Is This a Security Issue in F9?
hansi
14th June 2008, 10:21 AM
After installation of Fedora 9 the Software Update tool is activated by default.
Now I am a little confused: When I was logged in as a user (not as root) to KDE, the tool asked me for the installation of updates. I agreed, and the download started, followed by completing the installation without asking me for the root password. Is this a problem with security?
Also, when I tried to open an mp3, it was suggested that I download a decoder. I did so, and it was installed without asking for the root password.
Thanks in advance for comments on this.
savage
14th June 2008, 04:34 PM
I don't use F9, so this is just guesswork, but I would take a shot that the actual package manager is running as a service as root.
The packages it installs come from repositories, which are trusted sources, and whatever app you clicked on to install the updates/decoder will have interfaced with the service.
That is a 100% blind guess, but I can't see them releasing F9 and letting any user install anything they like.
SlowJet
14th June 2008, 05:21 PM
F9 has a new Auth system.
Many first-time uses have a "remember auth" (and it tells you in text what user it expects: root or your user.)
Some of the programs do not auth until deeper in the pop-up screens.
Some can be set to just do it- like updates in the background.
So it depends on what you did the first time, or what buttons you selected.
SJ
hansi
15th June 2008, 03:00 PM
Thanks for the info. It is only that I was a little confused. Sure, the update service might run as root, but I thought that as soon as I am asked for action as a user, and I confirm to continue, then I am the owner of the process.
hansi
30th July 2008, 07:44 AM
I found this in the Red Hat online magazine (2008/07/29):
"PackageKit is implemented in a client-server fashion–all the package installations and removals are done in a privileged backend, while the user interface code runs unprivileged, and talks to the backend over d-bus. Fedora (and later Enterprise Linux) uses a yum backend for PackageKit; other backends (for Debian or Ubuntu packages, for example) also exist."
stefan1975
30th July 2008, 08:07 AM
I guess I will look into this on my system. I did not notice it so far, but if this is true I for one would not particularly like this. I prefer updates to be installed by me and not other members of my family who have regular user accounts on our PCs, so if PackageKit also pops up for them and allows them to install the updates without review, I probably want to disable the update service.
stefan
w5set
30th July 2008, 04:54 PM
Security issue? UMMMMMMMM YES!!! :rolleyes: (I wish we had a "tongue in cheek" emoticon)
Have a good Internet connection....create a mirror of the repos...hack the code of the app of your choice add it to your mirror.....advertise the repo online or just fool the mirrors temporarily to add you in the mix (umm maybe) ....cross your fingers you get a few referrals to download some "updates"....double cross your fingers you don't get someone named "Bruiser" knocking on your front door to "see" you... ;)
With half a million users ++...someone WILL live close enough to you to come by and pay a physical visit. :)
Or just sit back and enjoy the "update" ride...automatically...sometimes it does create a "problem" or two with the new updates foobaring this or that...but SO FAR...the Fedora users have been blessed with not many security issues with using the repo system.
As to family users doing unwanted updates....slap some hands or turn the PackageKit "thing" OFF.
As for myself...I turn the silly thing off and do manual updates.. :)
hansi
31st July 2008, 09:46 AM
I can't help having heard a little bit of irony in w5set's post ;-)
But seriously: I only was wondering, why I am able to update software as a "common" user. I added my post with the reference to the online magazine because this explains the background of the update mechanism.
So: no harm meant!
oneofmany
31st July 2008, 09:59 AM
Perhaps fc9 is different, but in fc8 I seem to recall that once I gave authorisation to an application to run privileged instructions, I got an indicator in the system tray in GNOME showing it was running in a "su" manner, and all the time that application was running it remained in that elevated state so it could do what it wanted.
hansi
31st July 2008, 10:10 AM
It is still like that with GNOME in F9. When you, e.g., want to open the services window, you have to log on as root. Having done so, a yellow shield shows up in the panel, indicating that you are logged on as a privileged user. Clicking this icon you can again log out as root.
But this is not the case with the update function.
stefan1975
31st July 2008, 10:54 AM
I can't help having heard a little bit of irony in w5set's post ;-)
But seriously: I only was wondering, why I am able to update software as a "common" user. I added my post with the reference to the online magazine because this explains the background of the update mechanism.
So: no harm meant!
I for one still believe that updates imho should be reserved for the root user and not common users.
on a side note: :)
perhaps fc9 is different but in fc8
Since F7 there has been the elimination of the distinction between Fedora Core and Fedora Extras entirely; there is only Fedora. The name of the release is Fedora 7/8/9, unlike previous ones which featured 'Core' in their names (e.g. Fedora Core 6).
stefan
oneofmany
31st July 2008, 10:56 AM
The name of the release is Fedora 7/8/9, unlike previous ones which featured 'Core' in their names (e.g. Fedora Core 6).
stefan
I know, I know. It's just habit! :P :)
A.Serbinski
31st July 2008, 03:44 PM
This is actually something I STRONGLY dislike about F9... the *first* time you run packagekit gui to install or update, it asks you for the root password before installing. This part is fine, except for the checkboxes it presents.... The authentication dialog presents two checkboxes; "remember authentication" (default checked), and "for this session only" (default unchecked).... what this means is that without paying specific attention and just plugging in the root password, this user will most likely continue to have the privilege of installing/uninstalling software and updating the system without ever being asked for the root password again. VERY SERIOUS SECURITY ERROR!
Whenever you run PackageKit, you need to make absolutely sure that you either check BOTH or do NOT check the "remember" box. If you leave it default, it will add root's password to your GNOME keyring! This is SERIOUS! It means that the root password is in danger. You all know how typical users pick their passwords -- badly (something easy to remember, like the brand name on their monitor or keyboard), which means that there is virtually NOTHING protecting the root password from someone who has a) remote access to the system and that the user with root's password is bad with maintaining directory and file security, b) physical access to the system.
stefan1975
31st July 2008, 04:04 PM
Maybe we should file a bug against this so it can be solved since we all know "the devs do not monitor this forum".
Anyway, I cannot find a root password in my GNOME keyring myself, so I do not know if the issue is *that* bad, but on the other hand I can indeed start add/remove software as a regular user without a password, so it goes beyond "mere" updates and thus disabling the updater as suggested is not nearly enough to work around this problem, nor can I find how to turn this setting off.
stefan
Finalzone
31st July 2008, 06:26 PM
This is actually something I STRONGLY dislike about F9... the *first* time you run packagekit gui to install or update, it asks you for the root password before installing. This part is fine, except for the checkboxes it presents.... The authentication dialog presents two checkboxes; "remember authentication" (default checked), and "for this session only" (default unchecked).... what this means is that without paying specific attention and just plugging in the root password, this user will most likely continue to have the privilege of installing/uninstalling software and updating the system without ever being asked for the root password again. VERY SERIOUS SECURITY ERROR!
That is where PolicyKit comes in handy. In the GNOME menu, System-->Preferences-->Systems-->Authorization, there is a set of policies that allow you to restrict the functions of users (for example, install only desktop stuff but not critical parts like the kernel). Look into PackageKit to see the list of policies containing a set of authorizations. Play with them.
A.Serbinski
1st August 2008, 12:51 AM
In other words, it's adding another layer of nonsense that can be broken through, thus totally eliminating the security advantage that Linux has over competing OSes.
JN4OldSchool
1st August 2008, 01:02 AM
Yeah, I must agree that I dislike this trend. Maybe packagespit doesn't compromise a system as it uses the safe repos, and maybe Fedora is set up for one person, or one family desktop use, but this is a stupid policy. They are dumbing down my OS because Windows rejects are too lazy to type their root password more than once a month. Pretty soon Fedora will have the faux administrator system Vista does. "You need administrator privileges to do this! Just check this box for those permissions." What a farce!
First thing I will do from now on is uninstall packagespit. I just want that junk off my computer.
Evil_Bert
1st August 2008, 01:19 AM
I'm glad I'm still on F8 ....
When I eventually upgrade/install F9+ I think I'll just add PackageKit to the list of items to remove ..... fspot, tomboy, mono-core, totem, packagekit .... and then:
yum install yumex
Finalzone
1st August 2008, 02:04 AM
Pretty soon fedora will have the faux administrator system Vista does. "You need administrator privileges to do this! Just check this box for those permissions." What a farce!
Assumption can be very bad without reading what those applications do. Here:
PolicyKit (http://hal.freedesktop.org/docs/PolicyKit/)
ConsoleKit (http://www.freedesktop.org/wiki/Software/ConsoleKit)
PackageKit (http://packagekit.org/)
Bear in mind they are part of the freedesktop.org project.
JN4OldSchool
1st August 2008, 02:33 AM
Assumption can be very bad without reading what those applications do. Here:
PolicyKit (http://hal.freedesktop.org/docs/PolicyKit/)
ConsoleKit (http://www.freedesktop.org/wiki/Software/ConsoleKit)
PackageKit (http://packagekit.org/)
Be in mind they are part of freedesktop.org project.
I didn't make any assumptions, I just removed packagespit when I installed F9. :) But from the reading that I have done both in this thread and from the links you provide, it seems to me that the unwary user just checks a box upon first invoking packagespit that then will allow updates and installation without having to type in the root password. After all, that user had the password to begin with. Kind of like how Vista does things. So, if someone else had physical control of my user account they could then perform these operations.
Not a very good idea in my book, but if you think it is more power to ya.
A.Serbinski
1st August 2008, 03:03 AM
PackageKit isn't the problem. The problem is PolicyKit - that's what's responsible for the authorization dialogs.
brebs
1st August 2008, 03:19 AM
if someone else had physical control of my user account
... You'd already be 0wned ;)
They could do lots of bad stuff, like run a keylogger (I assume it would not need root permissions) to capture when you next type in root's password, and email it to naughty@hacker.com
Edit: There's no defense against a hardware keylogger (http://www.keyghost.com/kgpro.htm) :eek:
JN4OldSchool
1st August 2008, 03:25 AM
... You'd already be 0wned ;)
They could do lots of bad stuff, like run a keylogger (I assume it would not need root permissions) to capture when you next type in root's password, and email it to naughty@hacker.com
Edit: There's no defense against a hardware keylogger (http://www.keyghost.com/kgpro.htm) :eek:
Yeah, true enough I guess.
Evil_Bert
1st August 2008, 03:44 AM
Edit: There's no defense against a hardware keylogger (http://www.keyghost.com/kgpro.htm) :eek:
At a past workplace of mine, computers were placed on desks facing outwards so all connections were visible - precisely because of devices like that. Needless to say, cases were locked with anti-tamper switches installed ...
A.Serbinski
1st August 2008, 03:50 AM
Here's a scenario to consider:
You admin a network with several users and have to install a package on one user's system. Rather than logging out of that user's account (you see where I'm going with this...), you plug in your root password and forget about the checkboxes. Now by accident, you've just given that user what (s)he needs to install any packages (s)he wants, including all the games, which are a total waste of time and lead to reduced productivity. Ultimately you lose your job because this user is now goofing off playing games instead of doing their work.
*IF NOTHING ELSE*, the defaults should enforce security. I.e., you should have to go out of your way to screw up the security rather than just experience a careless omission (which happens to everybody from time to time). I've just been going over policykit and it seems to me that the defaults should be "Admin Authentication (one shot)" all the way down. The defaults come out as "Admin Authentication (keep indefinitely)". Quite frankly, this option shouldn't even exist.
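As an added example, not from the thread nor from the PackageKit or PolicyKit projects: an /etc/PolicyKit/PolicyKit.conf override for the PolicyKit 0.x generation shipped with Fedora 9 that does what A.Serbinski asks for above, answering every listed action with one-shot admin authentication (auth_admin) so that a "remember authentication" grant is never retained. The PackageKit action identifiers are assumed for illustration; take the real ones from the PackageKit .policy file under /usr/share/PolicyKit/policy/ on your system before using this.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example for Fedora 9's PolicyKit 0.x (/etc/PolicyKit/PolicyKit.conf).
     Action IDs are ASSUMED for illustration; replace them with the ones listed
     in PackageKit's .policy file under /usr/share/PolicyKit/policy/.
     result="auth_admin" asks for the admin password for this request only; the
     *_keep_session and *_keep_always variants are what the "remember
     authentication" checkbox hands out, so they are deliberately not used. -->
<config version="0.1">
  <!-- Installing and removing packages: fresh admin authentication every time -->
  <match action="org.freedesktop.packagekit.install">
    <return result="auth_admin"/>
  </match>
  <match action="org.freedesktop.packagekit.remove">
    <return result="auth_admin"/>
  </match>
  <!-- Applying updates: same rule, nothing retained between runs -->
  <match action="org.freedesktop.packagekit.update-system">
    <return result="auth_admin"/>
  </match>
  <!-- Whose password satisfies auth_admin (F9 asks for root, as the thread notes) -->
  <define_admin_auth user="root"/>
</config>
```

Grants a user already holds under the old default are not undone by this file; on the same PolicyKit release they can be listed with polkit-auth --explicit --user <name> and withdrawn with polkit-auth --revoke <action-id> --user <name>, or changed per action in the Authorization tool Finalzone mentions.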
w5set
1st August 2008, 09:14 AM
Are we all so sure that packagekit can install new software with the basic "update behind the back" auth?
Having the root pass in a keyring doesn't necessarily mean it's posted in living colored text on each desktop either or even that that "key" will automagically work when you try to install a rpm you brought from home to work on a shiny CD/DVD. Or will it? :)
bee
1st August 2008, 09:33 AM
Edit: There's no defense against a hardware keylogger (http://www.keyghost.com/kgpro.htm) :eek:
Except for keyboards on monitor (http://www.microsoft.com/library/media/1033/windowsxp/images/using/setup/tips/67448-on-screen-keyboard.gif) :p
Evil_Bert
1st August 2008, 09:59 AM
Except for keyboards on monitor (http://www.microsoft.com/library/media/1033/windowsxp/images/using/setup/tips/67448-on-screen-keyboard.gif) :p
Well I suppose for hardware keyloggers, that's true. But that doesn't mean that on-screen keyboards are a panacea .....
It is sometimes said that a third-party (or first party) on-screen keyboard program is a good way to combat keyloggers, as it only requires clicks of the mouse. However, this is not true, because for most on screen keyboards (such as the onscreen keyboard that comes with Microsoft Windows XP), a keyboard event message must be sent to the external target program to type text. Every software keylogger can log the text sent as typed characters from one program to another with an on-screen keyboard, and additionally, some programs also record or take snapshots of what is displayed on the screen. (Screenshot recorders are a concern whenever entire passwords are displayed; fast recorders are generally required to capture a sequence of virtual key presses.)
bee
1st August 2008, 10:09 AM
Well I suppose for hardware keyloggers, that's true. But that doesn't mean that on-screen keyboards are a panacea .....
If you have a hardware and a software keylogger, and you didn't notice that...you'd better stop using computers :p
Btw, if an on-screen keyboard is embedded in a security software, there is no need to call any SendMessage/PostMessage API with the letter...as the virtual keyboard can directly talk with the software :cool:
Though a good solution is a text-scrambler... you see on your screen a table, like a=h, 4=2, k=j, and the table changes every time you type a new char. So if you enter k and then the table switches to "4=f" and you enter 4, your password is "jf"... pretty difficult to intercept a password in this way, and a fast method if you can look at the screen while you are typing...(close to real-time typing speed :D )
:)
Evil_Bert
1st August 2008, 10:19 AM
... but, eventually, if the target application can read the characters, so can malware, particularly kernel-level rootkit-like malware. And there's screenshot malware as well.
There has to be a level of trust at some point, though. :)
"Trusted systems" (albeit not my speciality, so take this as a personal opinion only) are built up a level at a time starting with the physical environment and access control .... then hardware, OS, network, application software, etc. (this should all be described in the security model for the system) and which should permit a certain maximum level of trust. One should only use a system for a purpose that falls within that maximum level of trust.
bee
1st August 2008, 10:37 AM
Yes.
Luckily not all malware takes a screenshot each time you press a key :D
Malware for the masses is usually simple worm/backdoor/keylogger software, with simple user-level (Ring3 API hook-based) rootkit technologies... and it's for Windows (lol).
There is some more advanced software at ring0... but if you find something installed at kernel level...well, this means that somebody took control of your computer long before...! There were a lot of mistakes made by you before that.
Oh, yes, in the end, there is always a point when you have to drop your security and trust something in your environment...
hughsient
9th September 2008, 03:32 PM
Security issue? UMMMMMMMM YES!!!...Have a good Internet connection....create a mirror of the repos...hack the code of the app of your choice add it to your mirror.....advertise the repo online or just fool the mirrors temporarily to add you in the mix (umm maybe) ....cross your fingers you get a few referrals to download some "updates".......
As to family users doing unwanted updates....slap some hands or turn the PackageKit "thing" OFF.
As for myself...I turn the silly thing off and do manual updates.. :)
Have you heard of GPG key signing? Why do you think you would be able to verify the authenticity of the entire compose and mirror dist compared to a GPG signed file?
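The GPG signing hughsient points to only protects a user whose repositories actually enforce it, so here is an added example (not from the thread or from Fedora) of the check a defender would run: a POSIX shell audit of yum .repo files, the backend PackageKit uses on Fedora, that flags every enabled repository without gpgcheck=1. The repo file it reads is constructed for the demonstration; the .invalid hostnames are placeholders, not real mirrors.

```shell
#!/bin/sh
# Added example, not from the thread: audit yum .repo files for repositories
# that are enabled but do not verify package signatures (gpgcheck=1). Without
# gpgcheck a tampered mirror could feed the yum backend altered rpms; with it,
# yum rejects anything not signed by the configured GPG key.
# Real use: audit_repos /etc/yum.repos.d/*.repo

# One "repoid:status" line per [section]: ok (enabled, gpgcheck=1),
# UNSIGNED (enabled, gpgcheck absent or not 1; absent is flagged on purpose
# rather than trusting yum.conf's [main] default), disabled (enabled=0).
audit_repos() {
    awk '
    function flush() {
        if (name == "") return
        if (enabled == "0")  st = "disabled"
        else if (gpg == "1") st = "ok"
        else                 st = "UNSIGNED"
        printf "%s:%s\n", name, st
    }
    /^\[.*\]$/ { flush(); name = substr($0, 2, length($0) - 2); enabled = "1"; gpg = ""; next }
    /^[ \t]*enabled[ \t]*=/  { sub(/.*=[ \t]*/, ""); sub(/[ \t]+$/, ""); enabled = $0 }
    /^[ \t]*gpgcheck[ \t]*=/ { sub(/.*=[ \t]*/, ""); sub(/[ \t]+$/, ""); gpg = $0 }
    END { flush() }
    ' "$@"
}

# Number of enabled repos lacking signature checks; non-zero means fix them.
count_unsigned() {
    audit_repos "$@" | awk '/:UNSIGNED$/ { n++ } END { print n + 0 }'
}

# Constructed sample (.invalid hosts are placeholders, not real mirrors).
REPO_SAMPLE=$(mktemp)
cat > "$REPO_SAMPLE" <<'EOF'
[fedora]
name=Fedora 9 - i386
baseurl=http://mirror.example.invalid/fedora/9/i386/os
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora

[third-party-mirror]
name=Unverified mirror advertised online
baseurl=http://repo.example.invalid/stuff
enabled = 1
gpgcheck = 0

[old-testing]
name=Disabled testing repo
baseurl=http://repo.example.invalid/testing
enabled=0
EOF

audit_repos "$REPO_SAMPLE"
```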