PolicyKit Proliferation is a Security Disaster in the making.

Daniel J Walsh dwalsh at redhat.com
Thu Nov 6 17:04:45 UTC 2008


Currently I am aware of at least 4 "PolicyKit" apps in Fedora 10 with a
lot more on the way.  I believe we are not treating these as the
security vulnerability that they represent.  Now I do NOT believe there
is anything wrong with PolicyKit itself.  The problem is in the apps
that are using it.

Let's take a look at system-config-services.  This service comes up and
prompts me for the root password before I start and stop a service. That
is good, works just like it did when system-config-services used
consolehelper.   Except for one problem, it defaults to a clicked
"Remember authorization" meaning the next time I run
system-config-services it will NOT prompt for the password.  Now there
is a check box for "This session only", but it is defaulted to off also.

So this means that I clicked "Start A service", entered the "Root
Password" and took the default.  Now any process on my desktop has the
ability to start and stop any service on my machine without me even
knowing about it????  There also might be a bug in
system-config-services communications with dbus that would allow me to
spawn a root shell.

This is the equivalent or worse than a setuid app, and yet we do nothing
to control the proliferation of these apps, while we shut down all apps
that setuid!!!!

All PolicyKit apps that require the Admin Password should default to
"For this Session Only", and potentially for this action only.
Consolekit only preserved the authentication for 5 minutes, by default,
now we preserve it forever by default.  The argument can be made that
consolehelper used to be allowed to permanently save the user being
allowed, but this involved an admin editing a file and probably a better
understanding of what he is doing.

SELinux can help a little to mitigate the risk but SELinux is not going
to be running everywhere.   And for something like
system-config-services, SELinux can do almost nothing since the tool
needs to start and stop all services which is a pretty high level of
security.

Fedora Security team should be looking at all packages that get
PolicyKit integration to make sure they are secure, have the correct
PolicyKit authorization, and a security check should be put on the
service side of the app.   I think we should write lint apps to look at
PolicyKit specifications and look for vulnerable xml policy.  Rpmlint
and RPMDiff should run this to make sure apps are secure by default.


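A sketch of the lint check proposed in the message above, as an added example (not part of the original post, and not rpmlint's or PolicyKit's own code). It assumes the PolicyKit 0.9 .policy layout, where each <action> carries a <defaults> element with allow_any / allow_inactive / allow_active; the action ids and the sample policy are constructed.

```python
import xml.etree.ElementTree as ET

# <defaults> values from PolicyKit 0.9 .policy files (assumed format).
# "keep_always" stores the grant permanently; "yes" asks for no authentication.
PERSISTENT = {"auth_self_keep_always", "auth_admin_keep_always"}
SUBJECTS = ("allow_any", "allow_inactive", "allow_active")

def lint_policy(xml_text):
    """Return sorted (action_id, subject, value, problem) tuples."""
    findings = []
    for action in ET.fromstring(xml_text).iter("action"):
        action_id = action.get("id", "<no id>")
        defaults = action.find("defaults")
        if defaults is None:
            continue
        for subject in SUBJECTS:
            value = (defaults.findtext(subject) or "").strip()
            if value in PERSISTENT:
                findings.append((action_id, subject, value, "persistent-grant"))
            elif value == "yes":
                findings.append((action_id, subject, value, "no-authentication"))
    return sorted(findings)

# Constructed sample policy; the action ids are hypothetical.
SAMPLE_POLICY = """
<policyconfig>
  <action id="org.example.services.manage">
    <defaults>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep_always</allow_active>
    </defaults>
  </action>
  <action id="org.example.clock.set">
    <defaults>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep_session</allow_active>
    </defaults>
  </action>
  <action id="org.example.printer.pause">
    <defaults>
      <allow_any>yes</allow_any>
    </defaults>
  </action>
</policyconfig>
"""

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print("%s: <%s>%s -> %s" % finding)
```

A packaging check could run this over every .policy file a package installs and fail the build on any finding that has not been explicitly reviewed.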



