Is This a Security Issue in F9?

hansi · #1 14th June 2008, 10:21 AM

After installation of Fedora 9 the Software Update tool is activated by default.
Now I am a little confused: When I was logged in as a user (not as root) to KDE, the tool asked me for the installation of updates. I agreed, and the download started, followed by completing the installation without asking me the root password. Is this a problem with security?
Also, when I tried to open an mp3, I was suggested to download a decoder. I did so, and it was installed without asking the root password.

Thanks in advance for comments to this.

savage · #2 14th June 2008, 04:34 PM

I don't use F9, so this is just guess work, but I would take a shot at the actual package manager is running as a service as root.

The packages it installs comes from repositories, which are trusted sources, and whatever app you clicked on to install the updates/decoder, will have interfaced with the service.

That is a 100% blind guess, but I can't see them releasing F9 and letting any user install anything they like.

SlowJet · #3 14th June 2008, 05:21 PM

F9 has a new Auth system.
Many first time uses have a remember auth (and it tells you in text what user it expects-root or useryou.)
Some of the programs are not auth until deeper in the pop-up screens.
Some can be set to just do it- like updates in the background.

So it depends on what you did the first time, or what buttons you selected.

SJ

hansi · #4 15th June 2008, 03:00 PM

Thanks for the infos. It is only, that I was a little confused. Sure the update service might run as root, but I thought, that as soon as I am asked for action as user, and I confirm to continue, then I am the owner of the process.

hansi · #5 30th July 2008, 07:44 AM

I found this in the Red Had online magazine (2008/07/29):

"PackageKit is implemented in a client-server fashion–all the package installations and removals are done in a privileged backend, while the user interface code runs unprivileged, and talks to the backend over d-bus. Fedora (and later Enterprise Linux) uses a yum backend for PackageKit; other backends (for Debian or Ubuntu packages, for example) also exist."

stefan1975 · #6 30th July 2008, 08:07 AM

i guess i will look into this on my system, i did not notice it so far but if this is true I for one would not particularly like this. I prefer updates to be installed by my and not other members of my family who have regular user accounts on our pc's, so if packagekit also pops up for them and allowing them to install the updates without review I probably want to disable the update service.

stefan

w5set · #7 30th July 2008, 04:54 PM

Security issue? UMMMMMMMM YES!!!

(I wish we had a "tongue in cheek" emoticon)

Have a good Internet connection....create a mirror of the repos...hack the code of the app of your choice add it to your mirror.....advertise the repo online or just fool the mirrors temporarily to add you in the mix (umm maybe) ....cross your fingers you get a few referrals to download some "updates"....double cross your fingers you don't get someone named "Bruiser" knocking on your front door to "see" you...

With half a million users ++...someone WILL live close enuff to you to come by and pay a physical visit.

Or just sit back and enjoy the "update" ride...automatically...sometimes it does create a "problem" or two with the new updates foobaring this or that...but SO FAR...the Fedora users have been blessed with not many security issues with using the repo system.
As to family users doing unwanted updates....slap some hands or turn the PackageKit "thing" OFF.
As for myself...I turn the silly thing off and do manual updates..

hansi · #8 31st July 2008, 09:46 AM

I can't help having heard a little bit of irony in w5set's post ;-)
But seriously: I only was wondering, why I am able to update software as a "common" user. I added my post with the reference to the online magazine because this explains the background of the update mechanism.
So: no harm meant!

oneofmany · #9 31st July 2008, 09:59 AM

perhaps fc9 is different but in fc8 i seem to recall that once i gave authorisation to an application to run privileged instructions, i got an indicator in the system tray in gnome showing it was running in a "su" manner and all the time that application was running, it remained in that elevated state so it could do what it wanted.

hansi · #10 31st July 2008, 10:10 AM

It is still like that with Gnome in F9. When you, e.g., want open the services window, you have to log on as root. Having done so, a yellow shield shows up in the panel, indicating that you are logged on as privileged user. Clicking this icon you can again log out as root.
But this is not the case with the update function.

stefan1975 · #11 31st July 2008, 10:54 AM

Quote:

Originally Posted by hansi

I can't help having heard a little bit of irony in w5set's post ;-)
But seriously: I only was wondering, why I am able to update software as a "common" user. I added my post with the reference to the online magazine because this explains the background of the update mechanism.
So: no harm meant!

I for one still believe that updates imho should be reserved for the root user and not common users.

on a side note:

Quote:

perhaps fc9 is different but in fc8

since F7 there has been the elimination of the distinction between Fedora Core and Fedora Extras entirely; there is only Fedora. The name of the release is Fedora 7/8/9, unlike previous ones which featured 'Core' in their names (e.g. Fedora Core 6).

stefan

oneofmany · #12 31st July 2008, 10:56 AM

Quote:

Originally Posted by stefan1975

The name of the release is Fedora 7/8/9, unlike previous ones which featured 'Core' in their names (e.g. Fedora Core 6).
stefan

i know, i know. its just habit! :P

A.Serbinski · #13 31st July 2008, 03:44 PM

This is actually something I STRONGLY dislike about F9... the *first* time you run packagekit gui to install or update, it asks you for the root password before installing. This part is fine, except for the checkboxes it presents.... The authentication dialog presents two checkboxes; "remember authentication" (default checked), and "for this session only" (default unchecked).... what this means is that without paying specific attention and just plugging in the root password, this user will most likely continue to have the privilege of installing/uninstalling software and updating the system without ever being asked for the root password again. VERY SERIOUS SECURITY ERROR!

Whenever you run packagekit, you need to make absolutely sure that you either check BOTH or do NOT check the "remember" box. If you leave it default, it will add root's password to your gnome keyring! This is SERIOUS! It means that the root password is in danger. You all know how typical users pick their passwords -- badly (something easy to remember, like the brand name on their monitor or keyboard), which means that their is virtually NOTHING protecting the root password from someone who has a) remote access to the system and that the user with root's password is bad with maintaining directory and file security, b) physical access to the system.

stefan1975 · #14 31st July 2008, 04:04 PM

Maybe we should file a bug against this so it can be solved since we all know "the devs do not monitor this forum".

Anyway I cannot find a root password in my gnome keyring myself so I do not know if the issue is *that* bad, but on the other hand I can indeed start add/remove software as a regular user without password so it goes beyond "mere" updates and thus disabling the updater as suggested is not nearly enough to work-around this problem, nor can I find how to turn this setting off.

stefan

**Finalzone** · #15 31st July 2008, 06:26 PM

Quote:

Originally Posted by A.Serbinski

This is actually something I STRONGLY dislike about F9... the *first* time you run packagekit gui to install or update, it asks you for the root password before installing. This part is fine, except for the checkboxes it presents.... The authentication dialog presents two checkboxes; "remember authentication" (default checked), and "for this session only" (default unchecked).... what this means is that without paying specific attention and just plugging in the root password, this user will most likely continue to have the privilege of installing/uninstalling software and updating the system without ever being asked for the root password again. VERY SERIOUS SECURITY ERROR!

That is where PolicyKit comes handy. In Gnome menu, System-->Preferences-->Systems-->Authorization, there are set of policy that allow to restrict the function of users (for example, install only desktop stuff but not critical part like kernel). Look into PackageKit to see the list of policy containing a set of authorizations. Play with them.