Old 11-18-2009, 10:12 PM
Richard Hughes
 
Default Local users get to play root?

2009/11/18 Eric Christensen <eric@christensenplace.us>:
> Has anyone drafted a notice to go out on the Announce List explaining
> this vulnerability? If admins don't know to fix/remove PK then they are
> putting their systems at risk.

I'm really bored of this conversation. The bikeshed is blue. There are
much bigger problems in UNIX security than installing signed packages.
We don't set a grub password by default.

Richard.

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
 
Old 11-18-2009, 10:19 PM
Jeff Garzik
 
Default Local users get to play root?

On 11/18/2009 06:12 PM, Richard Hughes wrote:
> 2009/11/18 Eric Christensen <eric@christensenplace.us>:
>> Has anyone drafted a notice to go out on the Announce List explaining
>> this vulnerability? If admins don't know to fix/remove PK then they are
>> putting their systems at risk.
>
> I'm really bored of this conversation. The bikeshed is blue. There are
> much bigger problems in UNIX security than installing signed packages.
> We don't set a grub password by default.

Signed does not mean bug-free.

Further, observe the broken logic:

"Because local users might be able to break into the system with effort,
it is pointless to have any safeguards at all."


[firefox|pidgin] exploit + PackageKit == trivial remote exploit.

Jeff



 
Old 11-18-2009, 10:20 PM
Seth Vidal
 
Default Local users get to play root?

On Wed, 18 Nov 2009, Richard Hughes wrote:
> 2009/11/18 Eric Christensen <eric@christensenplace.us>:
>> Has anyone drafted a notice to go out on the Announce List explaining
>> this vulnerability? If admins don't know to fix/remove PK then they are
>> putting their systems at risk.
>
> I'm really bored of this conversation. The bikeshed is blue. There are
> much bigger problems in UNIX security than installing signed packages.
> We don't set a grub password by default.


I think this is less subjective than bikeshed colors.

I think FESCo is going to need to talk about this on Friday.

-sv
 
Old 11-18-2009, 10:55 PM
Simo Sorce
 
Default Local users get to play root?

On Wed, 2009-11-18 at 22:38 +0000, Richard Hughes wrote:
> 2009/11/18 Jeff Garzik <jgarzik@pobox.com>:
> > And this enormous security hole of a policy change was done with next to
> > /zero/ communication, making it likely that many admins will not even know
> > they are vulnerable until their kids install a bunch of unwanted packages.
>
> F11 had retained authorisations, which arguably were more of a
> security weakness. If rawhide had been signed during the F12 cycle
> everybody would have seen this change much earlier.
>
> If you're deploying F12, then I really think you should know the
> basics about PolicyKit.

Richard,
let's reverse it then.

If it is so simple and if all our users should know about PolicyKit,
then it should be no problem delivering a more secure policy by default,
and let people change the policy to less secure if they want.

Deal ?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

 
Old 11-18-2009, 11:23 PM
Bill Nottingham
 
Default Local users get to play root?

Jeff Garzik (jgarzik@pobox.com) said:
> Sorry, but this default (desktop users can install pkgs without
> root) is just stupid. It is antithetical to all standard security
> models that have come before in Fedora and other Linux
> distributions.

Out of the box, a desktop user has the ability to shut down the machine.
This gives them the ability, out of the box, to:
- DoS everyone on it
- get a root shell
-- install whatever they want
-- put viruses on
- hell, slap in a livecd or USB key and reinstall the box

It's a behavior change, for sure. For people who want to lock down their
systems, it's a default they will need to be able to change, and they
should have been able to discover it through the normal mechanisms for
that. (i.e., the release notes.). It likely should have been discussed
when it was introduced - it's obviously not something that's applicable
to all usage cases for the OS.

But really, given that users out of the box can do *far far worse*, I'm
not seeing the 'shameful', 'antithetical', OMG THE SKY IS FALLING AND
YOU ALL SHOULD BE DRAWN AND QUARTERED sort of angst. Maybe people are
tired of bagging tea and want new things to be outraged about.

Bill

 
Old 11-18-2009, 11:28 PM
Jeff Spaleta
 
Default Local users get to play root?

On Wed, Nov 18, 2009 at 3:23 PM, Bill Nottingham <notting@redhat.com> wrote:
> But really, given that users out of the box can do *far far worse*, I'm
> not seeing the 'shameful', 'antithetical', OMG THE SKY IS FALLING AND
> YOU ALL SHOULD BE DRAWN AND QUARTERED sort of angst. Maybe people are
> tired of bagging tea and want new things to be outraged about.

I know I'm tired of bagging tea. Luckily for me there's a new bubble
tea shop in town with free wifi. I can enjoy bagless tea all day long
and still get work done.

-jef"needs a bubble tea protest t-shirt"spaleta

 
Old 11-18-2009, 11:34 PM
Jeff Garzik
 
Default Local users get to play root?

On 11/18/2009 07:23 PM, Bill Nottingham wrote:
> Jeff Garzik (jgarzik@pobox.com) said:
>> Sorry, but this default (desktop users can install pkgs without
>> root) is just stupid. It is antithetical to all standard security
>> models that have come before in Fedora and other Linux
>> distributions.
>
> Out of the box, a desktop user has the ability to shut down the machine.
> This gives them the ability, out of the box, to:
> - DoS everyone on it
> - get a root shell
> -- install whatever they want
> -- put viruses on
> - hell, slap in a livecd or USB key and reinstall the box


How is any of that justification for lowering the security bar to zero?

All of those you list are more technically complex than the current F12
behavior -- letting the kids or guests click a button.


IFF this feature was listed as a question in firstboot, and
IFF this feature was explained in detail in release notes, then there
would have been no problem at all...


You also omitted the case where admins of servers upgrade into a less
secure policy. PackageKit presence does not imply desktop user.


Jeff


 
Old 11-18-2009, 11:35 PM
Eric Christensen
 
Default Local users get to play root?

On Wed, 2009-11-18 at 19:23 -0500, Bill Nottingham wrote:
> Jeff Garzik (jgarzik@pobox.com) said:
> > Sorry, but this default (desktop users can install pkgs without
> > root) is just stupid. It is antithetical to all standard security
> > models that have come before in Fedora and other Linux
> > distributions.
>
> Out of the box, a desktop user has the ability to shut down the machine.
> This gives them the ability, out of the box, to:
> - DoS everyone on it
> - get a root shell
> -- install whatever they want
> -- put viruses on
> - hell, slap in a livecd or USB key and reinstall the box
>
> It's a behavior change, for sure. For people who want to lock down their
> systems, it's a default they will need to be able to change, and they
> should have been able to discover it through the normal mechanisms for
> that. (i.e., the release notes.). It likely should have been discussed
> when it was introduced - it's obviously not something that's applicable
> to all usage cases for the OS.
>
> But really, given that users out of the box can do *far far worse*, I'm
> not seeing the 'shameful', 'antithetical', OMG THE SKY IS FALLING AND
> YOU ALL SHOULD BE DRAWN AND QUARTERED sort of angst. Maybe people are
> tired of bagging tea and want new things to be outraged about.
>
> Bill
>

Bill,
You are assuming that the users have physical access to the box and also
know how to get a root shell and that the box hasn't been hardened
(before the PK vulnerability was known).

PackageKit is something right there on the desktop that, to its credit,
needs little knowledge to use whereas many of your attack vectors noted
above are generally fixed in my shop by use of a kickstart and securing
the box from physical access and require a higher skill to perform.

I'm not saying this new "functionality" in PK is necessarily bad but it
should have been easily ENABLED (not by default) by an admin with root
privileges.

Of course, in my thought process, now, PK should probably not be
installed on systems where users shouldn't have unrestricted access to
the repo.

--Eric
 
Old 11-18-2009, 11:36 PM
Jeff Garzik
 
Default Local users get to play root?

On 11/18/2009 07:34 PM, Jeff Garzik wrote:
> On 11/18/2009 07:23 PM, Bill Nottingham wrote:
>> Jeff Garzik (jgarzik@pobox.com) said:
>>> Sorry, but this default (desktop users can install pkgs without
>>> root) is just stupid. It is antithetical to all standard security
>>> models that have come before in Fedora and other Linux
>>> distributions.
>>
>> Out of the box, a desktop user has the ability to shut down the machine.
>> This gives them the ability, out of the box, to:
>> - DoS everyone on it
>> - get a root shell
>> -- install whatever they want
>> -- put viruses on
>> - hell, slap in a livecd or USB key and reinstall the box
>
> How is any of that justification for lowering the security bar to zero?
>
> All of those you list are more technically complex than the current F12
> behavior -- letting the kids or guests click a button.


And it ignores that remote exploits are now much easier, because remote
non-root exploit + package install == remote root exploit.


Jeff



 
Old 11-18-2009, 11:37 PM
Colin Walters
 
Default Local users get to play root?

On Wed, Nov 18, 2009 at 7:36 PM, Jeff Garzik <jgarzik@pobox.com> wrote:

> And it ignores that remote exploits are now much easier, because remote
> non-root exploit + package install == remote root exploit.

No, the uid needs to have logged in through a physical console.

 

All times are GMT.