Threat Level: green Handler on Duty: Pasquale Stirparo

SANS ISC: InfoSec Handlers Diary Blog - Fedora to allow the installation of packages, without root privileges? InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Fedora to allow the installation of packages, without root privileges?

Published: 2009-11-19
Last Updated: 2009-11-20 13:43:09 UTC
by Joel Esler (Version: 2)
4 comment(s)

A "bug" created back in November against the latest Fedora release (12) indicates that, through the GUI, desktop users of the Fedora system are able to install signed packages without root privileges or root authentication.  Yes, you just read that correctly.  (I'll give you a second re-read that sentence so I don't have to retype it.)  Yes, "it's a feature, not a bug".

In all my travels I've only ran across one company, ever, that has Fedora rolled out as an enterprise operating system on every desktop.  But what kind of security implications does this have?  I obviously don't have to explain why this is (may be) a bad idea to the readers of the ISC, as we are all security minded people.  

Now, the restrictions.  This change does not affect yum on the command line.  This only affects installing things through the GUI.  (Not that helps any, as most users will be running the GUI anyway.)  You can also disable it.

create a file in:

/var/lib/polkit-1/localauthority/20-org.d  (you can name if file anything you want)

and include the following:

[NoUsersInstallAnythingWithoutPassword]
Identity=unix-user:someone;unix-user:someone_else
Action=org.freedesktop.packagekit.*
ResultAny=auth_admin
ResultInactive=auth_admin
ResultActive=auth_admin

 

(the above came from the release notes for Fedora 12, found here.  

Also, I found this as a solution:

pklalockdown --lockdown org.freedesktop.packagekit.package-install

Currently in the bug, there is some debate about if they should revert this feature.  So, this may be just temporary.  

 

UPDATE:  After I wrote about this yesterday, an email was sent out to the Fedora Developers List saying that, essentially, have reversed the decision and will now require the root password for the installation of packages.  Read the email here.  Thanks to the commenters on this post for the update.

-- Joel Esler | http://blog.joelesler.net | http://twitter.com/joelesler

Keywords:
4 comment(s)
Diary Archives