
Fedora 12 Lets Users Install Signed Packages, Sans Root Privileges

timothy posted more than 4 years ago | from the try-it-you-might-like-it dept.

Red Hat Software 502

eqisow writes "The new default policy for Fedora 12 allows local, unprivileged users to install signed packages without root access. This change apparently went mostly unnoticed until after the Fedora 12 GA release, at which point it sparked a mailing list thread that is, as of this writing, over 100 posts long."


what could possibly go wrong (-1, Redundant)

Anonymous Coward | more than 4 years ago | (#30148966)

no really

Umm... (0, Redundant)

SaidinUnleashed (797936) | more than 4 years ago | (#30148974)

Oopsie?

Wow (5, Funny)

MyLongNickName (822545) | more than 4 years ago | (#30148992)

Sounds like I need to upgrade to Windows 7 for some real security...

You laugh, but.... (5, Funny)

WindBourne (631190) | more than 4 years ago | (#30149460)

MS is hit hard because they have had similar bad ideas, combined with having hired bad developers (and getting worse). But MS is now focused on Security, and is slowly making progress. I fear that if and when they surpass *nix (Linux, BSD, OSX, and some of the smaller ones like Solaris :) ) in security, that *nix will suddenly be slammed with virus and worms. And it will appear to happen overnight, even though it will be possible openings like this that slowly turn the heads of the writers.

It's obvious (0, Troll)

Hognoxious (631665) | more than 4 years ago | (#30149000)

They're just trying to make it more like Windows.

Re:It's obvious (2, Informative)

junglee_iitk (651040) | more than 4 years ago | (#30149030)

Or you could install RHEL

That is what they want, apparently:
https://www.redhat.com/archives/fedora-devel-list/2009-November/msg00945.html [redhat.com]

"Should the defaults be targeted towards home users or corporate desktop
considering the short lifecycle of Fedora and the target audience? I am
not sure there are corporate deployments but wouldn't they be heavily
customized their desktop deployments and kickstarting it anyway?"

Re:It's obvious (3, Insightful)

BountyX (1227176) | more than 4 years ago | (#30149130)

Read the response [redhat.com] . It's actually a Red Hat employee making the complaint, calling it a security vulnerability. I wouldn't call a Red Hat employee complaining about this policy to a Fedora mailing list an attempt to coax RHEL usage.

Re:It's obvious (1)

mweather (1089505) | more than 4 years ago | (#30149232)

I think you mean CentOS.

Re:It's obvious (-1, Troll)

Anonymous Coward | more than 4 years ago | (#30149038)

I agree.. reading the thread, one of the people who implemented this said (paraphrasing) "I don't care about the way *nix has "always worked" - users want it this way."

That sounds pretty much like the Windows approach to me. "Screw security, this will be easier!"

Re:It's obvious (0)

Anonymous Coward | more than 4 years ago | (#30149182)

If we could only find a way to stop this 'change'... I know let's carve the rules down in stone and all shall abide by them.

Re:It's obvious (0)

Anonymous Coward | more than 4 years ago | (#30149198)

Change is all well and good.. as long as it's a change for the better, which this does not appear to be.

Some things were always done in a particular way for a reason.

Re:It's obvious (5, Insightful)

644bd346996 (1012333) | more than 4 years ago | (#30149210)

This isn't necessarily insecure. Sure, it's not something you'd want enabled on your servers, but for a desktop the only big problems I see are with disk space. (If, on the other hand, this allows the user to install and start a network-accessible service without root privileges, then it's a problem.) For home users, this feature is a definite convenience, and nothing to worry about. For corporate desktops, it's more of a wash: employees can install productivity apps without pestering IT, but now IT has to disable repos that contain counter-productivity apps.

The reason unix has always required root access in order to install software isn't because that's the way things should be, it's because there hasn't been another way to make it secure. Now, if you trust the distro's repos, you can safely let users install those signed packages. This is similar to (but more secure than) Mac OS X's policy of letting users install and uninstall but not modify app bundles.

Re:It's obvious (1)

eqisow (877574) | more than 4 years ago | (#30149368)

Well... last I checked, installed network services were started automatically, which may be bad practice in itself.

Re:It's obvious (5, Insightful)

bmo (77928) | more than 4 years ago | (#30149342)

The best rant against the Windows way of doing things from Tom Christiansen:

http://slashdot.org/comments.pl?sid=3291&cid=1395315 [slashdot.org]

No, I don't care that a customer asked for it. Customers are idiots, just like any other user. So what if they pay you? They're still idiots, and it's your professional responsibility to act responsibly, to refuse to go along with their madnesses. The customer is not always right. In fact, they're very often wrong. A physician or a lawyer doesn't do whatever the customer requests, and neither do you. They, meaning the customers or users, simply don't have the background and training;

Truer words were never spoken.

--
BMO

Re:It's obvious (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#30149090)

On Windows, only admins can install. Otherwise, nice try, moron.

Glad to see... (5, Funny)

maccodemonkey (1438585) | more than 4 years ago | (#30149012)

...all those laid off Microsoft employees already found work.

Re:Glad to see... (1, Insightful)

Anonymous Coward | more than 4 years ago | (#30149422)

Now we just wait to see how long it takes someone to digitally sign a rootkit!

whatcouldpossiblygowrong? (1)

rrohbeck (944847) | more than 4 years ago | (#30149032)

Just hope that your appliance manufacturer has disabled this.

Re:whatcouldpossiblygowrong? (1)

jim_v2000 (818799) | more than 4 years ago | (#30149400)

Why would an appliance be running Fedora?

This makes sense (3, Insightful)

Anonymous Coward | more than 4 years ago | (#30149066)

If the content is trusted then requiring the user to get root privileges is just a security risk (key-loggers). I do hope, however, that they had the foresight to require specific permissions to allow users to install signed packages. I don't want my guest users installing every signed package and filling my HDD.

Re:This makes sense (3, Insightful)

Anonymous Coward | more than 4 years ago | (#30149118)

So with Microsoft it's a fail but here it's a feature? Man, my head is spinning.

Re:This makes sense (2, Interesting)

Arimus (198136) | more than 4 years ago | (#30149196)

No, it's a fail. Any OS vendor / Linux distro which thinks this is a good idea needs whacking hard with a two-by-four till they get the message that this is a fail whoever does it.

Re:This makes sense (2, Interesting)

TooMuchToDo (882796) | more than 4 years ago | (#30149426)

When Linux requires a root password via sudo to do everything, everyone cheers. When Windows Vista required an admin password to do the same administrative tasks, everyone complained.

Re:This makes sense (1)

Arimus (198136) | more than 4 years ago | (#30149620)

Not quite everyone... I didn't for one.

Though in a console environment typing sudo (assuming you're in the sudoers file) is easier than a popup in a GUI...

And vista does have one issue: run command as a normal user and there is no equiv to sudo ipconfig /flushdns - you need to know you are going to run admin commands before you open the command prompt and run it as an admin user. Which is one thing I don't like about it...

Re:This makes sense (2, Informative)

the_womble (580291) | more than 4 years ago | (#30149652)

The thing is that Linux does not require the root password to do everything. The commonest task that requires it is installing software.

From what I understood of the complaints about Vista, it required the root password a lot more than Linux does.

Re:This makes sense (1)

mweather (1089505) | more than 4 years ago | (#30149258)

Microsoft lets you install unsigned code as well. Signed code isn't nearly as big a problem, unless they're signing keyloggers and spambots. It's still a problem, but nowhere near as bad.

Re:This makes sense (1)

CannonballHead (842625) | more than 4 years ago | (#30149306)

Microsoft lets you install unsigned code as well.

Without being admin/having to go through the UAC thing?

Re:This makes sense (1, Insightful)

jim_v2000 (818799) | more than 4 years ago | (#30149474)

That's the thing. Every time you see a comparison of security in Windows and Linux, the user in Windows is always assumed to be the administrator, and you get all this FUD about how insecure Windows is. The proper comparison would be to a Windows machine where the user is logged in as a limited user. In that case, it's as secure as a Linux box.

Re:This makes sense (3, Insightful)

natehoy (1608657) | more than 4 years ago | (#30149360)

No, there is a significant difference between "running as Admin" and "installing a signed application without requiring root (Linux's Admin) authority".

The amount of authority granted depends on how many signing authorities you have decided to trust. If you trust only a server under your own control, for example, this could be really useful within an organization to allow users to install company-authorized packages without having to run around and install everything for everyone, while still preventing average users from doing anything to the machine.

I don't agree with this change in RedHat, but it is (fortunately) a policy change and not a programming change. In other words, it's easy for any machine owner to change the policy (which can, by the way, only be done as root) and require that all software installs be done by root only (which was the old default). In my opinion, this default should be changed back, and those people who want to send signed packages out within their organizations can change the policy.

A regular RedHat user still cannot do things like reformat the hard drive, change operating system files or core system configurations, access any data but their own, etc. Similar to a "Limited" user account in Windows (but the difference is that Microsoft, by default, has traditionally made all accounts Admin, and a lot of software vendors have come to depend on that so making a Limited user is an exercise in deep frustration in Windows).
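What "it's a policy change, not a code change" looks like in practice, as an added example that is not Fedora's or PackageKit's own code. It audits which PolicyKit actions an active local session may perform with no prompt at all, then drops in a LocalAuthority rule that makes the signed-package install ask for the admin password again. Assumptions, to verify on your own box: the action id `org.freedesktop.packagekit.package.install`, the `pkaction --verbose` output layout the parser expects, and the polkit 0.9x `.pkla` directory (`/etc/polkit-1/localauthority/50-local.d`). The `pkaction` sample embedded in the block is constructed for illustration.

```shell
#!/bin/sh
# Audit no-prompt PolicyKit actions and restore admin auth for PackageKit's
# signed-package install. Added example, not Fedora/PackageKit code.
# Assumed (verify locally): action id, pkaction output format, .pkla dir.

ACTION="org.freedesktop.packagekit.package.install"
PKLA_DIR="${PKLA_DIR:-/etc/polkit-1/localauthority/50-local.d}"

# Constructed sample of `pkaction --verbose` output, two actions only.
SAMPLE_PKACTION='org.freedesktop.packagekit.package.install:
  description:       Install signed package
  vendor:            The PackageKit Project
  implicit any:      no
  implicit inactive: no
  implicit active:   yes
org.freedesktop.packagekit.package.remove:
  description:       Remove package
  implicit any:      no
  implicit inactive: no
  implicit active:   auth_admin_keep'

# Read `pkaction --verbose` output on stdin; print ids of actions whose
# "implicit active" authorization is "yes", i.e. allowed with no prompt.
unprompted_actions() {
  awk '
    /^[^ ].*:$/ { id = $1; sub(/:$/, "", id) }
    /^ +implicit active: +yes/ { print id }
  '
}

# Run the parser over the constructed sample (used by the usage/test below).
demo_unprompted() { printf '%s\n' "$SAMPLE_PKACTION" | unprompted_actions; }

# Write a LocalAuthority rule in DIR forcing auth_admin for $ACTION.
# .pkla files are read in sorted order and later ones win, so the 90-
# prefix is chosen to override lower-numbered local rules (assumption).
write_pkla() {
  dir="$1"
  f="$dir/90-require-admin-for-package-install.pkla"
  mkdir -p "$dir"
  cat > "$f" <<EOF
[Require admin authentication to install signed packages]
Identity=unix-user:*
Action=$ACTION
ResultAny=auth_admin
ResultInactive=auth_admin
ResultActive=auth_admin
EOF
  printf '%s\n' "$f"
}

# Return 0 when FILE forces auth_admin for $ACTION in active sessions.
pkla_requires_admin() {
  grep -q "^Action=$ACTION\$" "$1" && grep -q '^ResultActive=auth_admin$' "$1"
}

# Real use, as root, on a machine with pkaction installed:
#   sh audit-pkgkit.sh --apply
if [ "${1:-}" = "--apply" ]; then
  echo "Actions allowed without any prompt:"
  pkaction --verbose | unprompted_actions
  f=$(write_pkla "$PKLA_DIR")
  pkla_requires_admin "$f" && echo "wrote $f"
fi
```

After writing the rule, `pkaction --verbose --action-id org.freedesktop.packagekit.package.install` should still show the vendor's implicit default; the `.pkla` rule overrides it at authorization time, which you can confirm by trying an install as an unprivileged user and getting the password prompt. On polkit 0.106 and later the LocalAuthority backend is gone and the same override is written as a JavaScript rule under `/etc/polkit-1/rules.d`.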

Re:This makes sense (5, Insightful)

MatanZ (4571) | more than 4 years ago | (#30149144)

The content might be trusted, but not wanted by the administrator of the machine.

Another way to think about it - you are now vulnerable to local root exploits not only in packages you installed, but also in packages you chose not to install.

Re:This makes sense (5, Insightful)

jmorris42 (1458) | more than 4 years ago | (#30149382)

> Another way to think about it - you are now vulnerable to local root exploits not only
> in packages you installed, but also in packages you chose not to install.

DING! You nailed it. The attack surface has been expanded to include every package in every enabled repo. Find a local root exploit in any one of them and you get the machine.

This is totally stupid. It makes the assumption that every user is an admin, which was exactly the idiocy we have, rightly, laughed at Microsoft for years over. Microsoft has been working at correcting that mistake while we have been adopting it. And it isn't just Fedora, this apparently came from upstream at PackageKit so unless this gets nipped in the bud it will spread to everyone else.

The root of the problem is that decisions that impact security are being made by marketing people more concerned with the 'year of the Linux desktop'. And again, wasn't this exactly what we slagged Microsoft over in the past? As Linux nears readiness for mass consumption we find ourselves making exactly the same mistakes for exactly the same reasons. We are tossing decades of hard won security knowledge onto the altar of user friendliness.

We didn't learn anything. We are doomed.

Re:This makes sense (2, Insightful)

Reason58 (775044) | more than 4 years ago | (#30149156)

If the content is trusted then requiring the user to get root privileges is just a security risk (key-loggers). I do hope, however, that they had the foresight to require specific permissions to allow users to install signed packages. I don't want my guest users installing every signed package and filling my HDD.

Signed doesn't mean bug-proof. Everything a user installs is just one more attack vector.

Re:This makes sense (2, Insightful)

msclrhd (1211086) | more than 4 years ago | (#30149432)

And installing random stuff is an easy way to destabilise a system.

What... I want to install kubuntu-desktop on this ubuntu-desktop machine. (Yes, I know the issue is in Fedora, but the same principle applies.)

Re:This makes sense (5, Informative)

fluch (126140) | more than 4 years ago | (#30149162)

No, it does NOT make sense. It creates a new security risk: If some malicious software (running with normal user privileges) notices that a hackable piece of software is missing on the computer (one which has a known security vulnerability to gain root access) it can now install this package without problem and gain root access later on.

A sudo approach like done in Ubuntu is much better.

Re:This makes sense (3, Insightful)

jim_v2000 (818799) | more than 4 years ago | (#30149500)

It makes perfect sense and entirely appropriate for home/personal use. If you're in a corporate environment, disable the feature.

Re:This makes sense (1, Insightful)

Anonymous Coward | more than 4 years ago | (#30149180)

If Ubuntu extended this right to every user who was in the admin group then I would have no problem whatsoever. It's just a question of not having to provide your password. FC providing it to all users? Easy DDOS, just install lots of stuff. Or what if they install SSHD on a machine that shouldn't have SSHD running? I bet the package sets it to start in all runlevels by default, meaning that users have the ability to open up huge security holes. Imagine a user thinking "I have an old version of package X that has a security hole, but I can install it since it's signed, and therefore gain r00t!"

Terrible idea, just terrible.

Re:This makes sense (5, Insightful)

Draek (916851) | more than 4 years ago | (#30149216)

So, you argue that this is a security measure to protect systems that are already compromised with keyloggers? I... see, right... *backs away slowly*

Re:This makes sense (4, Funny)

jim_v2000 (818799) | more than 4 years ago | (#30149336)

Guest users? That's good...everyone knows that Linux users don't have any guests.

Re:This makes sense (0)

Anonymous Coward | more than 4 years ago | (#30149348)

Lolwut

Re:This makes sense (1)

nine-times (778537) | more than 4 years ago | (#30149414)

If the content is trusted then requiring the user to get root privileges is just a security risk (key-loggers). I do hope, however, that they had the foresight to require specific permissions to allow users to install signed packages.

I could see having some kind of permission that can be set to allow particular users the rights to install signed packages without any additional administrative rights. That could be useful. However, I don't think it would make sense to have that right granted to non-admin users in the default case. It should be a right that the admin needs to specifically grant to users before it is allowed.

Re:This makes sense (1, Informative)

Anonymous Coward | more than 4 years ago | (#30149450)

Use your head man! If any single bug is found in any signed kernel driver anywhere ever, a piece of malware will auto-fetch the signed driver (or just come packaged with it), install the said buggy driver (no su access needed!), and promptly exploit it to gain root access for itself.
Any signed buggy driver will be a gaping security hole until its signed status is somehow revoked - and until it is revoked, ANY program can use it to get kernel mode access. This has all the makings of a permanent security hole.

Re:This makes sense (1)

harlows_monkeys (106428) | more than 4 years ago | (#30149632)

I don't think you are supposed to have guest users. One of the Fedora guys said in the thread cited in the submission, explaining why that is not a problem:

This assumes the user is different from an admin, which is not true for a personal desktop

Apparently, it hasn't occurred to him that some people actually have others living in the same household who might share the computer.

User-level package manager (4, Interesting)

EvanED (569694) | more than 4 years ago | (#30149092)

What I want is a package manager that will do installation to my own home directory -- basically the same as downloading the source and running './configure --prefix=$HOME/whatever && make install' but without the complete bitchness of dependency hell -- without any root privileges at all. Anyone know of one?

Re:User-level package manager (2, Funny)

AnotherShep (599837) | more than 4 years ago | (#30149138)

Have you tried just deploying with ClickOnce? Oh, wait, nevermind. :P

Re:User-level package manager (2, Informative)

Defiler (1693) | more than 4 years ago | (#30149236)

I know of one for Mac OS:
http://github.com/mxcl/homebrew/ [github.com]
It would probably not be much of a challenge to make that work on a Linux machine. That and a Linux tool for this probably already exists.

Re:User-level package manager (0)

Anonymous Coward | more than 4 years ago | (#30149534)

You can configure macports to install things into $HOME instead of the default ${prefix} (/opt/local)

Re:User-level package manager (1)

Nimey (114278) | more than 4 years ago | (#30149264)

Stow isn't quite what you want, but it's pretty close. I've used it for just about ten years for locally-compiled stuff.

Generally what I do is ./configure --prefix=/usr/local/stow/[PACKAGENAME-VERSION] && make && sudo make install, then cd /usr/local/stow and type "sudo stow [PACKAGENAME-VERSION]". Removal is a simple cd /usr/local/stow && sudo stow -D [PACKAGENAME-VERSION]. It doesn't worry about dependencies at all, and really all it does is make symlinks in /usr/local/bin, /usr/local/share, and so on.

It would be trivial to set up a ~/stow directory and use that instead of /usr/local/stow.

[PACKAGENAME-VERSION], such as nano-2.0.9.

Re:User-level package manager (1)

EvanED (569694) | more than 4 years ago | (#30149456)

It doesn't worry about dependencies at all...

So basically, what does it do to solve my problem?

It *does* solve a different problem I have with the Linux way of setting up packages, but I can just change '--prefix=/usr/local/stow/[PACKAGENAME-VERSION]' to '--prefix=$HOME/root' and then everything gets put in ~/root/bin, ~/root/lib, etc. as if ~/root were /usr. That's mostly how I have things set up, so it's a tiny problem in comparison to dependency resolution.
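The two comments above (per-package `--prefix` directories linked into one tree, and `~/root` standing in for `/usr`) combined into a minimal per-user stow, as an added example rather than GNU Stow or anything posted in the thread. It assumes each package was built with `--prefix=$HOME/stow/NAME-VERSION` and links its files into `$HOME/root`; both paths can be overridden with `PKG_ROOT` and `PREFIX`. Everything it does happens inside the user's home directory, so no root is involved at any point, which is the point of the thread.

```shell
#!/bin/sh
# Minimal user-level "stow": symlink a per-package tree into a shared prefix.
# Added example, not GNU Stow; PKG_ROOT/PREFIX layout is an assumption.
PKG_ROOT="${PKG_ROOT:-$HOME/stow}"
PREFIX="${PREFIX:-$HOME/root}"

# stow_pkg NAME-VERSION: link every regular file under $PKG_ROOT/NAME-VERSION
# to the same relative path under $PREFIX. Refuses to clobber real files, so
# two packages shipping the same path fail loudly instead of silently winning.
stow_pkg() {
  pkg="$PKG_ROOT/$1"
  [ -d "$pkg" ] || { echo "no such package dir: $pkg" >&2; return 1; }
  list=$(mktemp)
  (cd "$pkg" && find . -type f) > "$list"
  while read -r rel; do
    rel="${rel#./}"
    dest="$PREFIX/$rel"
    if [ -e "$dest" ] && [ ! -L "$dest" ]; then
      echo "refusing to overwrite real file: $dest" >&2
      rm -f "$list"
      return 1
    fi
    mkdir -p "$(dirname "$dest")"
    rm -f "$dest"
    ln -s "$pkg/$rel" "$dest"
  done < "$list"
  rm -f "$list"
}

# unstow_pkg NAME-VERSION: remove only the links that point into this package,
# leaving links owned by other packages (and any real files) untouched.
unstow_pkg() {
  pkg="$PKG_ROOT/$1"
  [ -d "$pkg" ] || { echo "no such package dir: $pkg" >&2; return 1; }
  list=$(mktemp)
  (cd "$pkg" && find . -type f) > "$list"
  while read -r rel; do
    rel="${rel#./}"
    dest="$PREFIX/$rel"
    if [ -L "$dest" ] && [ "$(readlink "$dest")" = "$pkg/$rel" ]; then
      rm -f "$dest"
    fi
  done < "$list"
  rm -f "$list"
}

# Typical flow for one package (run by hand, not executed here):
#   ./configure --prefix="$PKG_ROOT/nano-2.0.9" && make && make install
#   stow_pkg nano-2.0.9      # link into $PREFIX
#   unstow_pkg nano-2.0.9    # remove it again
```

To actually use the result, put `$HOME/root/bin` on `PATH` and either add `$HOME/root/lib` to `LD_LIBRARY_PATH` or build with `LDFLAGS="-Wl,-rpath,$HOME/root/lib"`; dependency resolution, which the original poster asked for, is still left to the human.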

Re:User-level package manager (1)

FooBarWidget (556006) | more than 4 years ago | (#30149390)

Autopackage.

But it's not just the package manager. Applications have to be modified to specifically support $HOME installation (or, to be more exact, installation to arbitrary locations), and most Unix apps right now don't support this without hardcoding paths during compilation time. This is something which Autopackage tries to take care of too, by providing documentation and code for developers for writing relocatable apps.

Re:User-level package manager (2, Interesting)

EvanED (569694) | more than 4 years ago | (#30149504)

Autopackage.

Great for developers of programs, but from what I can tell, useless if I want to install something that someone wrote, which usually use the autotools.

Applications have to be modified to specifically support $HOME installation (or, to be more exact, installation to arbitrary locations), and most Unix apps right now don't support this without hardcoding paths during compilation time.

That's fine... whatever. I'd be perfectly happy with something like a userland emerge that compiled everything on demand.

Re:User-level package manager (0)

Anonymous Coward | more than 4 years ago | (#30149488)

Have you tried pkgsrc (http://www.netbsd.org/docs/software/packages.html)? It's the NetBSD package manager, but works on many operating systems. I use it for my Mac because I've had difficulties with fink in the past, and like that I can install to my home directory.

Re:User-level package manager (1, Informative)

Anonymous Coward | more than 4 years ago | (#30149584)

Nix (http://nixos.org/). You have to have your own glibc, though. As a bonus you can have a few of them without conflicts.

By the way, we allow non-root users to install software - any software. Now, the semantics are such that it doesn't really give the user something he couldn't achieve by manually writing a binary: setuid wrappers and upstart jobs are enabled/disabled by root by a process similar to installing packages, but distinct enough. Yes, you can install sshd - you could download a statically compiled version with the same success.

Re:User-level package manager (1, Informative)

Anonymous Coward | more than 4 years ago | (#30149618)

Gobo rootless might be of interest?

http://www.gobolinux.org/?page=rootless [gobolinux.org]

Of course there isn't a problem (5, Insightful)

TSHTF (953742) | more than 4 years ago | (#30149108)

Certainly there can't be a problem here, says the Fedora team. According to the release notes [fedoraproject.org] , there are 15,000 packages which can be installed by these unprivileged users. That's a lot of fscking code -- surely some of it is poorly written. Consider this scenario: Package X suffers a critical {local, remote} root vulnerability. If the vulnerability isn't public, any local user (and maybe remote ones too!) has root. If the vulnerability is public, there is often a long window between downstream fixes and Fedora fixes. In either case, this is a security issue. The Fedora team really should have put this in the release notes and reconsidered this implementation in the first place.

Re:Of course there isn't a problem (0)

RAMMS+EIN (578166) | more than 4 years ago | (#30149204)

How is allowing non-privileged users to install packages any more of a security risk than, say, letting them bring their own binaries to the system, or compiling their own binaries on the system?

At least the packages that are allowed to be installed are signed, which means _someone_ looked at them and approved them.

Re:Of course there isn't a problem (2, Informative)

Eric Smith (4379) | more than 4 years ago | (#30149274)

It's more of a risk because a package can install setuid binaries, or install config files in directories such that they are used or interpreted by processes running as another user or root. Installing a package can do a lot more than you can do as an unprivileged user.

Re:Of course there isn't a problem (1, Insightful)

RAMMS+EIN (578166) | more than 4 years ago | (#30149496)

Ah, ok. That wasn't clear to me from the description.

So you're saying that a regular luser can install packages AS ROOT without needing to provide the root password, be a member of a specific group, etc etc? And thus, a regular, otherwise unprivileged user can write to directories normally only accessible to root, install suid root binaries, and overwrite configuration files?

Wow.

Just wow.

And nobody raised a big stink about it before the official release.

Incredible.

Re:Of course there isn't a problem (1)

TSHTF (953742) | more than 4 years ago | (#30149298)

Because the package management system runs as root, may install setuid files, or system daemons which contain vulnerable code; an unprivileged user cannot normally do this.

Sure - only signed packages can be installed - but signing a package won't make those pesky buffer overflow vulnerabilities go away.
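The "what does this package hand the installer beyond user privileges" check from the two replies above, as an added example that is not part of the thread or of Fedora's tooling: it pulls the setuid and setgid files out of an `rpm -qlv` style long listing, so you can see what a package would drop on the box before a user is allowed to install it. The listing embedded in the block is constructed for illustration and is not taken from any real package; the `rpm` and `yumdownloader` invocations in the comments are the standard ones and are not run here.

```shell
#!/bin/sh
# Find setuid/setgid files in an `rpm -qlv`-style listing.
# Added example, not Fedora tooling; the sample listing is constructed.

# Constructed sample in `rpm -qlv` / `ls -l` format (not a real package).
SAMPLE_LISTING='-rwsr-xr-x    1 root    root        30768 Nov 12  2009 /usr/bin/passwd
-rwxr-xr-x    1 root    root        10240 Nov 12  2009 /usr/bin/helper
-rwxr-sr-x    1 root    tty          8192 Nov 12  2009 /usr/bin/write
drwxr-xr-x    2 root    root            0 Nov 12  2009 /usr/share/doc/example
-rw-r--r--    1 root    root         1024 Nov 12  2009 /etc/example.conf'

# Read long-listing lines on stdin; print the path of every entry whose mode
# string has the setuid bit (4th char) or setgid bit (7th char) set.
# "S" covers the bit set without the execute bit. Paths with spaces are not
# handled, since $NF is only the last whitespace-separated field.
setuid_files() {
  awk '
    substr($1,4,1) == "s" || substr($1,4,1) == "S" ||
    substr($1,7,1) == "s" || substr($1,7,1) == "S" { print $NF }
  '
}

# Parser run over the constructed sample (what the test below checks).
demo_setuid_files() { printf '%s\n' "$SAMPLE_LISTING" | setuid_files; }

# Installed package (needs rpm):            setuid_in_pkg passwd
setuid_in_pkg() { rpm -qlv "$1" | setuid_files; }

# Package still sitting in an enabled repo (needs yum-utils for yumdownloader):
#   yumdownloader --destdir=/tmp "$pkg" && rpm -qlvp /tmp/"$pkg"*.rpm | setuid_files
setuid_in_rpm_file() { rpm -qlvp "$1" | setuid_files; }
```

A signature only tells you who built the file, not whether the setuid binary it carries has a bug; running this over every package in the enabled repos is the honest size of the attack surface the policy opens.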

Re:Of course there isn't a problem (2, Interesting)

Too Much Noise (755847) | more than 4 years ago | (#30149568)

At least the packages that are allowed to be installed are signed, which means _someone_ looked at them and approved them.

The thing that I would ask here is whether the user can install a specified older version of a given package. Say, for instance, install the original version from the main repository with a known vulnerability that is patched in the update repo.

Re:Of course there isn't a problem (1, Insightful)

Anonymous Coward | more than 4 years ago | (#30149250)

Worse than that, consider your same scenario where Package X suffers a critical vulnerability, but the sysadmin is on top of it so checks the system to make sure package X is not installed. Then the next day, random user or malicious user, installs package X without the sysadmin knowing.

Users should not get to be root. PERIOD (4, Insightful)

Jailbrekr (73837) | more than 4 years ago | (#30149132)

That is just silly. Users are users for a reason, and admins are admins for a reason. If users want to install software, they can use sudo.

Whoever approved that in the Fedora team needs a refresher in security.

Re:Users should not get to be root. PERIOD (0)

Anonymous Coward | more than 4 years ago | (#30149214)

What proportion of Fedora installations have the user and the admin as different people?

Re:Users should not get to be root. PERIOD (2, Insightful)

Jailbrekr (73837) | more than 4 years ago | (#30149272)

That is irrelevant. I suspect that a vast majority of Fedora users use standard non-root accounts, and only use root for doing system maintenance or installing packages. To allow a non-root user to in essence do root commands without prompting for a password just begs to be exploited. The risks that this default setup exposes far outweigh any benefits that may be gained. Is it really that hard to prepend your command with sudo?

Re:Users should not get to be root. PERIOD (0)

Anonymous Coward | more than 4 years ago | (#30149462)

So, does this mean that people distributing Linux malware can stop telling people to install it with sudo?

Re:Users should not get to be root. PERIOD (2, Insightful)

mweather (1089505) | more than 4 years ago | (#30149302)

What proportion have the admin and a hacker on a remote machine as the same person?

Re:Users should not get to be root. PERIOD (1)

natehoy (1608657) | more than 4 years ago | (#30149428)

In a corporate environment, this does make sense.

As a default, it doesn't, because if you're a corporation wanting to extend this authority you'll almost certainly want to spend some time configuring the trusted authority list so you can host "approved" applications on an internal server.

Fortunately, this is a policy setting and not a code change. RedHat should change the default back to "requires root", though, because anyone who wants to change this policy should know what they are doing and make the appropriate configuration changes to control (or not) the applications that can be installed.

Developers vs. Sysadmins (5, Insightful)

Anonymous Coward | more than 4 years ago | (#30149140)

Ah yes, the age-old struggle between developers and sysadmins bears yet more sour fruit.

After working as a sysadmin for 10+ years for several groups of Linux software devs, I realized that devs don't make good sysadmins, and vice-versa (in general).

Developer workstations are usually a mess of tweaks, customizations, hacks, extraneous libraries that they were "testing" three months ago, odd daemons, and all kinds of other crap. They would install new packages hourly - so all the better if they could do it without requiring root access to the servers.

Sysadmins on the other hand tend to be uptight control freaks who micro-manage every little thing. This is great when we're talking the company webservers, but when it comes to developer workstations, well... the devs weren't too happy about being locked down.

I guarantee you that this feature was requested/suggested by one or more developers on the team, who thought it'd make their lives easier. And I also guarantee you that most of the people against it are system administrators.

God, I'm glad I went back into Science.

Re:Developers vs. Sysadmins (2, Funny)

BlueParrot (965239) | more than 4 years ago | (#30149396)

God, I'm glad I went back into Science.

Science is vulgar compared to mathematics.

I bet you're even one of those dirty experimentalists, or even worse, a chemist!

Re:Developers vs. Sysadmins (3, Interesting)

HangingChad (677530) | more than 4 years ago | (#30149492)

After working as a sysadmin for 10+ years for several groups of Linux software devs, I realized that devs don't make good sysadmins, and vice-versa (in general).

We did okay in our office. We let the devs admin their own machines and an actual sysadmin, like yourself, run the production environment. For the desktop users we put in an install request and we installed the software for them. It wasn't that hard, we didn't get a lot of requests.

I don't see the conflict myself. Just by running CentOS dev machines and Ubuntu for commodity desktops, we were light years ahead on security without even doing a lot. As long as no one is staying logged in as root, there are much easier targets. It's kind of like the bear joke. We don't have to have bear proof security, just better security than the company next door.

What does this solve? (2, Insightful)

asv108 (141455) | more than 4 years ago | (#30149150)

I really don't understand the basis for this move. From a desktop usability perspective, having the GUI password prompt for an elevated privilege such as a package install works fine. It's seamless in Linux and OSX. Not prompting for authentication for signed package installs is insanely insecure and borderline insane.

Re:What does this solve? (1)

jim_v2000 (818799) | more than 4 years ago | (#30149366)

Because of all the signed malware out there? This is a minimal security risk at the worst.

Re:What does this solve? (1)

asv108 (141455) | more than 4 years ago | (#30149522)

It's not about malware, it's about security risks in general. If a user installs an FTP server, that's a huge security risk. A signature on the package does nothing to negate the risk.

Re:What does this solve? (2, Interesting)

natehoy (1608657) | more than 4 years ago | (#30149638)

It depends on your environment. For an individual user, you'd want sudo or su and you'd want to be prompted for each install. And that's a good thing.

But in a large corporate environment, I might want to make a bank of internal applications available (similar to Microsoft's "Run Advertised Programs"). I could configure all of my corporate desktops to only recognize the signing authority of a repository I own, then any of my users can install anything they want off that repository. But installs of things not on the "approved" list and therefore in the repository require root access.

However, this configuration setting was still a Bad Move on RedHat's part. If a corporation wants to allow this, they'll probably also want to think about the list of signing authorities they want to use. So this should be OFF by default and if an administrator wants to turn it ON they'd need to take action (and would presumably know what they are doing and why).

What a mess... (4, Insightful)

interval1066 (668936) | more than 4 years ago | (#30149158)

The email trail even includes a query from a Red Hat developer asking why it's such an issue. Incredible. I was going to quote some of that thread but the entire exchange is pretty funny, odd, and scary. Remind me to continue to not use RH, at least as a server.

Re:What a mess... (0, Flamebait)

sakdoctor (1087155) | more than 4 years ago | (#30149406)

I calculated the total cost of ownership of continuing to not use RH, and found it was too low,
so we stuck with windows.

Potential worm exploit (5, Interesting)

crow (16139) | more than 4 years ago | (#30149166)

Suppose someone wrote a worm that could get access to the system as a user. Then all they need is to find a signed package with a privilege-escalation bug, and whether it's installed or not, the malware could exploit it, gaining root access.

But apart from that, I can see where this would be nice from a single-user system standpoint.

Re:Potential worm exploit (1)

jim_v2000 (818799) | more than 4 years ago | (#30149376)

How does the worm get on the system?

Re:Potential worm exploit (0)

Anonymous Coward | more than 4 years ago | (#30149516)

Email.

Re:Potential worm exploit (0)

Anonymous Coward | more than 4 years ago | (#30149572)

The Fedora developers seem to believe that all desktop use cases are, in fact, single-user systems. It's almost as if they have never heard of family PCs, office computers, computer labs, sharing laptops with friends, etc. (It's surprisingly naive, almost cute!) And they've certainly never felt the wrath of a government information assurance officer. If they had, they'd know that desktop computers need to be just as secure as servers, but in a different way. With servers, all you have to do is keep the bad guys out. With desktops, you let the potential bad guys in but limit the damage they do.

SELinux (1)

bicho (144895) | more than 4 years ago | (#30149186)

Does it use SELinux in any way? So that only a handful of users are able to install signed rpm packages?

This stinks... (0)

Anonymous Coward | more than 4 years ago | (#30149226)

This smells of a back door to me.

SCREW THAT (0)

Anonymous Coward | more than 4 years ago | (#30149228)

I'm going back to Slack!!!

oh wait.

I never left. /me smugly picks up tobacco pipe, and takes a few puffs...

YAY!!!! (4, Funny)

MightyMartian (840721) | more than 4 years ago | (#30149234)

Fedora, Now With The Power Of Windows!!!!

Tired of those pesky admin privileges. Tired of using superuser. Want everyone on your system to install what they like, even from websites that say "Install Me!", why Fedora 12 is here! Come on, don't be afraid. Flush forty years of basic security principles down the toilet!

Re:YAY!!!! (2, Insightful)

Disgruntled Goats (1635745) | more than 4 years ago | (#30149284)

And yet when Microsoft included UAC in Windows Vista to address this very complaint they only got lambasted by you same Linux people. What hypocrisy.

Re:YAY!!!! (2, Informative)

Anonymous Coward | more than 4 years ago | (#30149482)

Windows UAC was lambasted because the implementation was terrible.

Re:YAY!!!! (1, Informative)

Anonymous Coward | more than 4 years ago | (#30149508)

Microsoft got lambasted because the UAC started out as sudo from an alternate, evil universe not unlike bearded Spock's home. It got better after SP1 was released, but it still proves the adage:

Those who fail to learn from UNIX are doomed to re-implement it... poorly.

Re:YAY!!!! (0)

Anonymous Coward | more than 4 years ago | (#30149330)

Actually, no. It only allows installing packages that have been signed - so things in the Fedora repositories.

And if any of them is insecure, then the "correct" fix is to fix the package to fix the insecurity.

Saying that, I can understand why someone may not want others to randomly install even signed packages, so maybe they should have limited this feature to updates only?

I fail to see the problem (1)

afed125 (1681340) | more than 4 years ago | (#30149238)

This change only applies to Fedora's desktop oriented spins, not the server versions, and it makes sense from a usability point of view. No user should be able to gain root access just by installing a signed package from a signed repository. It might be possible, but since Fedora controls all of those packages it should be easy to prevent that possibility. Overall, I think the increase in usability outweighs the security concern and definitely outweighs the argument of "expected unix behavior". This is someone's workstation or netbook, not a Vax in 1985 with 120 users on it.

Re:I fail to see the problem (1)

jimbobborg (128330) | more than 4 years ago | (#30149322)

You're a stinkin' developer, aren't you?

I don't get it... (1)

Junta (36770) | more than 4 years ago | (#30149326)

If it *is* a desktop scenario, then controlling it via sudo shouldn't be a problem. If you don't have sudo access, I don't see why you should get to install packages...

Second, a vulnerability is found in an apache package in fedora 12, and the repo is fixed, but vulnerable versions from release may be had by crackers. A fedora server with multiple users that doesn't happen to have apache installed is vulnerable to having the vulnerable package injected by an untrusted user.

Re:I fail to see the problem (1)

sheph (955019) | more than 4 years ago | (#30149540)

Well that would be fine if it were an option during the install, but to make it default behavior seems like a bad idea. I think it's great to give users that choice, but it shouldn't be by default and there should be a flashing warning surrounding the option. We already have enough infected systems on the net, why make it easier?

Require Password Instructions (4, Informative)

BountyX (1227176) | more than 4 years ago | (#30149338)

Browsed through the list. Here are instructions to require a password for signed repo [wordpress.com] . I agree with many of the mailing list users, this is a very bad default and there seems to be an assumption of targeting the desktop, or single user environments...

Hmm... (3, Informative)

fuzzyfuzzyfungus (1223518) | more than 4 years ago | (#30149354)

I'm not sure that this is a good default setting (though I would say that it is much more defensible for a desktop oriented distro, with the ability to turn it off; while it would be unsuitable for a server/corporate lockdown box setup). However, aside from the on by default/off by default question, I don't really understand what the big deal is.

Some people are freaking out, as though context-sensitive privilege escalation is some sort of ghastly betrayal of all that is UNIX and Good(tm). That seems frankly nonsensical. For example, good old sudo does exactly that. If you are on the sudoers list, you can do some or all things as a different user (usually root) with just your own credentials. This is wildly useful, and is a routine part of a great many UNIX systems. In desktopish contexts, we've also had things like automounters for external storage, doing a limited amount of trusted stuff as root, for some years now. Not necessarily the thing for servers; but usually good for desktops.

I don't know whether this is a good default or not, and I'd certainly want to see it mentioned in the docs (assuming it isn't already, haven't checked). However, limited privilege escalation mechanisms, for performing a set of trusted actions, have been part of UNIX for years. Anybody who is merely blowing up about that, rather than about the defaults question, is being reactionary in a way that isn't even accurate.

Mandriva's rurpmi (1)

Zombie Ryushu (803103) | more than 4 years ago | (#30149358)

Mandriva had a function like this called rurpmi (r as in "restricted") that would allow sudoers who were allowed only rurpmi to install (signed) packages. I'm not sure if this is exactly the same thing.

It sounds scary... (0)

Anonymous Coward | more than 4 years ago | (#30149436)

but I don't know if it is. It makes sense for my computers when I am the admin and my three other users are friends and family. It does not make sense for computers where I have worked. Of course they used CentOS or RHEL. Which I would have blithely updated before admins had a clue to say don't do that. It would have made reversion a nightmare. It might have fixed some problems but I don't know how many new problems it would have introduced. This does seem to be headed towards the Windows model of security, which may be a great strength for Windows but it is also its greatest weakness.

Stinks (0)

Anonymous Coward | more than 4 years ago | (#30149472)

This smells like a back door.

LOCAL USER ONLY, AND SIGNED PACKAGE ONLY (2, Informative)

QuoteMstr (55051) | more than 4 years ago | (#30149498)

There's something really, critically important here that everyone is missing:

ONLY LOCAL USERS CAN INSTALL PACKAGES

In other words:

IT ONLY MAKES A DIFFERENCE FOR USERS PHYSICALLY SITTING AT A MACHINE

That means that a random user can't ssh into your server and install packages. He has to actually be at the machine. And if he has physical access to the machine, he can just boot from a LiveCD.

Installing signed packages is a very low-risk operation. Yes, there are theoretical vulnerabilities, but in order for them to make much of a difference, you need the perfect alignment of coincidences that's really unlikely in practice.

This change allows users who can already compromise the machine given enough time do something very safe painlessly.
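
The "local users only" distinction above, and the password-restoring instructions linked in the "Require Password Instructions" comment, both come down to how PolicyKit resolves one action: the PackageKit `.policy` file carries per-action defaults for "any" subjects (e.g. an ssh session), "inactive" console sessions and "active" console sessions, and an administrator can override those per identity with a `.pkla` file under `/etc/polkit-1/localauthority/`. The following is an added example, not code from the thread, from Fedora or from PolicyKit: it is a simplified resolver that reads a constructed `.policy` fragment and a constructed `.pkla` override and reports the effective result. The action id `org.freedesktop.packagekit.package.install` is the one PackageKit used; the `allow_*` defaults shown (yes for active sessions, no otherwise) are my reconstruction of the Fedora 12 default and should be treated as an assumption, as should the simplified glob and identity matching.

```python
"""Simplified resolver for polkit-1 action defaults plus .pkla local-authority overrides.

Added example for illustration; not PolicyKit's code. Matching rules are simplified.
"""
import configparser
import xml.etree.ElementTree as ET

ACTION = "org.freedesktop.packagekit.package.install"

# Constructed .policy fragment. The allow_* values are an assumption modelled on the
# Fedora 12 default under discussion: no auth for an active console session.
POLICY_XML = """<?xml version="1.0" encoding="UTF-8"?>
<policyconfig>
  <action id="org.freedesktop.packagekit.package.install">
    <description>Install signed package</description>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
</policyconfig>
"""

# Constructed .pkla override, the kind of file an admin would drop into
# /etc/polkit-1/localauthority/50-local.d/ to bring the password prompt back.
PKLA_OVERRIDE = """[Require admin auth to install signed packages]
Identity=unix-user:*
Action=org.freedesktop.packagekit.package.install
ResultAny=auth_admin
ResultInactive=auth_admin
ResultActive=auth_admin
"""


def parse_policy(xml_text):
    """Return {action_id: {'any': ..., 'inactive': ..., 'active': ...}} from a .policy file."""
    out = {}
    for act in ET.fromstring(xml_text).iter("action"):
        d = act.find("defaults")
        out[act.get("id")] = {
            "any": d.findtext("allow_any", "no"),
            "inactive": d.findtext("allow_inactive", "no"),
            "active": d.findtext("allow_active", "no"),
        }
    return out


def parse_pkla(text):
    """Return override rules from ini-style .pkla text, in file order."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    rules = []
    for name in cp.sections():
        s = cp[name]
        rules.append({
            "identities": s.get("Identity", "").split(";"),
            "actions": s.get("Action", "").split(";"),
            "any": s.get("ResultAny"),
            "inactive": s.get("ResultInactive"),
            "active": s.get("ResultActive"),
        })
    return rules


def identity_matches(spec, user, groups):
    """Identity specs: unix-user:NAME, unix-user:*, unix-group:NAME (simplified)."""
    kind, _, name = spec.partition(":")
    if kind == "unix-user":
        return name in ("*", user)
    if kind == "unix-group":
        return name == "*" or name in groups
    return False


def action_matches(spec, action_id):
    """Exact id, '*', or a trailing 'prefix.*' glob (simplified)."""
    if spec in ("*", action_id):
        return True
    return spec.endswith(".*") and action_id.startswith(spec[:-1])


def effective_result(policy, rules, action_id, user, groups, session):
    """session: 'active' (at the console), 'inactive' (console, switched away), 'any' (e.g. ssh).

    Start from the .policy default, then let each matching .pkla rule override it;
    later rules win, as with files sorted into localauthority's *.d directories.
    """
    result = policy[action_id][session]
    for rule in rules:
        if any(identity_matches(i, user, groups) for i in rule["identities"]) and \
           any(action_matches(a, action_id) for a in rule["actions"]):
            if rule[session] is not None:
                result = rule[session]
    return result


if __name__ == "__main__":
    policy = parse_policy(POLICY_XML)
    rules = parse_pkla(PKLA_OVERRIDE)
    for session in ("active", "inactive", "any"):
        before = effective_result(policy, [], ACTION, "alice", ["alice"], session)
        after = effective_result(policy, rules, ACTION, "alice", ["alice"], session)
        print(f"{session:9s} default={before:10s} with override={after}")
```

With the constructed default, an active console session resolves to "yes" (no prompt) while an ssh session resolves to "no", which is the mechanism behind the "local users only" observation; the override turns all three into "auth_admin". On a real polkit-1 box the implicit defaults for an action can be checked with `pkaction --verbose --action-id org.freedesktop.packagekit.package.install`, which is the check to run before and after dropping in a `.pkla` file.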

Re:LOCAL USER ONLY, AND SIGNED PACKAGE ONLY (2, Insightful)

Junta (36770) | more than 4 years ago | (#30149660)

Either that, or someone able to fool the checks for console ownership (one of the points in the email thread was that the checks weren't sufficiently robust for their comfort).

Every package from the project is signed. It doesn't 'lose' its signature just because a new rpm exists in the world somewhere that fixes a vulnerability. So a system that doesn't want to run 'extremeliabilityd' and opts not to install it at all, could be compromised anyway.

Why would one want to imitate the Windows 95 model for deployment security?

One way to root a Fedora install (2, Interesting)

mukund (163654) | more than 4 years ago | (#30149592)

Fedora accepts all kinds of packages. You could create a simple utility, like some netmask computation code, make it a trojan (add code which does what it's not intended to do as setuid root).. package it for Fedora. This can go completely unnoticed. As an upstream maintainer, I am pretty sure Fedora or any other distro does not review my project code more than a cursory glance to fix any compilation/integration issues.

User gets to be root user. It may not even be a user.. it may be a program of some kind that has access to your user account after exploiting a vulnerability in an app such as your web browser.

There are other ways to get root too, such as exploit other setuid binaries in any of the thousands of packages that Fedora ships in the Everything repo.

Letting users install packages (signed or not) on a system administered by root is a stupid decision.

Let's see who can speak more about this issue... (1)

icepick72 (834363) | more than 4 years ago | (#30149608)

.. the ./ community, or on the mailing list thread. Bets anyone?