

Fedora 12 - unprivileged users can install packages?  - timf
http://lwn.net/Articles/362592/

======
Rantenki
Packagekit allows LOCAL users (who already have been given an account, by
definition) to install software.

More to the point, LOCAL users are likely to consist only of a single user,
i.e. the owner of the machine, in the vast majority of installs. If you want
a server, don't use Fedora. Fedora is bleeding edge redhat style desktop, end
of story. If you want to use fedora as a server, go ahead, just disable this
feature.

Is it so weird that the Fedora engineers wanted to make life a little less
painful for the kind of user that has no idea what sudo is, never mind the
wheel group, or how to configure PAM? I think we all fall into this trap
(myself included), where things we had to learn seem easy now. They aren't.
Not by a long shot.

Besides, Centos 5.4 is right over there. Right tool for the job folks.

~~~
there
i think the outrage stems from the fact that this is being introduced into a
distribution that many users are already using (or will be after a
release/upgrade) and is drastically changing the way it has always worked.

if a new desktop linux distribution were to come out touting this feature, i
doubt anyone would really care.

~~~
sgk284
Most of the fiasco, as most fiascos are, is caused by ignorance and not
understanding that PolicyKit gives this privilege only to people that are on
the machine locally. These are the same people that could reboot the machine
into single user mode and do whatever they want.

One analogy involved the fact that we already allow users to automount devices
and this is no different.

I congratulate Fedora on questioning the status quo.

~~~
tshtf
1) Right now I'm running Firefox locally in X11. If there is a code execution
vulnerability in JPEG parsing, for example, the shellcode could just install a
signed repo package with a root vulnerability. This potentially means the next
Firefox vulnerability is remote root on FC12.

2) You don't have to be at the console to inject code to install arbitrary
packages, but you do for mounting a drive.

3) There are good ideas behind policykit and packagekit, but the introduction
was mishandled. No mention was made in the initial release notes of this new
feature, and one could argue that the default policy isn't the best idea.
However, having the ability to define more finely-grained policies should get
two thumbs up.

~~~
ubernostrum
Except this is what bugs me about that huge fedora-dev thread: all the
proposed attacks seem to begin by assuming the attacker is already in a
position where they don't need this to own you.

And it's really hard to read that thread without getting the impression that a
lot of people are trying to take the security model and use cases of their
companies' production servers and apply them to personal desktop systems.

~~~
dhimes
No, the real concern is that someone who doesn't understand the issue as well
as "root" now can install software that has an exploit.

Ex: I have a server in my office. My kids use it for this and that. One of
them decides it'd be cool to install the new TI->Ipod widget. Three days later
I'm unknowingly hosting pirated movies.

Edit: I made up the TI->ipod thing. Don't want to waste anybody's day!

~~~
ubernostrum
So, this raises the question of why you're running a desktop-oriented OS on a
server.

And as I said originally I think that's a big part of the problem: the server
security use case and the desktop security use case are not the same, and far
too much of the discussion has been based around the assumption that they are.
On a server, the idea that a non-root user can install packages is terrifying,
but on a desktop? Both the threat model and the use case are so wildly
different that I don't think it's possible to make any meaningful comparison.

~~~
dhimes
_So, this raises the question of why you're running a desktop-oriented OS on a
server._

As a staging area. The main reason for not using Fedora as a _production_
server is not that it is desktop oriented but that it updates too frequently.
Some of us (well, at least one of us) run(s) servers on our desktops as well.

~~~
ubernostrum
And it certainly seems to be easy to change the policy settings to disallow
people installing packages :)

I guess I'm just looking at this from the POV of Fedora really trying to be an
everyday desktop OS, where minimal pain in installing new software is a good
thing and Fedora's policies for trusted repositories and signed packages help
keep the risk minimal (yeah, somebody could sneak a backdoor into something in
a Fedora repo, but if they can do that they're interested in more than owning
your desktop machine).
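
Two posts above talk about turning this off: Rantenki's "just disable this feature" and ubernostrum's remark that the policy settings are easy to change. The script below is an added example of what that change looks like; it is not code from the LWN article, from anyone in this thread, or from the Fedora project. It assumes a polkit-1 "localauthority" setup of the kind Fedora 12 shipped, where a site-local `.pkla` file under `/etc/polkit-1/localauthority/50-local.d` overrides the vendor defaults, and it assumes the PackageKit action is named `org.freedesktop.packagekit.package-install`; both the action ID and the directory are assumptions to confirm on your own box with `pkaction` and pklocalauthority(8) before relying on them.

```shell
#!/bin/sh
# Added example (not from the LWN article, the thread, or Fedora): make the
# PackageKit "install signed package" action require admin authentication
# again, instead of being granted to any active local session.
#
# Assumptions to verify on the target system:
#   - the action ID is org.freedesktop.packagekit.package-install
#     (check with:  pkaction | grep packagekit)
#   - site-local .pkla overrides are read from
#     /etc/polkit-1/localauthority/50-local.d (see pklocalauthority(8))
set -eu

ACTION="org.freedesktop.packagekit.package-install"
# PKLA_DIR can be overridden (e.g. to a temp dir) to inspect the output
# without touching /etc.
PKLA_DIR="${PKLA_DIR:-/etc/polkit-1/localauthority/50-local.d}"
PKLA_FILE="$PKLA_DIR/10-packagekit-require-admin.pkla"

# Body of the override. ResultActive is the case argued about in the thread
# (a user logged in at the console); ResultInactive and ResultAny cover
# inactive and non-local sessions so nothing is left at the old default.
pkla_body() {
    cat <<EOF
[Require admin authentication to install signed packages]
Identity=unix-user:*
Action=$ACTION
ResultAny=auth_admin
ResultInactive=auth_admin
ResultActive=auth_admin
EOF
}

# Write the override file and print its path.
write_pkla() {
    mkdir -p "$PKLA_DIR"
    pkla_body > "$PKLA_FILE"
    chmod 0644 "$PKLA_FILE"
    printf '%s\n' "$PKLA_FILE"
}

# Read one key (e.g. ResultActive) back out of a .pkla file, so the setting
# can be checked on a machine without polkit installed.
pkla_result() {
    sed -n "s/^$2=//p" "$1"
}

main() {
    f=$(write_pkla)
    echo "wrote $f:"
    cat "$f"
    # Where polkit is present, ask it what it now thinks; this is the check
    # that matters, since a typo in the action name silently does nothing.
    if command -v pkaction >/dev/null 2>&1; then
        pkaction --verbose --action-id "$ACTION"
    fi
}

# Only modify the system when explicitly asked: ./lock-packagekit.sh apply
if [ "${1:-}" = "apply" ]; then
    main
fi
```

Run it as root with `apply`, then confirm with `pkaction --verbose --action-id org.freedesktop.packagekit.package-install` that the implicit "active" result reads `auth_admin`; if it still shows the old value, the action ID or the override directory differs on your system and the file is simply being ignored. Note that this only covers the signed-package action; unsigned-package installation is a separate action with its own default.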

~~~
dhimes
The way to success as an everyday OS isn't through bad policy, it's through
education and clarity. Put in the right policies but make them easy for the
end user to understand and change. Commands like "restorecon" suck (as an
everyday OS). But if, attached to a mv (or its gui equivalent) was a message:
"the default permissions for this directory are to make the file available to
X, Y, and Z. Would you like to make these files available, too?", it would
work.

Even better is a mv -yes (& gui equivalent) which does it automatically.

------
jrockway
I think this is a good feature. I am often on a client Linux box without root
and need something trivial like mg... but end up having to "install" from
source because I don't have permission to install the package. If I could do
that anyway, that would be good.

I also think packages should install into ~ like this, rather than into the
global system.

------
dhimes
My impression is that fedora isn't really for production boxes anyhow. We have
centos for that.

~~~
benbeltran
If the thing is allow more simplicity for regular users, I think this is OK,
unless someone finds a way to trick the system so it lets someone install
something that isn't signed, and someone will. Probably.

For boxes that need more security, this could be an opt-out feature.

I personally don't like it that much, but I think it's good for people who
don't want to think too much about it. But then again, people not thinking too
much about stuff is why spam is thriving.

