Linux Archive

Linux Archive (http://www.linux-archive.org/)
-   Fedora Development (http://www.linux-archive.org/fedora-development/)
-   -   Draft privilege escalation policy for comments (http://www.linux-archive.org/fedora-development/317221-draft-privilege-escalation-policy-comments.html)

Adam Williamson 01-29-2010 09:27 PM

Draft privilege escalation policy for comments
 
Hi, everyone. Since the big PackageKit brouhaha surrounding Fedora 12,
there's been a discussion surrounding the need for a policy about
privilege escalation in Fedora. Representing the QA group, we would like
for there to be such a policy in order to allow a meaningful review of
privilege escalation issues as part of QA's testing of Fedora releases.

I took this concern to FESco, who basically said they would be willing
to consider any policy that's brought to them, but won't initiate the
creation of one. I have asked the security list (which seems mostly
dormant), some security folks individually, and it's been discussed on
this list, but none of those seem to have been interested in actually
creating a policy. So in the end, QA decided we would propose a draft.
We realize this is entirely out of our area of expertise, but there
appeared to be no alternative. So, here's a draft policy for review.
This has been through three rounds of drafts within the QA group, and
includes content based on very useful feedback from members of Red Hat's
security team, particularly Miloslav Trmac. Thanks to him and to all
others who contributed to the QA group discussion.

Please do provide any and all feedback on the proposed policy. if we can
get it into a shape which most people on the list would find acceptable,
my next step will be to take it back to FESco for them to review.
Thanks.

You can find the draft policy at
https://fedoraproject.org/wiki/User:Adamwill/Draft_Fedora_privilege_escalation_policy
--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net

--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

Colin Walters 01-29-2010 10:40 PM

Draft privilege escalation policy for comments
 
Hi Adam,

On Fri, Jan 29, 2010 at 5:27 PM, Adam Williamson <awilliam@redhat.com> wrote:
> Hi, everyone. Since the big PackageKit brouhaha surrounding Fedora 12,
> there's been a discussion surrounding the need for a policy about
> privilege escalation in Fedora. Representing the QA group, we would like
> for there to be such a policy in order to allow a meaningful review of
> privilege escalation issues as part of QA's testing of Fedora releases.

Agree it makes sense for there to be a policy, thanks for looking at this!

> Please do provide any and all feedback on the proposed policy. if we can
> get it into a shape which most people on the list would find acceptable,
> my next step will be to take it back to FESco for them to review.
> Thanks.

So a general theme that seems to run through the policy of "don't
affect other users", and some things have exceptions (shutdown and
reboot), but others don't (change the system time, adding new
software). Is there a rationale for that?
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

Adam Williamson 01-30-2010 05:20 AM

Draft privilege escalation policy for comments
 
On Fri, 2010-01-29 at 18:40 -0500, Colin Walters wrote:

> > Please do provide any and all feedback on the proposed policy. if we can
> > get it into a shape which most people on the list would find acceptable,
> > my next step will be to take it back to FESco for them to review.
> > Thanks.
>
> So a general theme that seems to run through the policy of "don't
> affect other users", and some things have exceptions (shutdown and
> reboot), but others don't (change the system time, adding new
> software). Is there a rationale for that?

Well, reboot is a one-time operation; if there's only one user logged
in, they can only affect themselves by rebooting. Adjusting the clock or
installing new software isn't the same.
--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net

--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

Kevin Kofler 01-30-2010 06:33 AM

Draft privilege escalation policy for comments
 
Adam Williamson wrote:
> Please do provide any and all feedback on the proposed policy. if we can
> get it into a shape which most people on the list would find acceptable,
> my next step will be to take it back to FESco for them to review.
> Thanks.

>From the proposal:

> Add, remove, upgrade or downgrade any system-wide application or shared
> resource (packaged or otherwise)

The current PackageKit policy in F12 updates still allows upgrading (as
opposed to installing or removing, not sure about downgrading, does
PackageKit even support that?) packages without root authentication. Is this
intended to be changed as part of the proposal or should the proposal be
fixed instead (just remove "upgrade" from the sentence)?

> New and changed privilege escalation mechanisms

Is the bureaucracy in this section really necessary? AFAICT what was missing
when the F12 PackageKit change was made was the informative part of the
proposal, the maintainer just didn't know what he should be allowing and
what not. I don't think the enforcement part is really needed, maintainers
should be able to get it right on their own given the detailed list of evil
things to avoid which the proposal provides and I haven't seen any evidence
as to the contrary (again, the PackageKit example is not applicable because
the PackageKit maintainer did NOT have such a list to go by when he made his
change; there's no reason to believe he'd have made that change in spite of
it).

Kevin Kofler

--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

Till Maas 01-30-2010 08:52 AM

Draft privilege escalation policy for comments
 
On Fri, Jan 29, 2010 at 02:27:13PM -0800, Adam Williamson wrote:

> Please do provide any and all feedback on the proposed policy. if we can
> get it into a shape which most people on the list would find acceptable,
> my next step will be to take it back to FESco for them to review.
> Thanks.

I don't understand this sentence:
"with the exceptions that the 'cause to be performed' provision is waived
in this case"
maybe it already covers it, but there are more directories a user can
write to then just ~, /tmp, /var/tmp or /usr/tmp, e.g. /dev/shm and with
certain restrictions /var/spool/{cron,mail,cups,at}.

Regards
Till
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

Adam Williamson 01-30-2010 10:13 AM

Draft privilege escalation policy for comments
 
On Sat, 2010-01-30 at 10:52 +0100, Till Maas wrote:
> On Fri, Jan 29, 2010 at 02:27:13PM -0800, Adam Williamson wrote:
>
> > Please do provide any and all feedback on the proposed policy. if we can
> > get it into a shape which most people on the list would find acceptable,
> > my next step will be to take it back to FESco for them to review.
> > Thanks.
>
> I don't understand this sentence:
> "with the exceptions that the 'cause to be performed' provision is waived
> in this case"

It means that it's okay for the user to indirectly cause changes to
happen, because that happens all the time. This particular clause
applies only to direct user actions.

> maybe it already covers it, but there are more directories a user can
> write to then just ~, /tmp, /var/tmp or /usr/tmp, e.g. /dev/shm and with
> certain restrictions /var/spool/{cron,mail,cups,at}.

full list of directories it's okay for an unprivileged user to write to
directly would be good...
--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net

--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

Colin Walters 01-30-2010 02:31 PM

Draft privilege escalation policy for comments
 
On Sat, Jan 30, 2010 at 1:20 AM, Adam Williamson <awilliam@redhat.com> wrote:
>
> Well, reboot is a one-time operation; if there's only one user logged
> in, they can only affect themselves by rebooting. Adjusting the clock or
> installing new software isn't the same.

Ok, actually "one time" feels like there's a more general principle at
work here, which is the degree to which the operation could
potentially affect other users.

For example, there's a pretty wide gulf between "install new desktop
app" (other users see a new menu entry) and "start or stop system
daemons" (can easily break printing, networking, or just crash the.
Changing the system time is in between there.

The reason I mention this specifically I'd like in the future to widen
this set a little bit for the "self managed" desktop target (i.e.
livecd download), specifically include at least "install new desktop
application from " and "initiate system update" in that set of default
privileges.

Maybe the way to think of system update is that the system comes by
default configured to update, and the privilege is actually to
optionally delay the update.

I think it's very important that we make typing in the root password
dialog a meaningful event, something that means "you are doing
something really unusual, are you sure?", like turning off SELinux.
If we require it for simply installing Firefox security updates it
greatly dilutes the warning/danger value of it.

So as long as we don't view this current list as written on stone
tablets but a flexible system (more in the sense of
guidelines/examples), subject to revision, I'm fine with it.
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

Adam Williamson 01-30-2010 06:20 PM

Draft privilege escalation policy for comments
 
On Sat, 2010-01-30 at 08:33 +0100, Kevin Kofler wrote:
> Adam Williamson wrote:
> > Please do provide any and all feedback on the proposed policy. if we can
> > get it into a shape which most people on the list would find acceptable,
> > my next step will be to take it back to FESco for them to review.
> > Thanks.
>
> >From the proposal:
>
> > Add, remove, upgrade or downgrade any system-wide application or shared
> > resource (packaged or otherwise)
>
> The current PackageKit policy in F12 updates still allows upgrading (as
> opposed to installing or removing, not sure about downgrading, does
> PackageKit even support that?) packages without root authentication. Is this
> intended to be changed as part of the proposal or should the proposal be
> fixed instead (just remove "upgrade" from the sentence)?

That's odd. I made exactly that change in the second draft but it
somehow switched back in the third. I'd better review all second draft
changes tomorrow and make sure they're in the current draft as intended.

> > New and changed privilege escalation mechanisms
>
> Is the bureaucracy in this section really necessary? AFAICT what was missing
> when the F12 PackageKit change was made was the informative part of the
> proposal, the maintainer just didn't know what he should be allowing and
> what not. I don't think the enforcement part is really needed, maintainers
> should be able to get it right on their own given the detailed list of evil
> things to avoid which the proposal provides and I haven't seen any evidence
> as to the contrary (again, the PackageKit example is not applicable because
> the PackageKit maintainer did NOT have such a list to go by when he made his
> change; there's no reason to believe he'd have made that change in spite of
> it).

I think it's sensible, yeah. It's not really much bureaucracy; I don't
think it would ever be a good idea to introduce a new privilege
escalation mechanism without FESco knowing about it...
--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net


--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

Kevin Kofler 01-31-2010 06:55 AM

Draft privilege escalation policy for comments
 
Adam Williamson wrote:
> I think it's sensible, yeah. It's not really much bureaucracy; I don't
> think it would ever be a good idea to introduce a new privilege
> escalation mechanism without FESco knowing about it...

Right now we're in a phase where a lot of stuff (system-config-*, several
parts of KDE and some other stuff) is getting ported from running the whole
app under consolehelper or kdesu to PolicyKit mechanisms. This is generally
seen as a *good* thing. It'd be really annoying to have to go through a
FESCo vote for every single one of those.

At the very least, I'd suggest adding the following clause to that
paragraph:
"Any mechanism which requires administrative authentication to perform the
privileged action (e.g. auth_admin policy in PolicyKit, kdesu etc.) is NOT a
privilege escalation mechanism for the purposes of this paragraph."

Rationale: Such a policy does not impact the system's security as you have
to enter the root password before doing anything dangerous, so none of the
invariants under "Requirements" can be violated. And additionally, you can
always as a user run the whole app under e.g. kdesu and thus "escalate your
privileges" using the root password, so it doesn't make sense to police apps
providing such a mechanism. What really matters for security is what you can
do WITHOUT the root password. This is not really clear from the policy as
written now, adding the suggested sentence would clarify it.

(That said, I don't see even the clarified policy as being necessary. We
have a set of guidelines, maintainers should follow them, why do we have to
police them? As I explained before, there is no evidence that this is
necessary or useful. The PackageKit issue was caused by lack of a policy,
not lack of enforcement.)

Kevin Kofler

--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

Miloslav Trmač 01-31-2010 01:48 PM

Draft privilege escalation policy for comments
 
Kevin Kofler p*še v Ne 31. 01. 2010 v 08:55 +0100:
> Adam Williamson wrote:
> > I think it's sensible, yeah. It's not really much bureaucracy; I don't
> > think it would ever be a good idea to introduce a new privilege
> > escalation mechanism without FESco knowing about it...
>
> Right now we're in a phase where a lot of stuff (system-config-*, several
> parts of KDE and some other stuff) is getting ported from running the whole
> app under consolehelper or kdesu to PolicyKit mechanisms. This is generally
> seen as a *good* thing. It'd be really annoying to have to go through a
> FESCo vote for every single one of those.
That's not the intent: "mechanism" is "the code that causes running
something as root", in this case DBus activation, not "the code running
as root" (a DBus server).

You are not required to announce / ask for approval of every new DBus
server - but if you want to introduce another program that allows
running something as root (new DBus, new sudo, ...), _that_ requires
approval / announcement of changes.

The purpose of these announcements is to allow the QA team and people
working on Fedora security to maintain a list of such mechanisms. If
the QA team or someone working on security knows there is userhelper or
DBus, they can search for packages that use it, and check the
configuration of the packages, do code reviews etc. If they don't know
about the mechanism, they can't check the users of the mechanism are
secure.
Mirek

--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel


All times are GMT. The time now is 05:09 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.