov 2009, nodata wrote:

> On 2009-11-18 19:18, Colin Walters wrote:
> 
> This is a major change. I vote for secure by default.
> 
> If the admin wishes this "surprise-root" feature to be enabled he can enable 
> it.

I'm not sure how this is 'surprise root'. It will only allow installs of 
pkgs signed with a key you trust from a repo you've setup.

which pretty much means: if the admin trusts the repo, then it is okay.

if the admin doesn't trust the repo it should NOT be on the box and 
enabled b/c an untrusted repo can nuke your entire world.


-sv



Re: Local users get to play root?

2009-11-18 Thread Dennis J.

On 11/18/2009 07:05 PM, Seth Vidal wrote:
> 
> On Wed, 18 Nov 2009, Dennis J. wrote:
> 
> > > You have PackageKit installed on servers? really?
> > 
> > Why shouldn't he? AFAIK there is nothing in the package warning users
> > not to install this on a server.
> 
> like I said in another email - I think of installing things on servers
> as 'barest minimal' and then adding things I require. Nothing else.
> 
> Maybe I'm in the minority.

In fact I agree with you but this doesn't really address my point.
How do you make sure the packages that are part of your minimal list don't 
introduce such a backdoor with the next update?
I think the existence of PolicyKit actually could allow us to query it in 
the way I mentioned in my previous mail and get a quick picture of the 
privileges applications have access to. Consider it the PK equivalent of 
scanning your filesystems for setuid files.


Regards,
  Dennis



Re: Local users get to play root?

2009-11-18 Thread Simo Sorce
On Wed, 2009-11-18 at 13:10 -0500, Seth Vidal wrote:
> > Maybe you have a different concept of security, but I don't want any
> user on 
> > the server installing software, no matter what.
> 
> right - which is why I wouldn't install PK on a server.
> 
> yum doesn't allow users to install pkgs, only root.

Seth, the fact you prefer to use yum doesn't make it right to have an
insecure-by-default policy.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: Local users get to play root?

2009-11-18 Thread Simo Sorce
On Wed, 2009-11-18 at 12:16 -0600, Bruno Wolff III wrote:
> On Wed, Nov 18, 2009 at 17:45:26 +,
>   Bastien Nocera  wrote:
> > 
> > Once we get the new user management stuff into F13 [1], we'd probably
> > tighten that rule so that only admins are given the option, or all users
> > but with the need to authenticate as an admin.
> 
> This seems pretty reasonable.

In the meanwhile the F-11 policy was just fine.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: Local users get to play root?

2009-11-18 Thread Konstantin Ryabitsev
2009/11/18 Seth Vidal :
>> I may be wrong, but I understand that this behaviour of PackageKit
>> only applies to users with direct console access (i.e. not remote
>> shells). So, only users that are logged in via GDM or TTY would be
>> able to perform such tasks.
>>
>> This significantly limits the number of users with powers to install
>> signed software -- almost to the point of where it sounds like a fair
>> trade-off. If someone has physical access to the machine, then heck --
>> it's not like they don't already effectively "own" it.
>>
>> Not saying it's a good default policy -- but let's cool our heads.
>
> might be worth testing that feature with pkcon from an ssh terminal. I've
> not done that yet but I think it would be worth checking out.

Looks to be the case:

bu...@localhost's password:
[bu...@smaug ~]$ uqm
Command not found. Install package 'uqm' to provide command 'uqm'? [N/y]
 * Installing packages..
 * Getting information..
 * Resolving dependencies..
The following packages have to be installed:
 autodownloader-0.3.0-3.fc12.noarch GUI-tool to automate the download
of certain files
Proceed with changes? [N/y]
 * Waiting for authentication.. The transaction failed:
not-authorized, Failed to obtain authentication.
[bu...@smaug ~]$

Let's calm down now, please. :)

-- 
McGill University IT Security
Konstantin Ryabitsev
Montréal, Québec



Re: Local users get to play root?

2009-11-18 Thread Seth Vidal



On Wed, 18 Nov 2009, James Antill wrote:



1. Does "install" of obsoleting packages come under the same auth. (if
so I can now arbitrarily upgrade certain packages).

2. Does "install" of installonly come under the same auth. (if so I can
now stop kernel upgrades).


+1


4. Are there any attacks against packages with "default on" services?
(Note that you can almost certainly wait until there is an attack, and
then install the insecure service).


And if we have default on services then I think we should take a good 
LOONG look at them.



7. And the most obvious one ... how hard is it to get a bad package into
one of the repos. that the machine has enabled.


+many

-sv



Re: Local users get to play root?

2009-11-18 Thread Seth Vidal



On Wed, 18 Nov 2009, Simo Sorce wrote:

> On Wed, 2009-11-18 at 13:10 -0500, Seth Vidal wrote:
> > > Maybe you have a different concept of security, but I don't want any
> > user on
> > > the server installing software, no matter what.
> > 
> > right - which is why I wouldn't install PK on a server.
> > 
> > yum doesn't allow users to install pkgs, only root.
> 
> Seth, the fact you prefer to use yum doesn't make it right to have an
> insecure-by-default policy.

I didn't say it did - I said it didn't make sense to have items like PK on 
servers.


-sv



Re: Local users get to play root?

2009-11-18 Thread Bruno Wolff III
On Wed, Nov 18, 2009 at 13:22:03 -0500,
  Seth Vidal  wrote:
> 
> If there are pkgs which run daemons which are defaulting to ON when
> installed or on next reboot - then we should be auditing those pkgs.
> Last I checked we default to OFF and that should continue to be the
> case.

There definitely is some user oriented stuff that gets run by default, but
maybe only when using a desktop. Bluetooth seems to work that way. Installing
beagle and another indexing program I noticed recently but don't remember the
name of, schedule indexing operations by default. There is a mail client that
has an annoying desktop popup by the default just for having it installed.
There are other things that are needed for lots of stuff to function, such
as pulseaudio, so it's not always clear cut what the proper default should be.



Re: Local users get to play root?

2009-11-18 Thread Simo Sorce
On Wed, 2009-11-18 at 13:19 -0500, Konstantin Ryabitsev wrote:
> This significantly limits the number of users with powers to install
> signed software -- almost to the point of where it sounds like a fair
> trade-off. If someone has physical access to the machine, then heck --
> it's not like they don't already effectively "own" it.

Most of my users wouldn't be able to "own" it even if I let a root shell
open, but they would definitely be able to install or remove packages
using the GUI.

The difference is huge.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: Local users get to play root?

2009-11-18 Thread Jon Ciesla

Seth Vidal wrote:



On Wed, 18 Nov 2009, Jon Ciesla wrote:


Seth Vidal wrote:



On Wed, 18 Nov 2009, nodata wrote:


-sv


I do if it's in the default DVD install, or was pulled in in an
upgrade. I've never intentionally installed it, and yes I do. Never
imagined it would be a problem. I'll remove it.



Maybe you and I have a different concept of 'Servers'. But I tend to
install @core only and then remove items whenever I can for a server.

If it is a bad day I'll install X b/c something requires it but for
servers I try to avoid anything beside the barest minimal I can have.

-sv



Maybe you have a different concept of security, but I don't want 
any user on the server installing software, no matter what.


right - which is why I wouldn't install PK on a server.

yum doesn't allow users to install pkgs, only root.

-sv

I just found PackageKit on a server that's never been anything but.  
It was installed with FC-2, which IIRC is pre-PackageKit.  Does this 
mean it was pulled in by something else that no longer requires it?




Did you 'yum update' the box from fc-2 to whatever it is now? or how 
did you get there?


-sv


Yes, precisely, one release at a time.  Plan to do 12 in a few days.

--
in your fear, seek only peace
in your fear, seek only love

-d. bowie



Re: Local users get to play root?

2009-11-18 Thread Robert Locke
On Wed, 2009-11-18 at 13:05 -0500, Seth Vidal wrote:
> 
> On Wed, 18 Nov 2009, Dennis J. wrote:
> 
> >> You have PackageKit installed on servers? really?
> >
> > Why shouldn't he? AFAIK there is nothing in the package warning users not 
> > to 
> > install this on a server.
> 
> like I said in another email - I think of installing things on servers as 
> 'barest minimal' and then adding things I require. Nothing else.
> 
> Maybe I'm in the minority.
> 

I think the phrase would be "shrinking majority"

Picture Windows Server for a moment.  Now picture that admin coming over
to administer a new Linux server. What's he gonna install? Click 
repeatedly.

Not to mention the number of gui administrative tools that are getting
front billing or even becoming stated mandatory options for certain
applications, and, yes, we can always X11Forward, vnc or some such to
"remotely" administer with those tools, but it still means that the GUI
is being installed on "more servers" and the folks developing these GUI
tools had better be security conscious in choosing "defaults". I
don't think this one was a *good* choice.

--Rob



Re: Local users get to play root?

2009-11-18 Thread Seth Vidal



On Wed, 18 Nov 2009, Dennis J. wrote:

> In fact I agree with you but this doesn't really address my point.
> How do you make sure the packages that are part of your minimal list don't 
> introduce such a backdoor with the next update?

You check them.

That's the best you can do.

It's just like anything else:

How are you sure no one introduces a package into 'updates' which 
obsoletes glibc? We check them and hope we catch problems.


-sv



Re: Local users get to play root?

2009-11-18 Thread Simo Sorce
On Wed, 2009-11-18 at 13:23 -0500, Seth Vidal wrote:
> I'm not sure how this is 'surprise root'. IT will only allow installs
> of 
> pkgs signed with a key you trust from a repo you've setup.
> 
> which pretty much means: if the admin trusts the repo, then it is
> okay.
> 
> if the admin doesn't trust the repo it should NOT be on the box and 
> enabled b/c an untrusted repo can nuke your entire world.

I may trust the repo, that doesn't mean I want to allow installation of
any package that happens to live on that repo.

The problem is the *Default* not the fact that you can consciously allow
users to update without a password.

On some machines I allow that, no problem, because I explained to the users how
to do things, on some others not, and most importantly I do that per
user.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: Local users get to play root?

2009-11-18 Thread nodata

On 2009-11-18 19:28, Seth Vidal wrote:
> 
> On Wed, 18 Nov 2009, Simo Sorce wrote:
> 
> > On Wed, 2009-11-18 at 13:10 -0500, Seth Vidal wrote:
> > > > Maybe you have a different concept of security, but I don't want any
> > > user on
> > > > the server installing software, no matter what.
> > > 
> > > right - which is why I wouldn't install PK on a server.
> > > 
> > > yum doesn't allow users to install pkgs, only root.
> > 
> > Seth, the fact you prefer to use yum doesn't make it right to have an
> > insecure-by-default policy.
> 
> I didn't say it did - I said it didn't make sense to have items like PK
> on servers.

It doesn't make sense to define the security setup of a machine based on 
"oh well packagekit is installed, so it must be a desktop machine for 
which there is one or maybe two primary users who are all trusted to 
decide if they want to install software".


The fact is that there is quite a lot of badly written software that 
requires X to install. In fact, Red Hat's documentation tends to assume 
that X is installed by default. So do Red Hat's courses. And even their 
toolset. Ever used system-config-lvm-tui? No, it doesn't exist.


If X is there, PackageKit is there. The claimed link between the 
intended use and security profile of a machine depending on whether 
PackageKit is installed makes no sense.


It doesn't matter if I or you prefer @core on our servers, the customers 
want X because they're new to Linux and feel comfortable with it. They 
won't have some arcane knowledge about the disconnect between yum and 
rpm with packagekit, and how sometimes you have to be root, sometimes 
you don't.


Secure by default please, otherwise turn off selinux by default.



Re: Local users get to play root?

2009-11-18 Thread Simo Sorce
On Wed, 2009-11-18 at 13:28 -0500, Seth Vidal wrote:
> 
> On Wed, 18 Nov 2009, Simo Sorce wrote:
> 
> > On Wed, 2009-11-18 at 13:10 -0500, Seth Vidal wrote:
> >>> Maybe you have a different concept of security, but I don't want any
> >> user on
> >>> the server installing software, no matter what.
> >>
> >> right - which is why I wouldn't install PK on a server.
> >>
> >> yum doesn't allow users to install pkgs, only root.
> >
> > Seth, the fact you prefer to use yum doesn't make it right to have an
> > insecure-by-default policy.
> >
> 
> I didn't say it did - I said it didn't make sense to have items like PK on 
> servers.

add "for me" and I can agree with you.

Note I also don't like to install "desktop grade" packages on servers,
but that's just a preference, and should in no way change the security
of the machine.

Conscious choices: +1
Insecure defaults: -1
Difficult to find out how to change insecure defaults: -10

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: Local users get to play root?

2009-11-18 Thread Konstantin Ryabitsev
2009/11/18 Simo Sorce :
> On Wed, 2009-11-18 at 13:19 -0500, Konstantin Ryabitsev wrote:
>> This significantly limits the number of users with powers to install
>> signed software -- almost to the point of where it sounds like a fair
>> trade-off. If someone has physical access to the machine, then heck --
>> it's not like they don't already effectively "own" it.
>
> Most of my users wouldn't be able to "own" it even if I let a root shell
> open, but they would definitely be able to install or remove packages
> using the GUI.
>
> The difference is huge.

If I have physical access to your machine, I'll own it. I may have to
use tools to get to the HDD, but it's only a question of time and
dedication.

Now, there can be situations where someone has access to the TTY
console or GDM (usually when it's a VM guest or a machine behind a
network KVM), but most often, if someone can log in on the console,
they are sitting in front of the physical box, to which they have full
access.

Regards,
-- 
McGill University IT Security
Konstantin Ryabitsev
Montréal, Québec



Re: Local users get to play root?

2009-11-18 Thread nodata

On 2009-11-18 19:23, Seth Vidal wrote:
> 
> On Wed, 18 Nov 2009, nodata wrote:
> 
> > On 2009-11-18 19:18, Colin Walters wrote:
> > 
> > This is a major change. I vote for secure by default.
> > 
> > If the admin wishes this "surprise-root" feature to be enabled he can
> > enable it.
> 
> I'm not sure how this is 'surprise root'. It will only allow installs of
> pkgs signed with a key you trust from a repo you've setup.
> 
> which pretty much means: if the admin trusts the repo, then it is okay.

Err no. An admin trusts software he has chosen to install from the repo. I 
definitely don't want a user configuring an ftp server or running 
anything with a cronjob on a server I look after.

If software starts running on a server that I didn't put there, it gets 
taken offline.

But this is missing the point! PackageKit != non-server, abandon the 
defaults.

> if the admin doesn't trust the repo it should NOT be on the box and
> enabled b/c an untrusted repo can nuke your entire world.

It's not about trusting a repo, it's about trusting the user.



Re: Local users get to play root?

2009-11-18 Thread nodata

On 2009-11-18 19:16, Bruno Wolff III wrote:
> On Wed, Nov 18, 2009 at 17:45:26 +,
>    Bastien Nocera  wrote:
> > 
> > Once we get the new user management stuff into F13 [1], we'd probably
> > tighten that rule so that only admins are given the option, or all users
> > but with the need to authenticate as an admin.
> 
> This seems pretty reasonable.

I don't like the way Fedora is going with this: digging out something 
that works and saying "we'll replace it later" makes no sense. Make it 
work now, or *keep it in*.




Re: Local users get to play root?

2009-11-18 Thread Simo Sorce
On Wed, 2009-11-18 at 13:41 -0500, Konstantin Ryabitsev wrote:
> 2009/11/18 Simo Sorce :
> > On Wed, 2009-11-18 at 13:19 -0500, Konstantin Ryabitsev wrote:
> >> This significantly limits the number of users with powers to install
> >> signed software -- almost to the point of where it sounds like a fair
> >> trade-off. If someone has physical access to the machine, then heck --
> >> it's not like they don't already effectively "own" it.
> >
> > Most of my users wouldn't be able to "own" it even if I let a root shell
> > open, but they would definitely be able to install or remove packages
> > using the GUI.
> >
> > The difference is huge.
> 
> If I have physical access to your machine, I'll own it. I may have to
> use tools to get to the HDD, but it's only a question of time and
> dedication.

*you* are not one of my users, and this has nothing to do with *you*
hacking in my machine. If I have physical access to a machine I do not
even care about what's installed on it. In 99% of the cases I will just
be able to boot from a live cd. That's a completely different issue.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: Local users get to play root?

2009-11-18 Thread Chris Adams
Once upon a time, Rahul Sundaram  said:
> .. if the packages are signed and from a signed repository. So, you left
> out the important part. Explain why this is a problem in a bit more
> detail.

Fedora has made a big push into the multi-user desktop (which many home
computers are now) with things like fast user switching.  In many such
setups, not all users are considered "administrators" of the system
(think parents and kids for example).  However, Fedora continues to slip
in (with no announcement and no documentation on how to change) things
that allow the console user to be an administrator without any
additional authentication.

The answer here has been "well root should lock it down".  With the
ever-increasing complexity of the system, it is becoming more difficult
than ever to find (or even know about) all of the ways a system must be
locked down.  "find / -perm +6000" doesn't cut it anymore, but there's
no documentation of all the ways a regular user can do administrative
tasks without an administrative password.

It seems the latest way of doing this is via PolicyKit.  IMHO all
PolicyKit configuration should be "secure by default", and then desktop
spins can include overrides in /etc to loosen-up security where desired.
This would also make it much easier to find and clearer to see what
might need to be changed for local policy.

Right now, I see files /usr/share/PolicyKit/policy; I guess that's where
this kind of thing comes from.  How do I override the settings in one of
these files?  None of them are marked "config", so I guess I don't edit
them.  Are there other places such policy can be set?

-- 
Chris Adams 
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
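Dennis J. earlier in the thread suggests querying PolicyKit for the privileges applications get, the PK equivalent of scanning a filesystem for setuid files, and Chris Adams above points at the .policy files under /usr/share/PolicyKit/policy as the place the defaults come from. The script below is an added example for this thread, not code from the thread or from the PolicyKit project: it parses .policy XML files and lists every action whose defaults grant a result of "yes" (no authentication at all) to some session class. The sample policy it runs on when given no argument is constructed for the example and its action ids are made up; the assumption that a polkit-1 install keeps its shipped defaults under /usr/share/polkit-1/actions is mine, not something the thread states.

```python
"""Inventory PolicyKit action defaults that grant a privilege with no
authentication.  Added example for this thread, not PolicyKit's own code."""
import os
import sys
import xml.etree.ElementTree as ET

# The three session classes a <defaults> element can set a result for.
SESSION_CLASSES = ("allow_any", "allow_inactive", "allow_active")

# Result values that hand out the privilege with no password prompt.
NO_AUTH = {"yes"}

# Constructed sample in the .policy format.  The action ids are invented
# for this example and do not name any real PackageKit action.
SAMPLE_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>
  <vendor>constructed example</vendor>
  <action id="org.example.pkgtool.install-signed">
    <description>Install signed packages (constructed action id)</description>
    <message>Authentication is required to install packages</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.example.pkgtool.install-untrusted">
    <description>Install unsigned packages (constructed action id)</description>
    <message>Authentication is required to install untrusted packages</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin</allow_active>
    </defaults>
  </action>
</policyconfig>
"""


def parse_policy(xml_text):
    """Return one dict per <action>: its id and the default result for each
    session class.  A missing <defaults> entry is treated as "no", which is
    what an absent element means in the policy format."""
    if isinstance(xml_text, str):
        xml_text = xml_text.encode("utf-8")
    root = ET.fromstring(xml_text)
    actions = []
    for action in root.iter("action"):
        entry = {"id": action.get("id")}
        entry.update({cls: "no" for cls in SESSION_CLASSES})
        defaults = action.find("defaults")
        if defaults is not None:
            for cls in SESSION_CLASSES:
                node = defaults.find(cls)
                if node is not None and node.text:
                    entry[cls] = node.text.strip()
        actions.append(entry)
    return actions


def unauthenticated_actions(actions):
    """Actions granted outright to at least one session class."""
    return [a for a in actions if any(a[cls] in NO_AUTH for cls in SESSION_CLASSES)]


def report(actions):
    """Human-readable line per unauthenticated action, naming the classes."""
    lines = []
    for a in unauthenticated_actions(actions):
        granted = [cls for cls in SESSION_CLASSES if a[cls] in NO_AUTH]
        lines.append(f"{a['id']}: no authentication for {', '.join(granted)}")
    return lines


def scan_policy_dir(path):
    """Walk a directory tree and parse every *.policy file found in it."""
    found = []
    for dirpath, _, files in os.walk(path):
        for name in sorted(files):
            if name.endswith(".policy"):
                with open(os.path.join(dirpath, name), "rb") as fh:
                    found.extend(parse_policy(fh.read()))
    return found


if __name__ == "__main__":
    # Assumption: on a polkit-1 system the shipped defaults live under
    # /usr/share/polkit-1/actions; pass that (or any) directory as argv[1].
    acts = scan_policy_dir(sys.argv[1]) if len(sys.argv) > 1 else parse_policy(SAMPLE_POLICY)
    for line in report(acts) or ["no unauthenticated actions found"]:
        print(line)
```

Run it against the policy directory once to get a baseline inventory, keep the output, and re-run after each update: a diff of the two listings is the per-machine version of the release-notes alarm the thread asks for. It only reads the shipped defaults, so a local override installed elsewhere (the override mechanism Chris asks about) is not reflected in its output.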



Re: Local users get to play root?

2009-11-18 Thread Dennis J.

On 11/18/2009 07:30 PM, Seth Vidal wrote:
> 
> On Wed, 18 Nov 2009, Dennis J. wrote:
> 
> > In fact I agree with you but this doesn't really address my point.
> > How do you make sure the packages that are part of your minimal list
> > don't introduce such a backdoor with the next update?
> 
> You check them.
> 
> That's the best you can do.
> 
> It's just like anything else:
> 
> How are you sure no one introduces a package into 'updates' which
> obsoletes glibc? We check them and hope we catch problems.

Changing policy is not the same as introducing a problem. There should at 
least be a process for packages to go through if they want to make changes 
like PackageKit did, so that this kind of thing shows up on people's radars 
earlier, can be peer-reviewed and, if necessary, be mentioned in the 
release notes. Also these changes should probably not be introduced for 
updates between releases.
My basic point is that changes that allow packages to elevate their 
privileges should set off some process-based formal alarm when they are 
introduced rather than being discovered by accident after a release.


Regards,
  Dennis




Re: Local users get to play root?

2009-11-18 Thread Tony Nelson
On 09-11-18 13:44:43, nodata wrote:
> On 2009-11-18 19:16, Bruno Wolff III wrote:
> > On Wed, Nov 18, 2009 at 17:45:26 +,
> >Bastien Nocera  wrote:
> >>
> >> Once we get the new user management stuff into F13 [1], we'd
> >> probably tighten that rule so that only admins are given the 
> >> option, or all users but with the need to authenticate as an 
> >> admin.
> >
> > This seems pretty reasonable.
> 
> I don't like the way Fedora is going with this: digging out something 
> that works and saying "we'll replace it later" makes no sense. Make 
> it work now, or *keep it in*.

Fedora has always been this way.  Have you tried to use sound or video 
in the past few releases?  I think it's called "creative destruction".

-- 

TonyN.



Re: Local users get to play root?

2009-11-18 Thread nodata

On 2009-11-18 19:50, Tony Nelson wrote:
> On 09-11-18 13:44:43, nodata wrote:
> > On 2009-11-18 19:16, Bruno Wolff III wrote:
> > > On Wed, Nov 18, 2009 at 17:45:26 +,
> > > Bastien Nocera   wrote:
> > > > 
> > > > Once we get the new user management stuff into F13 [1], we'd
> > > > probably tighten that rule so that only admins are given the
> > > > option, or all users but with the need to authenticate as an
> > > > admin.
> > > 
> > > This seems pretty reasonable.
> > 
> > I don't like the way Fedora is going with this: digging out something
> > that works and saying "we'll replace it later" makes no sense. Make
> > it work now, or *keep it in*.
> 
> Fedora has always been this way.  Have you tried to use sound or video
> in the past few releases?  I think it's called "creative destruction".

and ripping out the boot log for several releases... that was the 
opposite of helpful.




Re: Local users get to play root?

2009-11-18 Thread Jesse Keating
On Wed, 2009-11-18 at 13:22 -0500, James Antill wrote:
> 
> 7. And the most obvious one ... how hard is it to get a bad package into
> one of the repos. that the machine has enabled. 

Right, PK is counting on this being sufficiently difficult enough to
prevent bad things from happening.  While I'd like to think that, and
would like to say that, I can't.

-- 
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating



Re: Local users get to play root?

2009-11-18 Thread Casey Dahlin
On 11/18/2009 01:14 PM, Rahul Sundaram wrote:
> On 11/18/2009 11:44 PM, Bruno Wolff III wrote:
>>
>> Besides other issues listed, the packages being installed may be privileged
>> programs that the admin doesn't want on the system, may start services or
>> schedule runs at specified times by default which might be considered a
>> problem by the admin, the extra packages may use up too much disk space
>> and cause problems.
> 
> This assumes the user is different from an admin, which is not true for a
> personal desktop.  This revolves back to what the default target
> audience should be.  PackageKit target audience is defined at
> 
> http://www.packagekit.org/pk-profiles.html
> 
> If it doesn't match what Fedora wants, then it should be tweaked but the
> larger question should be addressed first.
> 
> Rahul
> 

Security-relevant defaults aren't set for the common case. They're set for the 
tightest case. For the desktop user maybe this works fine. For the server user, 
we've killed our security guarantee completely. It doesn't matter if you can 
change it. If the system boots so much as once with the default setup it may 
/already be too late/. By the admin's first opportunity to change the settings 
the box could already be rooted.

--CJD



Re: Local users get to play root?

2009-11-18 Thread nodata

Am 2009-11-18 19:14, schrieb Rahul Sundaram:
> On 11/18/2009 11:44 PM, Bruno Wolff III wrote:
>> Besides other issues listed, the packages being installed may be privileged
>> programs that the admin doesn't want on the system, may start services or
>> schedule runs at specified times by default which might be considered a
>> problem by the admin, the extra packages may use up too much disk space
>> and cause problems.
>
> This assumes the user is different from an admin, which is not true for a
> personal desktop.  This revolves back to what the default target
> audience should be.  PackageKit target audience is defined at
>
> http://www.packagekit.org/pk-profiles.html
>
> If it doesn't match what Fedora wants, then it should be tweaked but the
> larger question should be addressed first.
>
> Rahul

Rahul, it seems to me that the person who made this change (fesco
approved?) is the one who should answer why the change is a good thing,
rather than "oh I changed it, now tell me why it's bad". Do you know who
it was?




Re: Local users get to play root?

2009-11-18 Thread Konstantin Ryabitsev
2009/11/18 Simo Sorce :
>> If I have physical access to your machine, I'll own it. I may have to
>> use tools to get to the HDD, but it's only a question of time and
>> dedication.
>
> *you* are not one of my users, and this has nothing to do with *you*
> hacking in my machine. If I have physical access to a machine I do not
> even care about what's installed on it. In 99% of the cases I will just
> be able to boot from a live cd. That's a completely different issue.

Well, then we're violently agreeing about the same thing.

Anyway. It doesn't look like this is a change in Fedora policy,
because it clearly caught everyone off-guard. Looks like PK developer
made an executive decision and it's up to us to either issue an update
to revert to the previous behaviour, or to continue debating whether
allowing local console users to install trusted software from trusted
repositories is a sane security trade-off.

Regards,
-- 
McGill University IT Security
Konstantin Ryabitsev
Montréal, Québec



Re: Local users get to play root?

2009-11-18 Thread Casey Dahlin
On 11/18/2009 01:22 PM, James Antill wrote:
> 
> 3. Are there any attacks due to disk space used? Eg. If /var is low² I
> can probably install enough pkgs to make logging stop.
> 

I'm betting there's still enough systems out there without enough space in /usr 
for the entire package set.

--CJD



Re: Local users get to play root?

2009-11-18 Thread Konstantin Ryabitsev
2009/11/18 Casey Dahlin :
> On 11/18/2009 01:22 PM, James Antill wrote:
>>
>> 3. Are there any attacks due to disk space used? Eg. If /var is low² I
>> can probably install enough pkgs to make logging stop.
>>
>
> I'm betting there's still enough systems out there without enough space in 
> /usr for the entire package set.

That's kind of a silly exercise in what-ifs. The default anaconda
partition scheme is /boot, , and /. If someone wanted to fill up
the disk, they can just write to /tmp on a default install.

Regards,
-- 
McGill University IT Security
Konstantin Ryabitsev
Montréal, Québec



Re: Local users get to play root?

2009-11-18 Thread Rahul Sundaram
On 11/19/2009 12:31 AM, nodata wrote:
> 
> Rahul, it seems to be that the person who made this change (fesco
> approved?) is the one who should answer why the change is a good thing,
> rather than "oh I changed it, now tell me why it's bad". Do you know who
> it was?

I don't see why FESCo should be involved and I have no idea who made
this decision. I would have preferred the change to be announced and
documented in detail regardless of that. I assume David Zeuthen? (CC'ed)

Rahul



Re: Local users get to play root?

2009-11-18 Thread Seth Vidal



On Wed, 18 Nov 2009, Konstantin Ryabitsev wrote:
> 2009/11/18 Casey Dahlin :
>> On 11/18/2009 01:22 PM, James Antill wrote:
>>> 3. Are there any attacks due to disk space used? Eg. If /var is low² I
>>> can probably install enough pkgs to make logging stop.
>>
>> I'm betting there's still enough systems out there without enough space in /usr
>> for the entire package set.
>
> That's kind of a silly exercise in what-ifs. The default anaconda
> partition scheme is /boot, , and /. If someone wanted to fill up
> the disk, they can just write to /tmp on a default install.

well - except for the 5% reserved for root :)

-sv

Re: Local users get to play root?

2009-11-18 Thread Colin Walters
On Wed, Nov 18, 2009 at 1:48 PM, Chris Adams  wrote:
>
> It seems the latest way of doing this is via PolicyKit.  IMHO all
> PolicyKit configuration should be "secure by default",

"secure" is a meaningless term without reference to a deployment
model and threat model, but let's assume here for reference that what
you mean is that the shipped RPMs should be configured to not grant
any additional privileges over that afforded to the traditional Unix
timesharing model, and then the desktop kickstart modifies them.

I would agree with that, but it's not trivial.  Are we just scoping in
PackageKit here, or also consolehelper @console actions?  Does it
imply removing the setuid bit from /bin/ping?

> Right now, I see files /usr/share/PolicyKit/policy; I guess that's where
> this kind of thing comes from.  How do I override the settings in one of
> these files?  None of them are marked "config", so I guess I don't edit
> them.  Are there other places such policy can be set?

See "man PolicyKit.conf"



Re: Local users get to play root?

2009-11-18 Thread Richard Hughes
2009/11/18 Jonathan Underwood :
> Well, it's all a bit inconsistent presently:
> $ yum install maxima
> Loaded plugins: presto, refresh-packagekit
> You need to be root to perform this command.

yum isn't PackageKit. Different tools, different feature-sets.

Richard.



Re: Local users get to play root?

2009-11-18 Thread Simo Sorce
On Wed, 2009-11-18 at 14:11 -0500, Colin Walters wrote:
> 
> I would agree with that, but it's not trivial.  Are we just scoping in
> PackageKit here, or also consolehelper @console actions?  Does it
> imply removing the setuid bit from /bin/ping?

It seem obvious we are talking only about this specific behavior of
PackageKit at the moment.

Now if it were at least *easy* to revert this behavior ...
Take a default F-12 and without much knowledge try to change it (like I
would want to do if I had kids).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: Local users get to play root?

2009-11-18 Thread Richard Hughes
2009/11/18 Casey Dahlin :
> By the admin's first opportunity to change the settings the box could already 
> be rooted.

I'm not sure how you can root a computer from installing signed
content by a user that already has physical access to the machine.

Richard.



Re: Local users get to play root?

2009-11-18 Thread Casey Dahlin
On 11/18/2009 02:10 PM, Seth Vidal wrote:
> 
> 
> On Wed, 18 Nov 2009, Konstantin Ryabitsev wrote:
> 
>> 2009/11/18 Casey Dahlin :
>>> On 11/18/2009 01:22 PM, James Antill wrote:

 3. Are there any attacks due to disk space used? Eg. If /var is low² I
 can probably install enough pkgs to make logging stop.

>>>
>>> I'm betting there's still enough systems out there without enough
>>> space in /usr for the entire package set.
>>
>> That's kind of a silly exercise in what-ifs. The default anaconda
>> partition scheme is /boot, , and /. If someone wanted to fill up
>> the disk, they can just write to /tmp on a default install.
> 
> well - except for the 5% reserved for root :)
> 
> -sv
> 

Which isn't safe from this since ultimately it's root doing the install on the 
unprivileged user's behalf.

--CJD



Re: Local users get to play root?

2009-11-18 Thread Seth Vidal



On Wed, 18 Nov 2009, Casey Dahlin wrote:
> On 11/18/2009 02:10 PM, Seth Vidal wrote:
>> On Wed, 18 Nov 2009, Konstantin Ryabitsev wrote:
>>> 2009/11/18 Casey Dahlin :
>>>> On 11/18/2009 01:22 PM, James Antill wrote:
>>>>> 3. Are there any attacks due to disk space used? Eg. If /var is low² I
>>>>> can probably install enough pkgs to make logging stop.
>>>>
>>>> I'm betting there's still enough systems out there without enough
>>>> space in /usr for the entire package set.
>>>
>>> That's kind of a silly exercise in what-ifs. The default anaconda
>>> partition scheme is /boot, , and /. If someone wanted to fill up
>>> the disk, they can just write to /tmp on a default install.
>>
>> well - except for the 5% reserved for root :)
>>
>> -sv
>
> Which isn't safe from this since ultimately it's root doing the install on the
> unprivileged user's behalf.

which is why I said the user filling up /tmp couldn't fill up the whole
disk..


-sv

Re: Local users get to play root?

2009-11-18 Thread Andrew Haley
Seth Vidal wrote:
> 
> On Wed, 18 Nov 2009, nodata wrote:
> 
> -sv
>
 I do if it's in the default DVD install, or was pulled in in an
 upgrade. I've never intentionally installed it, and yes I do. Never
 imagined it would be a problem. I'll remove it.

>>> Maybe you and I have a different concept of 'Servers'. But I tend to
>>> install @core only and then remove items whenever I can for a server.
>>>
>>> If it is a bad day I'll install X b/c something requires it but for
>>> servers I try to avoid anything beside the barest minimal I can have.
>>>
>> Maybe you have a different concept of security, but I don't want any user on 
>> the server installing software, no matter what.
> 
> right - which is why I wouldn't install PK on a server.
> 
> yum doesn't allow users to install pkgs, only root.

$ sudo rpm -e PackageKit
error: Failed dependencies:
...
PackageKit is needed by (installed) setroubleshoot-2.2.42-1.fc12.x86_64

Ouch.  I like setroubleshoot.

Is there some way to disable PackageKit but keep setroubleshoot?

Andrew.



Re: Local users get to play root?

2009-11-18 Thread Richard Hughes
2009/11/18 Andrew Haley :
> Is there some way to disable PackageKit but keep setroubleshoot?

Just set all the policykit answers to "no". You'll find more than just
setroubleshoot breaks if you do this.

Richard.



Re: Local users get to play root?

2009-11-18 Thread Bob Arendt

On 11/18/09 12:03, Konstantin Ryabitsev wrote:
> 2009/11/18 Simo Sorce:
>>> If I have physical access to your machine, I'll own it. I may have to
>>> use tools to get to the HDD, but it's only a question of time and
>>> dedication.
>>
>> *you* are not one of my users, and this has nothing to do with *you*
>> hacking in my machine. If I have physical access to a machine I do not
>> even care about what's installed on it. In 99% of the cases I will just
>> be able to boot from a live cd. That's a completely different issue.
>
> Well, then we're violently agreeing about the same thing.
>
> Anyway. It doesn't look like this is a change in Fedora policy,
> because it clearly caught everyone off-guard. Looks like PK developer
> made an executive decision and it's up to us to either issue an update
> to revert to the previous behaviour, or to continue debating whether
> allowing local console users to install trusted software from trusted
> repositories is a sane security trade-off.

I haven't tried .. but does this also include the capability for
my grade-school child to *remove* software using their account?
Like gcc?  glibc?  gdm?  All fun activities ...



Re: Local users get to play root?

2009-11-18 Thread nodata

Am 2009-11-18 20:20, schrieb Richard Hughes:
> 2009/11/18 Casey Dahlin:
>> By the admin's first opportunity to change the settings the box could already
>> be rooted.
>
> I'm not sure how you can root a computer from installing signed
> content by a user that already has physical access to the machine.

You install software with a known buffer overflow before it is fixed and
exploit it. More software = more chances to exploit. Bingo!




Re: Local users get to play root?

2009-11-18 Thread Richard Hughes
2009/11/18 Bob Arendt :
> I haven't tried .. but does this also include the capability for
> my grade-school child to *remove* software using their account?
> Like gcc?  glibc?  gdm?  All fun activities ...

No, removing is a different "role" and requires a different
authentication. The default is to ask the root password for the
machine.

Richard.



Re: Local users get to play root?

2009-11-18 Thread Konstantin Ryabitsev
2009/11/18 Bob Arendt :
>> Anyway. It doesn't look like this is a change in Fedora policy,
>> because it clearly caught everyone off-guard. Looks like PK developer
>> made an executive decision and it's up to us to either issue an update
>> to revert to the previous behaviour, or to continue debating whether
>> allowing local console users to install trusted software from trusted
>> repositories is a sane security trade-off.
>
> I haven't tried .. but does this also include the capability for
> my grade-school child to *remove* software using their account?
> Like gcc?  glibc?  gdm?  All fun activities ..

[r...@smaug ~]# pkaction --action-id
org.freedesktop.packagekit.package-remove --verbose
org.freedesktop.packagekit.package-remove:
  description:   Remove package
  message:   Authentication is required to remove packages
  vendor:The PackageKit Project
  vendor_url:http://www.packagekit.org/
  icon:  package-x-generic
  implicit any:  no
  implicit inactive: no
  implicit active:   auth_admin_keep

So, not without a root password.

Regards,
-- 
McGill University IT Security
Konstantin Ryabitsev
Montréal, Québec

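A check a practitioner would want after reading the pkaction output above: which polkit actions on the box are granted to an active local session with no authentication at all, not just the one action Konstantin queried. The script below is an added example and is not part of this thread, of PackageKit or of polkit. It parses the same "pkaction --verbose" layout quoted above and can run the query against every registered action on a live system. The sample it embeds is constructed: the package-remove block mirrors the thread, while the action ID org.freedesktop.packagekit.package-install and the "yes" result shown for it are assumptions for illustration, not a record of what F12 shipped.

```shell
#!/bin/sh
# Added example, not from the thread or from polkit/PackageKit: audit
# which polkit actions an active local session gets without any
# authentication ("implicit active: yes" in "pkaction --verbose" output).

# Read one or more "pkaction --action-id ID --verbose" blocks on stdin
# and print the IDs whose "implicit active" result is "yes".
audit_implicit_active() {
    awk '
        # An action block starts with the ID on its own line, ending in ":".
        /^[^ ].*:$/            { action = substr($0, 1, length($0) - 1) }
        # The result for active local sessions is the last field.
        /^ *implicit active:/  { if ($NF == "yes") print action }
    '
}

# Same audit against the live system: ask pkaction for every registered
# action ID. Runs only where pkaction (polkit-1) is installed.
audit_live_system() {
    command -v pkaction >/dev/null 2>&1 || {
        echo "pkaction not found; is polkit-1 installed?" >&2
        return 1
    }
    for id in $(pkaction); do
        pkaction --action-id "$id" --verbose
    done | audit_implicit_active
}

# Constructed sample in the format quoted above. The package-remove block
# mirrors the thread; the package-install ID and its "yes" result are an
# assumption for illustration, not real output from an F12 box.
SAMPLE='org.freedesktop.packagekit.package-remove:
  description:       Remove package
  message:           Authentication is required to remove packages
  implicit any:      no
  implicit inactive: no
  implicit active:   auth_admin_keep
org.freedesktop.packagekit.package-install:
  description:       Install package
  message:           Authentication is required to install packages
  implicit any:      no
  implicit inactive: no
  implicit active:   yes
'

# Usage: pipe real or sample output through the filter; on a real box
# call audit_live_system instead.
printf '%s' "$SAMPLE" | audit_implicit_active
```

Anything the filter prints is an action that a logged-in local user gets for free; for a server that list should be empty, and each entry is a candidate for a local-authority override.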


Re: Local users get to play root?

2009-11-18 Thread Seth Vidal



On Wed, 18 Nov 2009, Richard Hughes wrote:
> 2009/11/18 Andrew Haley :
>> Is there some way to disable PackageKit but keep setroubleshoot?
>
> Just set all the policykit answers to "no". You'll find more than just
> setroubleshoot breaks if you do this.

How do you do this? Set the policykit answers to no?

-sv



Re: Local users get to play root?

2009-11-18 Thread Richard Hughes
2009/11/18 nodata :
> You install software with a known buffer overflow before it is fixed and
> exploit it. More software = more chances to exploit. Bingo!

Why would the additional package start extra services? I thought there
were guidelines about that. Anyway, if the user has physical access to
the machine, there are many quicker ways to root the box in question.
(Like rebooting, and using grub to go to runlevel 1)

Richard.



Re: Local users get to play root?

2009-11-18 Thread Casey Dahlin
On 11/18/2009 01:30 PM, Robert Locke wrote:
> 
> Picture Windows Server for a moment.  Now picture that admin coming over
> to administer a new Linux server. What's he gonna install? Click 
> repeatedly.
> 

I'd like to think that our policy toward that user is one of education rather 
than accommodation.

--CJD



Re: Local users get to play root?

2009-11-18 Thread Konstantin Ryabitsev
2009/11/18 nodata :
> Am 2009-11-18 20:20, schrieb Richard Hughes:
>>
>> 2009/11/18 Casey Dahlin:
>>>
>>> By the admin's first opportunity to change the settings the box could
>>> already be rooted.
>>
>> I'm not sure how you can root a computer from installing signed
>> content by a user that already has physical access to the machine.
>
> You install software with a known buffer overflow before it is fixed and
> exploit it. More software = more chances to exploit. Bingo!

If a user logged in from a physical local console wanted to exploit
their machine, this would be the hard way to do it.

Regards,
-- 
McGill University IT Security
Konstantin Ryabitsev
Montréal, Québec



Re: Local users get to play root?

2009-11-18 Thread Chris Adams
Once upon a time, Colin Walters  said:
> On Wed, Nov 18, 2009 at 1:48 PM, Chris Adams  wrote:
> > It seems the latest way of doing this is via PolicyKit.  IMHO all
> > PolicyKit configuration should be "secure by default",
> 
> "secure" is a meaningless term without reference to a deployment
> model and threat model, but let's assume here for reference that what
> you mean is that the shipped RPMs should be configured to not grant
> any additional privileges over that afforded to the traditional Unix
> timesharing model, and then the desktop kickstart modifies them.

Yes, that was what I meant.

> I would agree with that, but it's not trivial.  Are we just scoping in
> PackageKit here, or also consolehelper @console actions?  Does it
> imply removing the setuid bit from /bin/ping?

In an ideal world, everything that could grant elevated privilege would
come without it, and the admin (or spin config files) could easily
configure it back.

That obviously fails for things like /bin/ping, since that uses file
permissions, and that's part of the RPM (and not configurable).
However, ping has traditionally been run-able as a non-root user, and it
is easily spotted with find.  The number of setuid programs is small
these days, but several of them are now "helpers" that allow a
wide-range of other programs access, again with minimal documentation
(what is pulse/proximity-helper? why is nspluginwrapper/plugin-config
setuid root?)

I think anything that uses PolicyKit should ship with no elevated
privileges by default, since it is configurable.

It would be nice to also get consolehelper, but that is more
complicated.  I thought that was on the way out (to be replaced by
PolicyKit), but I see there are still a number of things that use it
(looking at the F11 desktop I'm on right now).

NetworkManager is another thing that probably could use some admin
control in some places, especially as it is being pushed to replace the
old network scripts.  Does NM use PolicyKit or consolehelper, or does it
just do things itself?

> > Right now, I see files /usr/share/PolicyKit/policy; I guess that's where
> > this kind of thing comes from.  How do I override the settings in one of
> > these files?  None of them are marked "config", so I guess I don't edit
> > them.  Are there other places such policy can be set?
> 
> See "man PolicyKit.conf"

The bigger issue is that much of the policy is not well documented,
except in the XML files (which are pretty terse).
-- 
Chris Adams 
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.



Re: Local users get to play root?

2009-11-18 Thread Casey Dahlin
On 11/18/2009 01:19 PM, Konstantin Ryabitsev wrote:
> 
> I may be wrong, but I understand that this behaviour of PackageKit
> only applies to users with direct console access (i.e. not remote
> shells). So, only users that are logged in via GDM or TTY would be
> able to perform such tasks.
> 

That's a silly thing to imply we can control. Just because firefox is running 
on a local console doesn't mean that a vulnerability therein has not allowed it 
to be ultimately controlled from elsewhere.

--CJD



Re: Local users get to play root?

2009-11-18 Thread nodata

Am 2009-11-18 20:30, schrieb Konstantin Ryabitsev:
> 2009/11/18 nodata:
>> Am 2009-11-18 20:20, schrieb Richard Hughes:
>>> 2009/11/18 Casey Dahlin:
>>>> By the admin's first opportunity to change the settings the box could
>>>> already be rooted.
>>>
>>> I'm not sure how you can root a computer from installing signed
>>> content by a user that already has physical access to the machine.
>>
>> You install software with a known buffer overflow before it is fixed and
>> exploit it. More software = more chances to exploit. Bingo!
>
> If a user logged in from a physical local console wanted to exploit
> their machine, this would be the hard way to do it.

If the servers are in locked racks and you require a reboot to get
access to a grub prompt which is not password protected, then the outage
would trip the monitoring system.




Re: Local users get to play root?

2009-11-18 Thread Matthew Garrett
On Wed, Nov 18, 2009 at 07:42:51PM +0100, nodata wrote:

> Err no. An admin trusts software he has chosen to install from the repo. I  
> definitely don't want a user configuring an ftp server or running  
> anything with a cronjob on a server I look after.

Why do users have local access to your server? Remote access won't grant 
you the appropriate authentication for this.

-- 
Matthew Garrett | mj...@srcf.ucam.org



Re: Local users get to play root?

2009-11-18 Thread Casey Dahlin
On 11/18/2009 02:32 PM, Casey Dahlin wrote:
> On 11/18/2009 01:19 PM, Konstantin Ryabitsev wrote:
>>
>> I may be wrong, but I understand that this behaviour of PackageKit
>> only applies to users with direct console access (i.e. not remote
>> shells). So, only users that are logged in via GDM or TTY would be
>> able to perform such tasks.
>>
> 
> That's a silly thing to imply we can control. Just because firefox is running 
> on a local console doesn't mean that a vulnerability therein has not allowed 
> it to be ultimately controlled from elsewhere.
> 
> --CJD
> 

Addendum: Why do you think sudo would ask an already-logged-in user for his 
password?

--CJD



Re: Local users get to play root?

2009-11-18 Thread Casey Dahlin
On 11/18/2009 02:29 PM, Richard Hughes wrote:
> 2009/11/18 nodata :
>> You install software with a known buffer overflow before it is fixed and
>> exploit it. More software = more chances to exploit. Bingo!
> 
> Why would the additional package start extra services? I thought there
> were guidelines about that. Anyway, if the user has physical access to
> the machine, there are many quicker ways to root the box in question.
> (Like rebooting, and using grub to go to runlevel 1)
> 
> Richard.
> 

What if they don't? The mechanisms by which we are detecting and proving 
physical access are easily circumvented. If the buffer overflow allows 
arbitrary code execution, you need only an "open(/dev/console, ...)" to fool a 
lot of these mechanisms. Just because a program is interactive on a console 
does not mean that that's the /only/ place it's being controlled from.

--CJD



Re: Local users get to play root?

2009-11-18 Thread nodata

Am 2009-11-18 20:35, schrieb Matthew Garrett:
> On Wed, Nov 18, 2009 at 07:42:51PM +0100, nodata wrote:
>> Err no. An admin trusts software he has chosen to install from the repo. I
>> definitely don't want a user configuring an ftp server or running
>> anything with a cronjob on a server I look after.
>
> Why do users have local access to your server? Remote access won't grant
> you the appropriate authentication for this.

The real question, the point of all of this discussion, is a key piece
of knowledge about how Linux works (root decides system wide) is now
changed. The person who wants to make that change must justify it, not
the other way round.




Re: Local users get to play root?

2009-11-18 Thread Dan Williams
On Wed, 2009-11-18 at 13:31 -0600, Chris Adams wrote:
> Once upon a time, Colin Walters  said:
> > On Wed, Nov 18, 2009 at 1:48 PM, Chris Adams  wrote:
> > > It seems the latest way of doing this is via PolicyKit.  IMHO all
> > > PolicyKit configuration should be "secure by default",
> > 
> > "secure" is a meaningless term without reference to a deployment
> > model and threat model, but let's assume here for reference that what
> > you mean is that the shipped RPMs should be configured to not grant
> > any additional privileges over that afforded to the traditional Unix
> > timesharing model, and then the desktop kickstart modifies them.
> 
> Yes, that was what I meant.
> 
> > I would agree with that, but it's not trivial.  Are we just scoping in
> > PackageKit here, or also consolehelper @console actions?  Does it
> > imply removing the setuid bit from /bin/ping?
> 
> In an ideal world, everything that could grant elevated privilege would
> come without it, and the admin (or spin config files) could easily
> configure it back.
> 
> That obviously fails for things like /bin/ping, since that uses file
> permissions, and that's part of the RPM (and not configurable).
> However, ping has traditionally been run-able as a non-root user, and it
> is easily spotted with find.  The number of setuid programs is small
> these days, but several of them are now "helpers" that allow a
> wide-range of other programs access, again with minimal documentation
> (what is pulse/proximity-helper? why is nspluginwrapper/plugin-config
> setuid root?)
> 
> I think anything that uses PolicyKit should ship with no elevated
> privileges by default, since it is configurable.
> 
> It would be nice to also get consolehelper, but that is more
> complicated.  I thought that was on the way out (to be replaced by
> PolicyKit), but I see there are still a number of things that use it
> (looking at the F11 desktop I'm on right now).
> 
> NetworkManager is another thing that probably could use some admin
> control in some places, especially as it is being pushed to replace the
> old network scripts.  Does NM use PolicyKit or consolehelper, or does it
> just do things itself?

It uses PolicyKit.  We have a bit of work to do before we have
fine-grained lockdown, but it's not that far off.  F13 perhaps?  It's
basically a case of defining the permissions (there are already a few
for things like disallowing modification of system connections,
disabling the "create new network" functionality, etc) and then making
sure NM checks them, and *also* making sure the UI provides appropriate
feedback when something is not allowed at all, as opposed to "allowed if
you authenticate first".

Dan

> > > Right now, I see files /usr/share/PolicyKit/policy; I guess that's where
> > > this kind of thing comes from.  How do I override the settings in one of
> > > these files?  None of them are marked "config", so I guess I don't edit
> > > them.  Are there other places such policy can be set?
> > 
> > See "man PolicyKit.conf"
> 
> The bigger issue is that much of the policy is not well documented,
> except in the XML files (which are pretty terse).
> -- 
> Chris Adams 
> Systems and Network Administrator - HiWAAY Internet Services
> I don't speak for anybody but myself - that's enough trouble.
> 



Re: Local users get to play root?

2009-11-18 Thread Simo Sorce
On Wed, 2009-11-18 at 12:26 -0700, Bob Arendt wrote:
> 
> I haven't tried .. but does this this also include the capability for
> my grade-school child to *remove* software using their account?
> Like gcc?  glibc?  gdm?  All fun activities ...

No thank- at least remove seems not to be permitted by default.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: Local users get to play root?

2009-11-18 Thread Konstantin Ryabitsev
2009/11/18 Casey Dahlin :
>>> I may be wrong, but I understand that this behaviour of PackageKit
>>> only applies to users with direct console access (i.e. not remote
>>> shells). So, only users that are logged in via GDM or TTY would be
>>> able to perform such tasks.
>>>
>>
>> That's a silly thing to imply we can control. Just because firefox is 
>> running on a local console doesn't mean that a vulnerability therein has not 
>> allowed it to be ultimately controlled from elsewhere.

Okay, so someone managed to get local shell via firefox. How does
installing trusted packages further their nefarious purposes?

> Addendum: Why do you think sudo would ask an already-logged-in user for his 
> password?

Because sudo doesn't use policykit? Because sudo gives you full root
access -- not just ability to install trusted software from trusted
repositories? Moreover, even sudo doesn't ask me again if I invoke it
within 5 minutes of using it (or however long it is).

Regards,
-- 
McGill University IT Security
Konstantin Ryabitsev
Montréal, Québec



Re: Local users get to play root?

2009-11-18 Thread Dan Williams
On Wed, 2009-11-18 at 14:29 -0500, Seth Vidal wrote:
> 
> On Wed, 18 Nov 2009, Richard Hughes wrote:
> 
> > 2009/11/18 Andrew Haley :
> >> Is there some way to disable PackageKit but keep setroubleshoot?
> >
> > Just set all the policykit answers to "no". You'll find more than just
> > setroubleshoot breaks if you do this.
> 
> How do you do this? Set the policykit answers to no?

The atom-bomb approach is to change everything
in /usr/share/polkit-1/actions/ to no and
no.

But that's not right because those files aren't config files.  Instead,
you drop "local authority" files in /var/lib/polkit-1/localauthority/
that override those permissions on a site-by-site basis for your
specific use-case, irregardless of what the defaults are.

Dan


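As an added example (not from the thread or the polkit project), here is what one of the "local authority" override files Dan mentions looks like, dropped into the 50-local.d subdirectory of /var/lib/polkit-1/localauthority/ so it takes precedence over the vendor defaults shipped in /usr/share/polkit-1/actions/. The file name is an assumption; the action id is PackageKit's package-install action as I know it from its policy file, not something quoted in the thread.

```ini
# /var/lib/polkit-1/localauthority/50-local.d/10-packagekit-install.pkla
# (file name assumed; the directory is the documented site-local override
# location, read after 10-vendor.d, 20-org.d and 30-site.d, so it wins).
#
# Local Authority override: make PackageKit's package-install action ask for
# the administrator's password even for users sitting at the local console,
# instead of editing the vendor .policy file, which is not a config file and
# would be clobbered on the next package update.
#
# Result values are the same ones the .policy files use:
#   yes / no / auth_self / auth_admin / auth_self_keep / auth_admin_keep
# ResultAny      - any session (covers remote and non-console sessions)
# ResultInactive - a local session that is not the currently active one
# ResultActive   - the active local console session (the case the thread
#                  is about, where the default lets the user install
#                  signed packages without a password)

[Require admin authentication to install signed packages]
Identity=unix-user:*
Action=org.freedesktop.packagekit.package-install
ResultAny=auth_admin
ResultInactive=auth_admin
ResultActive=auth_admin
```

After saving the file, polkit picks it up without a restart; the quickest check is to run `pkcheck --action-id org.freedesktop.packagekit.package-install --process $$` as an ordinary console user and confirm it now reports that authentication is required.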


Re: Local users get to play root?

2009-11-18 Thread Bruno Wolff III
On Wed, Nov 18, 2009 at 19:20:42 +,
  Richard Hughes  wrote:
> 2009/11/18 Casey Dahlin :
> > By the admin's first opportunity to change the settings the box could 
> > already be rooted.
> 
> I'm not sure how you can root a computer from installing signed
> content by a user that already has physical access to the machine.

The person may not intentionally be attacking the machine, they may just
install something that is vulnerable without the approval of the administrator.



Re: Local users get to play root?

2009-11-18 Thread Jesse Keating
On Wed, 2009-11-18 at 20:34 +0100, nodata wrote:
> If the servers are in locked racks and you require a reboot to get 
> access to a grub prompt which is not password protected, then the outage 
> would trip the monitoring system.
> 

The server is in a locked rack, but the console access to the server
isn't?  How far down the strawman path are we?

-- 
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating



Re: Local users get to play root?

2009-11-18 Thread Casey Dahlin
On 11/18/2009 02:44 PM, Konstantin Ryabitsev wrote:
> 2009/11/18 Casey Dahlin :
>>>> I may be wrong, but I understand that this behaviour of PackageKit
>>>> only applies to users with direct console access (i.e. not remote
>>>> shells). So, only users that are logged in via GDM or TTY would be
>>>> able to perform such tasks.
>>>>
>>>
>>> That's a silly thing to imply we can control. Just because firefox is 
>>> running on a local console doesn't mean that a vulnerability therein has 
>>> not allowed it to be ultimately controlled from elsewhere.
> 
> Okay, so someone managed to get local shell via firefox. How does
> installing trusted packages further their nefarious purposes?
> 
>> Addendum: Why do you think sudo would ask an already-logged-in user for his 
>> password?
> 
> Because sudo doesn't use policykit? Because sudo gives you full root
> access -- not just ability to install trusted software from trusted
> repositories? Moreover, even sudo doesn't ask me again if I invoke it
> within 5 minutes of using it (or however long it is).
> 
> Regards,

But why is it necessary? That was more my point.

The answer is: because being associated with a login on the local console 
doesn't verify that it is a /user/ in control.

--CJD



Re: Local users get to play root?

2009-11-18 Thread Bruno Wolff III
On Wed, Nov 18, 2009 at 13:31:49 -0600,
  Chris Adams  wrote:
> (what is pulse/proximity-helper? why is nspluginwrapper/plugin-config
> setuid root?)

I already filed a bug (491543) about that. It does bad things, but the
maintainer doesn't seem to want to change it.

Firefox reenables disabled plugins. So you pretty much have to uninstall
any that you don't want it to use.



Re: Local users get to play root?

2009-11-18 Thread Jeff Spaleta
On Wed, Nov 18, 2009 at 10:45 AM, Dan Williams  wrote:
> But that's not right because those files aren't config files.  Instead,
> you drop "local authority" files in /var/lib/polkit-1/localauthority/
> that override those permissions on a site-by-site basis for your
> specific use-case, irregardless of what the defaults are.

Beyond the issue of what is and what is not the appropriate default at
install time..which is already a difficult issue to talk through.  I
think there is an education gap here about how to competently admin
PolicyKit based activities which adds frustration.

-jef"old dogs...new tricks"spaleta



Re: Local users get to play root?

2009-11-18 Thread David Zeuthen
On Thu, 2009-11-19 at 00:34 +0530, Rahul Sundaram wrote:
> On 11/19/2009 12:31 AM, nodata wrote:
> > 
> > Rahul, it seems to be that the person who made this change (fesco
> > approved?) is the one who should answer why the change is a good thing,
> > rather than "oh I changed it, now tell me why it's bad". Do you know who
> > it was?
> 
> I don't see why FESCo should be involved and I have no idea who made
> this decision. I would have preferred the change to be announced and
> documented in detail regardless of that. I assume David Zeuthen? (CC'ed)

Jeez, Rahul. This has nothing to do with polkit per se, only PackageKit
and how it decides to use polkit. I've commented that much in the bug.
And as noted in the bug I don't even agree there's a problem. But I
leave that to Richard and others to sort out.

Btw, please don't add me to the Cc again like this or reply to this -
I'm not interested in this bike-shed or what color it is. Thanks.

 David

