On Thu, 06 Nov 2008 12:04:45 -0500 Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Currently I am aware of at least 4 "PolicyKit" apps in Fedora 10 with
> a lot more on the way. I believe we are not treating these as the
> security vulnerability that they represent. Now I do NOT believe
> there is anything wrong with PolicyKit itself. The problem is in
> the apps that are using it.

I see 19 packages that drop files in the policykit dir...

argyllcms-0:1.0.3-1.fc10.x86_64
ConsoleKit-0:0.3.0-2.fc10.x86_64
control-center-1:2.24.0.1-9.fc10.x86_64
DeviceKit-disks-0:002-0.git20080720.fc10.x86_64
DeviceKit-power-0:001-2.fc10.x86_64
GConf2-0:2.24.0-1.fc10.x86_64
gnome-applets-1:2.24.1-1.fc10.x86_64
gnome-lirc-properties-0:0.3.1-1.fc10.noarch
gnome-panel-0:2.24.1-3.fc10.x86_64
gnome-system-monitor-0:2.24.1-1.fc10.x86_64
hal-0:0.5.12-12.20081027git.fc10.x86_64
libvirt-0:0.4.6-3.fc10.x86_64
NetworkManager-1:0.7.0-0.11.svn4229.fc10.x86_64
PackageKit-0:0.3.9-4.fc10.x86_64
pulseaudio-0:0.9.13-6.fc10.x86_64
system-config-samba-0:1.2.66-1.fc10.noarch
system-config-services-0:0.99.25-1.fc10.noarch
thinkfinger-0:0.3-8.fc9.x86_64

> Let's take a look at system-config-services. This service comes up and
> prompts me for the root password before I start and stop a service.
> That is good, works just like it did when system-config-services used
> consolehelper. Except for one problem, it defaults to a clicked
> "Remember authorization" meaning the next time I run
> system-config-services it will NOT prompt for the password. Now there
> is a check box for "This session only", but it is defaulted to off
> also.

Is that default in the app config? Or in PolicyKit itself? Ah, looks
like the app, so that's bad. :(

> So this means that I clicked "Start A service", entered the "Root
> Password" and took the default. Now any process on my desktop has the
> ability to start and stop any service on my machine without me even
> knowing about it???? There also might be a bug in
> system-config-services communications with dbus that would allow me to
> spawn a root shell.
>
> This is the equivalent or worse than a setuid app, and yet we do
> nothing to control the proliferation of these apps, while we shut
> down all apps that setuid!!!!
>
> All PolicyKit apps that require the Admin Password should default to
> "For this Session Only", and potentially for this action only.
> Consolekit only preserved the authentication for 5 minutes, by
> default, now we preserve it forever by default. The argument can
> be made that consolehelper used to be allowed to permanently save the
> user being allowed, but this involved an admin editing a file and
> probably a better understanding of what he is doing.

Perhaps a few minutes and something like when the screensaver starts
it automatically removes all current auths?

> SELinux can help a little to mitigate the risk but SELinux is not
> going to be running everywhere. And for something like
> system-config-services, SELinux can do almost nothing since the tool
> needs to start and stop all services which is a pretty high level of
> security.
>
> Fedora Security team should be looking at all packages that get
> PolicyKit integration to make sure they are secure, have the correct
> PolicyKit authorization, and a security check should be put on the
> service side of the app. I think we should write lint apps to look
> at PolicyKit specifications and look for vulnerable xml policy.
> Rpmlint and RPMDiff should run this to make sure apps are secure by
> default.

Yeah, I agree. I was going to suggest that this discussion should take
place on an upstream PolicyKit list, but I can't seem to find one
anywhere. ;(

kevin
--
Fedora-security-list mailing list
Fedora-security-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-security-list
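The lint that the thread asks for, sketched as an added example (it is not Fedora's rpmlint, not RPMDiff, and not code from either poster). It parses a .policy file in the PolicyKit 0.x XML format, flags any allow_any / allow_inactive / allow_active default of auth_admin_keep_always or auth_self_keep_always (the setting behind the pre-ticked "Remember authorization" dialog with "This session only" off), flags actions that ship no <defaults> block at all, and can rewrite the keep_always defaults to their keep_session form so the grant lasts for this session only. The sample policy file and its org.example action ids are constructed for the example and do not correspond to any Fedora package.

```python
import sys
import xml.etree.ElementTree as ET

# Defaults in the PolicyKit 0.x .policy format that keep a granted
# authorization permanently: the dialog shows "Remember authorization"
# pre-ticked with "This session only" unticked, as described in the thread.
KEEP_ALWAYS = {"auth_admin_keep_always", "auth_self_keep_always"}
# The three per-session-type defaults every <action> carries.
DEFAULT_TAGS = ("allow_any", "allow_inactive", "allow_active")

# Constructed sample .policy file (action ids are placeholders, not Fedora's).
SAMPLE_POLICY = """<?xml version="1.0"?>
<policyconfig>
  <action id="org.example.services.manage">
    <description>Start and stop system services</description>
    <message>Authentication is required to manage services</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep_always</allow_active>
    </defaults>
  </action>
  <action id="org.example.services.view">
    <description>List service status</description>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>yes</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.example.services.reload">
    <description>Reload a service (no defaults block at all)</description>
  </action>
</policyconfig>
"""


def lint_policy(xml_text):
    """Return findings as (action_id, tag, value, advice) tuples.

    Flags defaults that remember the authorization across sessions, and
    actions that ship no <defaults> block (the packager never stated intent).
    """
    findings = []
    root = ET.fromstring(xml_text)
    for action in root.iter("action"):
        action_id = action.get("id", "<missing id>")
        defaults = action.find("defaults")
        if defaults is None:
            findings.append((action_id, "defaults", None,
                             "no <defaults> block; state allow_* explicitly"))
            continue
        for tag in DEFAULT_TAGS:
            elem = defaults.find(tag)
            value = (elem.text or "").strip() if elem is not None else None
            if value in KEEP_ALWAYS:
                findings.append((action_id, tag, value,
                                 "authorization is remembered across sessions; "
                                 "use %s or plain auth_*"
                                 % value.replace("_always", "_session")))
    return findings


def harden(xml_text):
    """Rewrite *_keep_always defaults to *_keep_session and return the XML."""
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if elem.tag in DEFAULT_TAGS and (elem.text or "").strip() in KEEP_ALWAYS:
            elem.text = elem.text.strip().replace("_keep_always", "_keep_session")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # With no arguments, lint the constructed sample; otherwise lint each file
    # given on the command line (e.g. the .policy files a package installs).
    sources = [("<sample>", SAMPLE_POLICY)]
    if len(sys.argv) > 1:
        sources = [(path, open(path).read()) for path in sys.argv[1:]]
    for name, text in sources:
        for action_id, tag, value, advice in lint_policy(text):
            print("%s: %s <%s>=%s: %s" % (name, action_id, tag, value, advice))
```

Run with no arguments it reports the manage action's allow_active default and the reload action's missing <defaults>; the view action passes because "yes" and "no" never retain an authorization. A packaging check would run lint_policy over every file a package drops into the PolicyKit actions directory and fail the build on any finding, which is the "secure by default" gate the thread wants from rpmlint.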