Hello,
I have installed Muon (plasma discover and muon updater) through the package "discover" in the community repository. Currently on my system the behaviour is that I can install new software with plasma discover and that I can upgrade the system with muon updater without entering the password for sudo or root. It has root privileges on my system without entering any password.
With "gnome-software" I can install software without entering the password too.
I don't know what the backend of both gnome software and muon is, but I think that it is packagekit. Maybe it's packagekit that has root privileges.
Is this behaviour normal, or does it only happen on my system?
Regards,
Aqa-Ib.
Last edited by Aqa-Ib (2016-08-16 23:28:59)
I do not know the software, but I would guess it installs to your user's home directory or some subdirectory there. Did you explore your home directory?
I do not know the software, but I would guess it installs to your user's home directory or some subdirectory there. Did you explore your home directory?
It installs the software to /usr/bin, etc, just like pacman -S does, and also upgrades the system's root files, like pacman -Syu does.
I think that this is a big security vulnerability, but I want you to confirm if it happens on your system too.
Regards.
Last edited by Aqa-Ib (2016-08-16 23:28:28)
Is your normal user a member of the wheel group?
Check /usr/share/polkit-1/rules.d/org.freedesktop.packagekit.rules
Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.
(A works at time B) && (time C > time B ) ≠ (A works at time C)
Yes, my normal user is a member of the wheel group. I have checked that file and it seems OK as far as I can understand:
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.packagekit.package-install" &&
        subject.active == true && subject.local == true &&
        subject.isInGroup("wheel")) {
            return polkit.Result.YES;
    }
});
The problem is that muon (discover) and gnome-software don't ask for the password and they have root privileges without it.
It is interesting that discover and gnome-software actually ask for the password when I try to remove some software.
Can anyone try discover or gnome-software on their system please?
Thanks.
Last edited by Aqa-Ib (2016-08-17 02:22:19)
That file causes the behaviour you see and is far from OK in my book.
Both discover and gnome-software use packagekit to interact with your OS / package manager.
packagekit uses polkit to determine what privileges actions are run with.
Compare https://wiki.archlinux.org/index.php/Polkit#Globally with /usr/share/polkit-1/rules.d/org.freedesktop.packagekit.rules.
That rule results in allowing active & locally logged in members of group wheel to run "org.freedesktop.packagekit.package-install" as admin without needing authentication (no password required).
A simple test to find out if /usr/share/polkit-1/rules.d/org.freedesktop.packagekit.rules is indeed the culprit is to remove that file temporarily and check whether discover/gnome-software now do ask for a password on install actions.
OK, you are right Lone_Wolf, removing that file now it asks for the password when installing software.
I think that the problem with upgrading the system without password is in this file:
/usr/share/polkit-1/actions/org.freedesktop.packagekit.policy
Section: <action id="org.freedesktop.packagekit.system-update">
And change: <allow_active>yes</allow_active> to <allow_active>auth_admin</allow_active>
I think that this will solve the problem with upgrading, I will try when I have an upgrade.
May I report this issue as a security bug against packagekit? Or do you think that this issue doesn't compromise the security of the system?
Thank you Lone_Wolf.
Regards,
Aqa-Ib
Last edited by Aqa-Ib (2016-08-18 15:45:10)
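An added example, not from the thread or from PackageKit: files under /usr/share/polkit-1/ belong to the package and are replaced on upgrade, so the same effect can be had with a local rule in /etc/polkit-1/rules.d/. polkitd reads .rules files in lexical order of their base names and the first rule that returns a value decides, so a file named 00-packagekit-auth.rules (a hypothetical name) is consulted before org.freedesktop.packagekit.rules. The `polkit` stand-in, `evaluate` and the sample subject are constructed here so the ordering can be checked under Node.

```javascript
// Constructed stand-in for the `polkit` object that polkitd gives to .rules files.
const chain = [];
const polkit = {
    Result: { YES: "yes", AUTH_ADMIN: "auth_admin" },
    addRule: (fn) => chain.push(fn),
};

// --- begin /etc/polkit-1/rules.d/00-packagekit-auth.rules (hypothetical name) ---
// Require admin authentication for the two actions discussed in the thread.
polkit.addRule(function (action, subject) {
    var guarded = [
        "org.freedesktop.packagekit.package-install",
        "org.freedesktop.packagekit.system-update",
    ];
    if (guarded.indexOf(action.id) !== -1) {
        return polkit.Result.AUTH_ADMIN;
    }
});
// --- end of local rule file ---

// --- /usr/share/polkit-1/rules.d/org.freedesktop.packagekit.rules, as quoted above ---
polkit.addRule(function (action, subject) {
    if (action.id == "org.freedesktop.packagekit.package-install" &&
        subject.active == true && subject.local == true &&
        subject.isInGroup("wheel")) {
        return polkit.Result.YES;
    }
});

// Walk the rules in load order; the first returned value wins. If no rule
// answers, the implicit default from the .policy file applies.
function evaluate(rules, actionId, subject, policyDefault) {
    for (const rule of rules) {
        const result = rule({ id: actionId }, subject);
        if (result) return result;
    }
    return policyDefault;
}

// Constructed subject: active, local session of a member of group wheel.
const wheelUser = { active: true, local: true, isInGroup: (g) => g === "wheel" };
const INSTALL = "org.freedesktop.packagekit.package-install";
const UPDATE = "org.freedesktop.packagekit.system-update";
```

After installing the real rule file, `pkaction --verbose --action-id org.freedesktop.packagekit.system-update` shows the packaged implicit defaults that the rule now overrides.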
Upstream seems to disagree with those settings being security bugs.
<action id="org.freedesktop.packagekit.system-update">
  <!-- SECURITY:
       - Normal users do not require admin authentication to update the
         system as the packages will be signed, and the action is required
         to update the system when unattended.
       - Changing this to anything other than 'yes' will break unattended
         updates.
   -->
Maybe packagekit devs are more interested in running ootb without user configuration than in security.
Last edited by Lone_Wolf (2016-08-18 08:43:48)
With that change to /usr/share/polkit-1/actions/org.freedesktop.packagekit.policy, it now asks for the password when upgrading the system.
It is confusing that there are two different policies: one for upgrading the system and another for updating the system. I don't know what the function of "org.freedesktop.packagekit.upgrade-system" is, because it is "org.freedesktop.packagekit.system-update" that upgrades the system.
--------------------------
<action id="org.freedesktop.packagekit.system-update">
  <!-- SECURITY:
       - Normal users do not require admin authentication to update the
         system as the packages will be signed, and the action is required
         to update the system when unattended.
       - Changing this to anything other than 'yes' will break unattended
         updates.
   -->
Well. So the developers of packagekit think that. But what do you think?
- Installing software from the repositories without entering the root password is a security issue or not?
- Upgrading the system without entering the root password is a security issue or not?
Last edited by Aqa-Ib (2016-08-18 21:46:10)
The important thing is that Ubuntu users should not have to be bothered with confusing password prompts. So obviously, this isn't a security issue.
Why would anyone ever feel the need to watch what a `pacman -Syu` does anyway, right?
...
Maybe the separate update/upgrade policies are for distros that have the concept of a dist-upgrade. Arch Linux doesn't have "versions" though.
Managing AUR repos The Right Way -- aurpublish (now a standalone tool)
But what do you think?
- Installing software from the repositories without entering the root password is a security issue or not?
- Upgrading the system without entering the root password is a security issue or not?
I think both are severe security issues.
In my opinion a program like packagekit should BY DEFAULT require admin authentication for every action that changes anything outside /home/$USER/.
packagekit devs should implement that and provide example files with relaxed permissions for users/distros that prefer less secure but easier methods.
If packagekit devs don't do that, then the AL packagekit package should correct that.
However, I'm just an AL user.
I've seen (and was involved in a few) too many security related bug reports (speaking in general, not just Arch) where upstream were treated as supreme beings that are always right.
If someone files a bug for this, I'll definitely vote for it/support it.
OK, thank you very much Lone_Wolf.
Here is the bug report:
https://bugs.archlinux.org/task/50459