On Thu, 19 Nov 2009, Owen Taylor wrote:

> Among the decisions Richard made was allowing all users to install
> signed packages from the Fedora repositories. This was clearly the right
> behavior for the common case of a single-user system, where the only
> user is also the administrator.

I don't think this is clearly the right behavior at all.

Many users limit their use of the root account to essential system
maintenance, and run general purpose applications as a regular
unprivileged user. This greatly limits the attack surface, i.e. the
number of different ways in which a system might be compromised. System
tools are also often more carefully designed, less complex, better
tested, and better reviewed.

I would usually not, for example, run a web browser as root, because it
exposes a fairly complicated application to the global network. A bug in
the browser's HTML parser might allow a remote attacker to take control
of my shell session with an appropriately crafted page. I think it's
fair to say that having this happen as root would generally be worse
than it happening as an unprivileged user. For the latter, the attacker
would need to also then succeed with a local privilege escalation attack
to the same effect.

With the new behavior, the attack surface is increased in several ways:

- The local session has a new means to execute in a high privilege
  context, i.e. that which is required to install the system itself.
  This is a problem alone -- everything which runs in this context is
  now a prime attack target.

- The local session can now install any signed packages from the Fedora
  repos:

  - I think this includes old versions of packages (correct?) with known
    and undisclosed vulnerabilities (old packages are particularly
    problematic because they're unmaintained)

  - It certainly includes all previously uninstalled current packages

  - Packages are installed globally, so the attack surface extends to
    other users who may end up using them (like root, or httpd), and not
    just the local user at the time

- MAC policy can be updated without administrative privilege, breaking
  our MAC model in a fundamental way.

There are also several DoS scenarios.

> And it seemed pretty safe: Fedora isn't supposed to have packages in it
> that are dangerous to install.

Software always has bugs, and some of those bugs will inevitably be
security-relevant. Ideally, no packages will be dangerous to install,
but we know that some will be. It is best practice to only install the
packages which need to be installed, for this reason.

> (For example, by policy, all network services must be off by default and
> not enabled by simply installing a package.)

Good.

> Executive summary
> =================
>
> We'll make an update to the F12 PackageKit, so that the root password is
> required to install packages.

Also good :-)

Thanks for getting this resolved so quickly.

- James

--
James Morris
<jmorris@xxxxxxxxx>

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
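The behaviour argued over in this thread is decided by a single PolicyKit default: whether an active local session may invoke PackageKit's install action without authenticating. The fragment below is an added illustration, not the thread's text nor the PackageKit project's own policy file; the action id `org.freedesktop.packagekit.package.install`, the message strings and the surrounding file layout are assumptions about the PolicyKit `.policy` format of that era. It shows the weak default the thread objects to beside the setting that makes the admin password required, which is the fix Owen's executive summary describes.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
<policyconfig>
  <!-- Added illustration only: this is not the project's shipped file.
       The action id and message text below are assumptions. -->
  <vendor>PackageKit</vendor>

  <action id="org.freedesktop.packagekit.package.install">
    <description>Install signed package</description>
    <message>Authentication is required to install a package</message>
    <defaults>
      <!-- Remote/non-local callers and inactive sessions: never allowed. -->
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <!-- Weak default discussed in the thread: any active local session
           installs packages with no authentication at all, so a compromised
           user session gains a root-equivalent path:
             <allow_active>yes</allow_active>
           Corrected: require the administrator's password. auth_admin_keep
           caches the authorization briefly so a batch install prompts once;
           plain auth_admin would prompt for every call. -->
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
</policyconfig>
```

To confirm which default is actually in effect on a box, rather than trusting the file you think is installed, query the authority: `pkaction --verbose --action-id org.freedesktop.packagekit.package.install` prints the implicit authorizations for any, inactive and active sessions. Note that local-authority overrides (the `.pkla` files under `/var/lib/polkit-1/localauthority/` on polkit-1 of that era) are applied on top of the vendor defaults, so check those too before concluding the policy is tight.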