Currently I am aware of at least 4 "PolicyKit" apps in Fedora 10, with a lot more on the way. I believe we are not treating these as the security vulnerability that they represent. Now, I do NOT believe there is anything wrong with PolicyKit itself. The problem is in the apps that are using it.

Let's take a look at system-config-services. This service comes up and prompts me for the root password before I start and stop a service. That is good; it works just like it did when system-config-services used consolehelper. Except for one problem: it defaults to a checked "Remember authorization", meaning the next time I run system-config-services it will NOT prompt for the password. Now, there is a check box for "This session only", but it is defaulted to off also. So this means that I clicked "Start a service", entered the root password and took the default. Now any process on my desktop has the ability to start and stop any service on my machine without me even knowing about it???? There also might be a bug in system-config-services' communication with dbus that would allow me to spawn a root shell.

This is the equivalent of, or worse than, a setuid app, and yet we do nothing to control the proliferation of these apps, while we shut down all apps that setuid!!!!

All PolicyKit apps that require the admin password should default to "For this session only", and potentially for this action only. Consolekit only preserved the authentication for 5 minutes by default; now we preserve it forever by default. The argument can be made that consolehelper used to be allowed to permanently save the user being allowed, but this involved an admin editing a file and probably a better understanding of what he is doing.

SELinux can help a little to mitigate the risk, but SELinux is not going to be running everywhere.
And for something like system-config-services, SELinux can do almost nothing, since the tool needs to start and stop all services, which is a pretty high level of security.

The Fedora Security team should be looking at all packages that get PolicyKit integration to make sure they are secure, have the correct PolicyKit authorization, and that a security check is put on the service side of the app. I think we should write lint apps to look at PolicyKit specifications and look for vulnerable XML policy. rpmlint and RPMDiff should run this to make sure apps are secure by default.

--
Fedora-security-list mailing list
Fedora-security-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-security-list
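One form the suggested lint could take, as an added example that is not from the post or from rpmlint/RPMDiff: a Python check that parses a PolicyKit .policy XML file and flags every action whose default authorization is remembered beyond the current session, which is the "Remember authorization" behaviour the post describes. The action ids and policy text below are constructed for the example; the keep_always/keep_session values are PolicyKit 0.9's names and auth_admin_keep is the later polkit equivalent.

```python
import xml.etree.ElementTree as ET

# Authorization results that are remembered beyond the current session
# (PolicyKit 0.9 "*_keep_always") or beyond a single action (polkit "auth_*_keep").
PERSISTENT = {"auth_admin_keep_always", "auth_self_keep_always",
              "auth_admin_keep", "auth_self_keep"}
# Remembered only for the current session: the default the post asks for,
# still reported so a reviewer can decide whether it is appropriate.
SESSION = {"auth_admin_keep_session", "auth_self_keep_session"}


def lint_policy(xml_text):
    """Return (action_id, element, value, severity) for every questionable default."""
    findings = []
    for action in ET.fromstring(xml_text).iter("action"):
        action_id = action.get("id", "<missing id>")
        defaults = action.find("defaults")
        if defaults is None:
            # No <defaults> at all: the package relies on whatever the daemon assumes.
            findings.append((action_id, "defaults", None, "error"))
            continue
        for tag in ("allow_any", "allow_inactive", "allow_active"):
            elem = defaults.find(tag)
            value = (elem.text or "").strip() if elem is not None else None
            if value in PERSISTENT:
                findings.append((action_id, tag, value, "error"))
            elif value in SESSION:
                findings.append((action_id, tag, value, "warning"))
    return findings


# Constructed sample policy file: the action ids and messages are hypothetical.
SAMPLE_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<policyconfig>
  <action id="org.example.services.manage">
    <description>Start and stop system services</description>
    <message>Authentication is required to manage services</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep_always</allow_active>
    </defaults>
  </action>
  <action id="org.example.services.view">
    <description>List system services</description>
    <message>Authentication is required to list services</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin_keep_session</allow_active>
    </defaults>
  </action>
</policyconfig>
"""

if __name__ == "__main__":
    for action_id, tag, value, severity in lint_policy(SAMPLE_POLICY):
        print(f"{severity}: {action_id} <{tag}> = {value}")
```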