The changes to package kit which allows non privileged users to install fedora signed packages without escalation privileges makes me glad I'm not a fedora user. There is just a crapton of potential for breakage and security abuse bundled in here and since I'm a reasonable fellow I will even supply some examples
Imagine if you will that a new zero day exploit is found in packageX.
This particular exploit is a local root exploit, but the package isn't
on the system, but fear not, there is currently no patched package
available. Easy-peasy..1..2..3;
Oh noes, a new firefox exploit allows arbitrary code execution. Cool, now a drive by exploit can install packages since it's running in the context of the authenticated use. Que forward to installation and exploitation of the installed package ftw! Now a malicious Russian named Igor has his claws in your kernel.
It doesn't even have to be a local exploit, there are a large number of packages that you wouldn't want your users running in an enterprise which they can now easily install and execute. Sure, you can change the behavior you say, BUT I shouldn't have to!
To be perfectly honest, I don't mind the package existing. However I think that like apache, it should default to secure practices, and if you wish to allow things like running apache as root you have to go out of the way and compile it with the -DBIG_SECURITY_HOLE flag.
- Install vulnerable package without being root
- Exploit package
- Install rootkit
- ????
- PROFIT!!!!
Oh noes, a new firefox exploit allows arbitrary code execution. Cool, now a drive by exploit can install packages since it's running in the context of the authenticated use. Que forward to installation and exploitation of the installed package ftw! Now a malicious Russian named Igor has his claws in your kernel.
It doesn't even have to be a local exploit, there are a large number of packages that you wouldn't want your users running in an enterprise which they can now easily install and execute. Sure, you can change the behavior you say, BUT I shouldn't have to!
To be perfectly honest, I don't mind the package existing. However I think that like apache, it should default to secure practices, and if you wish to allow things like running apache as root you have to go out of the way and compile it with the -DBIG_SECURITY_HOLE flag.
