PolicyKit Proliferation is a Security Disaster in the making.

Kevin Fenzi kevin at tummy.com
Mon Nov 10 23:03:43 UTC 2008


On Thu, 06 Nov 2008 12:04:45 -0500
Daniel J Walsh <dwalsh at redhat.com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Currently I am aware of at least 4 "PolicyKit" apps in Fedora 10 with
> a lot more on the way.  I believe we are not treating these as the
> security vulnerability that they represent.  Now I do NOT believe
> there is anything wrong with PolicyKit itself.  The problem is in
> the apps that are using it.

I see 19 packages that drop files in the policykit dir... 

argyllcms-0:1.0.3-1.fc10.x86_64
ConsoleKit-0:0.3.0-2.fc10.x86_64
control-center-1:2.24.0.1-9.fc10.x86_64
DeviceKit-disks-0:002-0.git20080720.fc10.x86_64
DeviceKit-power-0:001-2.fc10.x86_64
GConf2-0:2.24.0-1.fc10.x86_64
gnome-applets-1:2.24.1-1.fc10.x86_64
gnome-lirc-properties-0:0.3.1-1.fc10.noarch
gnome-panel-0:2.24.1-3.fc10.x86_64
gnome-system-monitor-0:2.24.1-1.fc10.x86_64
hal-0:0.5.12-12.20081027git.fc10.x86_64
libvirt-0:0.4.6-3.fc10.x86_64
NetworkManager-1:0.7.0-0.11.svn4229.fc10.x86_64
PackageKit-0:0.3.9-4.fc10.x86_64
pulseaudio-0:0.9.13-6.fc10.x86_64
system-config-samba-0:1.2.66-1.fc10.noarch
system-config-services-0:0.99.25-1.fc10.noarch
thinkfinger-0:0.3-8.fc9.x86_64

> Let's take a look at system-config-services.  This service comes up and
> prompts me for the root password before I start and stop a service.
> That is good, works just like it did when system-config-services used
> consolehelper.   Except for one problem, it defaults to a clicked
> "Remember authorization" meaning the next time I run
> system-config-services it will NOT prompt for the password.  Now there
> is a check box for "This session only"  But it is defaulted to off
> also.

Is that default in the app config? Or in PolicyKit itself?
Ah, looks like the app, so that's bad. :(

> So this means that I clicked "Start A service" Entered the "Root
> Password" and took the default.  Now any process on my desktop has the
> ability to start and stop any service on my machine without me even
> knowing about it????  There also might be a bug in
> system-config-services communications with dbus that would allow me to
> spawn a root shell.
> 
> This is the equivalent of, or worse than, a setuid app, and yet we do
> nothing to control the proliferation of these apps, while we shut
> down all apps that setuid!!!!
> 
> All PolicyKit apps that require the Admin Password should default to
> "For this Session Only", and potentially for this action only.
> Consolekit only preserved the authentication for 5 minutes, by
> default, now we preserve it for ever by default.  The argument can
> be made that consolehelper used to be allowed to permanently save the
> user being allowed, but this involved an admin editing a file and
> probably a better understanding of what he is doing.

Perhaps a few minutes and something like when the screensaver starts it
automatically removes all current auths?

> SELinux can help a little to mitigate the risk but SELinux is not
> going to be running everywhere.   And for something like
> system-config-services, SELinux can do almost nothing since the tool
> needs to start and stop all services which is a pretty high level of
> security.
> 
> Fedora Security team should be looking at all packages that get
> PolicyKit integration to make sure they are secure, have the correct
> PolicyKit authorization, and a security check should be put on the
> service side of the app.   I think we should write lint apps to look
> at PolicyKit specifications and look for vulnerable xml policy.
> Rpmlint and RPMDiff should run this to make sure apps are secure by
> default.

Yeah, I agree.

I was going to suggest that this discussion should take place on an
upstream PolicyKit list, but I can't seem to find one anywhere. ;( 

kevin
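A minimal version of the policy lint Dan proposes above, as an added example that is not part of this thread, of PolicyKit, or of rpmlint: it parses a constructed PolicyKit 0.9-style .policy file and flags actions whose defaults grant the action without authentication or remember the admin authorization indefinitely (the auth_admin_keep_always default behind the "Remember authorization" box). The action ids and the sample file are constructed; the default value names are assumed to match the PolicyKit of that era.

```python
"""Lint PolicyKit 0.9-era .policy XML files for weak default authorizations."""
import xml.etree.ElementTree as ET

# Default values the thread considers unsafe (assumed PolicyKit 0.9 names).
WEAK_DEFAULTS = {
    "yes": "action allowed with no authentication at all",
    "auth_admin_keep_always": "admin authorization remembered indefinitely",
    "auth_self_keep_always": "user authorization remembered indefinitely",
}
# Values that require a password each time or only for the current session.
ACCEPTABLE = {"no", "auth_self", "auth_admin",
              "auth_self_keep_session", "auth_admin_keep_session"}
DEFAULT_ELEMENTS = ("allow_any", "allow_inactive", "allow_active")

# Constructed sample: one action keeps the admin auth forever, one per session.
SAMPLE_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<policyconfig>
  <action id="org.example.services.manage">
    <description>Start and stop system services (constructed)</description>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep_always</allow_active>
    </defaults>
  </action>
  <action id="org.example.services.list">
    <defaults>
      <allow_active>auth_admin_keep_session</allow_active>
    </defaults>
  </action>
</policyconfig>
"""


def lint_policy(xml_text):
    """Return (action_id, element, value, reason) for every risky default."""
    findings = []
    for action in ET.fromstring(xml_text).iter("action"):
        action_id = action.get("id", "<missing id>")
        defaults = action.find("defaults")
        for elem in DEFAULT_ELEMENTS:
            node = defaults.find(elem) if defaults is not None else None
            # An absent element is treated as "no" (the implied default).
            value = (node.text or "").strip() if node is not None else "no"
            if value in WEAK_DEFAULTS:
                findings.append((action_id, elem, value, WEAK_DEFAULTS[value]))
            elif value not in ACCEPTABLE:
                findings.append((action_id, elem, value, "unknown value"))
    return findings


if __name__ == "__main__":
    for action_id, elem, value, reason in lint_policy(SAMPLE_POLICY):
        print(f"{action_id}: <{elem}> is '{value}' ({reason})")
```

Run against a package's installed .policy files, this is the kind of check rpmlint or RPMDiff could apply at build time.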