Arch Linux

Aqa-Ib

Member

Registered: 2016-05-02

Posts: 8

Muon and "gnome-software" have root privileges on my system.

Hello,

I have installed Muon (plasma discover and muon updater) through the package "discover" in the community repository. Currently on my system the behaviour is that I can install new software with plasma discover and that I can upgrade the system with muon updater without entering the password for sudo or root. It has root privileges on my system without entering any password.

With "gnome-software" I can install software without entering the password too.
I don't know what is the backend of both gnome software and muon, but I think that it is packagekit. Maybe its packagekit who has root privileges.

Is this behaviour normal? or it only happens on my system?

Regards,
Aqa-Ib.

Last edited by Aqa-Ib (2016-08-16 23:28:59)

Stefan Husmann

Member

From: Germany

Registered: 2007-08-07

Posts: 1,391

Re: Muon and "gnome-software" have root privileges on my system.

I do not know the software, but I would guess it installs to your users's home-directory or some subdirectory there. Did you explore your home directory?

Aqa-Ib

Member

Registered: 2016-05-02

Posts: 8

Re: Muon and "gnome-software" have root privileges on my system.

I do not know the software, but I would guess it installs to your users's home-directory or some subdirectory there. Did you explore your home directory?

It installs the software to /usr/bin, etc, just like pacman -S does, and also upgrades the system's root files, like pacman -Syu does.

I think that this is a big security vulnerability, but I want you to confirm if it happens on your system too.

Regards.

Last edited by Aqa-Ib (2016-08-16 23:28:28)

Lone_Wolf

Forum Moderator

From: Netherlands, Europe

Registered: 2005-10-04

Posts: 11,922

Re: Muon and "gnome-software" have root privileges on my system.

Is your normal user a member of the wheel group ?

check /usr/share/polkit-1/rules.d/org.freedesktop.packagekit.rules

---

Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.

(A works at time B)  && (time C > time B ) ≠  (A works at time C)

Aqa-Ib

Member

Registered: 2016-05-02

Posts: 8

Re: Muon and "gnome-software" have root privileges on my system.

Yes, my normal user is a member of the wheel group. I have checked that file and it seems OK as far as I can understand:

polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.packagekit.package-install" &&
        subject.active == true && subject.local == true &&
        subject.isInGroup("wheel")) {
            return polkit.Result.YES;
    }
});

The problem is that muon (discover) and gnome-software don't ask for the password and they have root privileges without it.

It is interesting that discover and gnome-software actually ask for the password when I try to remove some software.

Can anyone try discover or gnome-software on their system please?

Thanks.

Last edited by Aqa-Ib (2016-08-17 02:22:19)

Lone_Wolf

Forum Moderator

From: Netherlands, Europe

Registered: 2005-10-04

Posts: 11,922

Re: Muon and "gnome-software" have root privileges on my system.

That file causes the behaviour you see and is far from ok in my book .

both discover and gnome-software use packagekit to interact with your OS / package manager .
packagekit uses polkit to determine what privileges actions are run with.

Compare https://wiki.archlinux.org/index.php/Polkit#Globally with /usr/share/polkit-1/rules.d/org.freedesktop.packagekit.rules .

That rule results in allowing active & locally logged in members of group wheel to run "org.freedesktop.packagekit.package-install"
as admin without needing authentication (no password required) .

A simple test to find out if /usr/share/polkit-1/rules.d/org.freedesktop.packagekit.rules is indeed the cuplrit is to remove that file temporarily and check whether  discover/gnome-software now do ask for pasword on install actions.

---

Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.

(A works at time B)  && (time C > time B ) ≠  (A works at time C)

Aqa-Ib

Member

Registered: 2016-05-02

Posts: 8

Re: Muon and "gnome-software" have root privileges on my system.

OK, you are right Lone_Wolf, removing that file now it asks for the password when installing software.

I think that the problem with upgrading the system without password is in this file:
/usr/share/polkit-1/actions/org.freedesktop.packagekit.policy
Section:  <action id="org.freedesktop.packagekit.system-update">
And change: <allow_active>yes</allow_active> to <allow_active>auth_admin</allow_active>
I think that this will solve the problem with upgrading, I will try when I have an upgrade.

May I report this issue as a security bug against packagekit? Or do you think that this issue doesn't compromise the security of the system?

Thank you Lone_Wolf.
Regards,
Aqa-Ib

Last edited by Aqa-Ib (2016-08-18 15:45:10)

Lone_Wolf

Forum Moderator

From: Netherlands, Europe

Registered: 2005-10-04

Posts: 11,922

Re: Muon and "gnome-software" have root privileges on my system.

Upstream seems to disagree with those settings being security bugs .

<action id="org.freedesktop.packagekit.system-update">
    <!-- SECURITY:
          - Normal users do not require admin authentication to update the
            system as the packages will be signed, and the action is required
            to update the system when unattended.
          - Changing this to anything other than 'yes' will break unattended
            updates.
     -->

Maybe packagekit devs are more interested in running ootb without user configuration  then in security.

Last edited by Lone_Wolf (2016-08-18 08:43:48)

---

Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.

(A works at time B)  && (time C > time B ) ≠  (A works at time C)

Aqa-Ib

Member

Registered: 2016-05-02

Posts: 8

Re: Muon and "gnome-software" have root privileges on my system.

With that called change to /usr/share/polkit-1/actions/org.freedesktop.packagekit.policy, now it ask for password when upgrading the system.

It is confusing that there are two differents policies: one for upgrading the system and another for updating the system. I don't know what is the function of "org.freedesktop.packagekit.upgrade-system", because it is "org.freedesktop.packagekit.system-update" who upgrades the system.
--------------------------

<action id="org.freedesktop.packagekit.system-update">
    <!-- SECURITY:
          - Normal users do not require admin authentication to update the
            system as the packages will be signed, and the action is required
            to update the system when unattended.
          - Changing this to anything other than 'yes' will break unattended
            updates.
     -->

Well. So the developers of packagekit think that. But what do you think?
- Installing software from the repositories without entering the root password is a security issue or not?
- Upgrading the system without entering the root password is a security issue or not?

Last edited by Aqa-Ib (2016-08-18 21:46:10)

eschwartz

Fellow

Registered: 2014-08-08

Posts: 4,097

Re: Muon and "gnome-software" have root privileges on my system.

The important thing is that Ubuntu users should not have to be bothered with confusing password prompts. So obviously, this isn't a security issue.

Why would anyone ever feel the need to watch what a `pacman -Syu` does anyway, right?

...

Maybe the separate update/upgrade policies are for distros that have the concept of a dist-upgrade. Arch Linux doesn't have "versions" though.

---

Managing AUR repos The Right Way -- aurpublish (now a standalone tool)

Lone_Wolf

Forum Moderator

From: Netherlands, Europe

Registered: 2005-10-04

Posts: 11,922

Re: Muon and "gnome-software" have root privileges on my system.

But what do you think?
- Installing software from the repositories without entering the root password is a security issue or not?
- Upgrading the system without entering the root password is a security issue or not?

I think both are severe security issues.
In my opinion a program like packagekit should BY DEFAULT require admin authentication for every action that changes anything outside /home/$USER/ .
packagekit devs should implement that and provide example files with relaxed permissions for users/distros that prefer less secure but easier methods.
If packagekit devs don't do that, then AL packagekit package should correct that.

However, I'm just an AL user .
I've seen (and was involved in a few) too many security related bug reports (speaking in general, not just arch ) where upstream were treated as supreme beings that are always right.

If someone files a bug for this,i'll definitely vote for it/support it.

---

Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.

(A works at time B)  && (time C > time B ) ≠  (A works at time C)

Aqa-Ib

Member

Registered: 2016-05-02

Posts: 8

Re: Muon and "gnome-software" have root privileges on my system.

OK, thank you very much Lone_Wolf.

Aqa-Ib

Member

Registered: 2016-05-02

Posts: 8

Re: Muon and "gnome-software" have root privileges on my system.

Here is the bug report:
https://bugs.archlinux.org/task/50459