Comments on: Fedora 12 default package install policy

By: Jeffrey Stedfast

Jeffrey Stedfast — Fri, 20 Nov 2009 12:42:45 +0000

Julian: Well, if you install the Desktop Spin on multiuser systems, there’s a lot of other things you’d also have to lock down. Again, the packagekit thing would be the least of your worries.

By: Julian Aloofi

Julian Aloofi — Fri, 20 Nov 2009 12:30:03 +0000

Jeffrey: Well, I’d install the desktop spin on a multiuser system with a GUI, because there is no Workstation Spin
I have not checked the behaviour when installed from the install DVD, but I guess it’s just the same.

By: Jeffrey Stedfast

Jeffrey Stedfast — Thu, 19 Nov 2009 22:19:04 +0000

Julian: you totally misunderstand the situation. This change was ONLY made for the Desktop Spin which is not meant for multi-user systems or systems where there would be a SysAdmin (if there is a SysAdmin, then you should be using the Workstation Spin, not the Desktop Spin).

By: Jeffrey Stedfast

Jeffrey Stedfast — Thu, 19 Nov 2009 22:16:37 +0000

Ante: If some hacker roots the RH servers and users install the compromised packages, then the package install policy is irrelevant.

Secondly, as far as bugs in software, yes, they do happen all of the time – but how often can these bugs cause privilege escalation? That can only happen if the software is setuid or setguid and there are very few of those (most of which are probably already installed as part of the base system anyway).

Thirdly, this policy change was ONLY done for the Desktop spin (not the workstation spin, not the server spin, etc) and ONLY for local users (i.e. they have physical access to the machine). Remotely logged-in users are not allowed to install software w/o a password.

Once a user has physical access to the machine, this policy is a minimal threat compared to the user’s ability to boot off a floppy/cd (which would give him easy root privs) or a whole slew of other attack vectors that are far easier to take advantage of.

To reiterate, the Desktop Spin is not meant for use on public access machines (such as you might find at the office or at the library or a computer lab, etc), it is meant for home PCs. Home PC users do not lock down their systems from local access because it is pointless.

By: Julian Aloofi

Julian Aloofi — Thu, 19 Nov 2009 22:12:50 +0000

Modern system or not, this is absolutely not acceptable to be enabled by default.
It’s not that I don’t trust Fedora as a package source. I absolutely do. And this problem is not at all about package sources. Imagine you have a multi-user system.
Everyone can install software? Not a good idea!
Imagine you set up a system as administrator. Any user can install software? Not a good idea!
It’s not about Malware. Software can have bugs, software can change the way your system works, and not all people have unlimited disk space (although that is not a problem these days).
This just changes the way a Linux system worked ever since (don’t know about UNIX in general).
I see, users have to be logged in at a local console. But you never want users to install software, unless you explicitely gave them permission to do so. Even Windows got this now.
And if it really is intended to help new users, why do you still have to enter your password in the packagekit GUI app? How likely is it that new users will use the terminal application? The arguments given by the PolicyKit maintainer don’t make sense.

By: Ante

Ante — Thu, 19 Nov 2009 21:40:58 +0000

You missed the part ‘bug in thousands of signed packages’. You don’t need compromised signing key (and compromised keys already happened to RedHat, and Debian/Ubuntu had repetitive ssh keys). You need one bug. Bugs happen all the time.

By: sharms

sharms — Thu, 19 Nov 2009 21:19:58 +0000

If the master package key is compromised, then your whole system needs to be rechecked, this is totally mutually exclusive and does not make the problem worse or better.

By: Ante

Ante — Thu, 19 Nov 2009 20:59:52 +0000

Er… It’s not that you don’t trust, but bad things do happen. For example, not so long ago, RH servers were hacked and ssh packages were compromized. Now imagine someone does that with packageXY – and then gets users to install that package. Lots of bots, right?

Another thing to watch out for. Bugs do happen. Image packageAB has a bug that enables privilege escalation. As sysadmin, you can opt to deinstall or not install that package at all. But you can’t do anything if user installs that package. He can then use that bug and get her self root access to machine.

If it’s such a good idea, why do they add big red warning in release notes? http://docs.fedoraproject.org/release-notes/f12/en-US/html/sect-Release_Notes-Security.html

By: nxvl

nxvl — Thu, 19 Nov 2009 17:16:15 +0000

Well, actually is not a thing of trust to the archive or not the problem is this: https://bugzilla.redhat.com/show_bug.cgi?id=534047#c65
and that malware will be able to basically “install everything” which will take over your hard drive without you knowing about it