On Thu, Aug 25 2022 at 11:20:46 AM -0000, Sandipan Roy
<bytehackr@xxxxxxxxxxxxxxxxx> wrote:
> By this vulnerability any wheel user can install any packages without
> root access or sudo.

Hi, this is actually by design and not a vulnerability. The wheel user
is definitionally an administrator user, and can escalate from wheel to
root without abusing any vulnerability. It might be more intuitive if
you consider that wheel users have unrestricted access to sudo. So
yeah, you can use PackageKit to install sqliteODBC or Sympa and abuse
them to elevate privileges... or you could just run sudo and not
bother, right?

The JavaScript rule in question here actually has nothing to do with
authorization, only with *authentication*. It disables the password
prompt that forces the human sitting at the computer to authenticate.
This means a local attacker with physical access to the computer --
e.g. a secret agent from the FBI or KGB or Mossad -- can install
packages on your computer if you leave your desktop unlocked and walk
away, or if they attack you with a hammer. But this has no effect on
authorization. Notably, if the password prompt were required, it would
be asking you for the password *to your wheel account*. Fedora's root
account is locked by default anyway, with no root password and no way
to authenticate as root.

Since most Fedora users are not too worried about secret agents, the
extra password prompt is annoying rather than useful. It's totally
reasonable to skip authentication for users who *already* authenticated
when logging into the desktop, right? Users who don't have wheel still
have to authenticate as a user who does, or they won't be able to
install anything.

That said, there is a bug here, just not where you thought. Look at
this comment:

    <!-- SECURITY:
         - Normal users do not need authentication to install signed packages
           from signed repositories, as this cannot exploit a system.
         - Paranoid users (or parents!) can change this to 'auth_admin' or
           'auth_admin_keep'.
    -->

If that were true, then unprivileged users really could install
vulnerable packages like sqliteODBC or Sympa and thereby elevate
privileges. Fortunately, the comment is totally wrong as it doesn't
match the actual security policy. Looking at the history of this file,
it looks like this comment was correct when it was written on August
21, 2007, but the policy was changed to be more restrictive later the
same day. Here is a pull request to fix it:
https://github.com/PackageKit/PackageKit/pull/568

Michael
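
An added illustration, not part of the original message and not PackageKit's or Fedora's own code: a small JavaScript model of how a polkit rule of the kind discussed above interacts with an action's policy defaults. The engine stand-in, the rule body, the subject factory and the default values are assumptions constructed for the example.

```javascript
// Simplified stand-in for polkitd's decision flow (assumption, not polkit source):
// rules run first; if none returns a result, the action's .policy defaults apply.
const ACTION = "org.freedesktop.packagekit.package-install";
const Result = { YES: "yes", AUTH_ADMIN: "auth_admin", AUTH_ADMIN_KEEP: "auth_admin_keep" };

// Constructed defaults for the example; read the real ones from the .policy file.
const policyDefaults = {
  [ACTION]: { allow_any: "auth_admin", allow_inactive: "auth_admin", allow_active: "auth_admin_keep" },
};

function makeEngine(defaults) {
  const rules = [];
  const polkit = { Result, addRule: (fn) => rules.push(fn) };
  function decide(actionId, subject) {
    if (!(actionId in defaults)) throw new Error("unregistered action: " + actionId);
    for (const rule of rules) {
      const verdict = rule({ id: actionId }, subject);
      if (verdict) return verdict; // first rule that returns a result wins
    }
    const d = defaults[actionId];
    if (!subject.local) return d.allow_any;
    return subject.active ? d.allow_active : d.allow_inactive;
  }
  return { polkit, decide };
}

// Hypothetical subject factory mirroring the fields a rule can inspect.
function makeSubject(user, groups, { local, active }) {
  return { user, local, active, isInGroup: (g) => groups.includes(g) };
}

const { polkit, decide } = makeEngine(policyDefaults);

// Rule of the kind discussed: skip the password prompt for wheel users who are
// sitting at an active local session. It does not grant wheel anything new.
polkit.addRule(function (action, subject) {
  if (action.id === ACTION && subject.active && subject.local && subject.isInGroup("wheel")) {
    return polkit.Result.YES;
  }
});

function demo() {
  return {
    wheelAtDesktop: decide(ACTION, makeSubject("alice", ["wheel"], { local: true, active: true })),
    userAtDesktop: decide(ACTION, makeSubject("bob", ["users"], { local: true, active: true })),
    wheelRemote: decide(ACTION, makeSubject("alice", ["wheel"], { local: false, active: false })),
  };
}
console.log(demo());
```

Only the wheel user at the active local session gets an immediate "yes"; every other subject falls through to the policy default and must authenticate as an administrator.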