Bug 1388034

Summary: Bash/DNF Security Bypass
Product: [Fedora] Fedora
Reporter: customercare
Component: PackageKit
Assignee: Richard Hughes <rhughes>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: 23
CC: jonathan, klember, ooprala, rdieter, rhughes, sheltren, smparrish, ville.skytta
Hardware: x86_64   
OS: Linux   
Last Closed: 2016-10-24 10:00:00 UTC
Type: Bug

Description customercare 2016-10-24 09:36:19 UTC
Description of problem:

It's possible to bypass the security around dnf by entering known commands into bash, to let the package get installed, even if root would not allow it.

This should not be possible.


Version-Release number of selected component (if applicable):

bash-4.3.42-5.fc23.x86_64
bash-completion-2.1-8.20150513git1950590.fc23.noarch
dnf-1.1.10-1.fc23.noarch
dnf-conf-1.1.10-1.fc23.noarch
dnfdaemon-0.3.16-1.fc23.noarch
dnf-plugin-system-upgrade-0.7.1-1.fc23.noarch
dnf-yum-1.1.10-1.fc23.noarch
python2-dnf-1.1.10-1.fc23.noarch
python2-dnf-plugin-system-upgrade-0.7.1-1.fc23.noarch
python3-dnf-1.1.10-1.fc23.noarch
python3-dnfdaemon-0.3.16-1.fc23.noarch
python3-dnf-plugin-system-upgrade-0.7.1-1.fc23.noarch
yumex-dnf-4.1.6-1.fc23.noarch


How reproducible:


Sorry, the system output is in German, but you should catch the important part:
the installation is done without a password, but the erase is denied due to lack of root privileges.

[marius@eve ~]$ elinks  "https://www.stadehandball.de/?action=results&tabtype=0&file=ol-16-17.l98&st=8" 
bash: elinks: Befehl nicht gefunden...
Soll das Paket »elinks« installiert werden, welches den Befehl »elinks« bereitstellt? [N/y] y


 * Warten in Warteschlange... 
Die folgenden Pakete müssen installiert werden:
 elinks-0.12-0.47.pre6.fc23.x86_64	A text-mode Web browser
Mit Änderungen fortfahren? [N/y] y


 * Warten in Warteschlange... 
 * Warten auf Legitimation... 
 * Warten in Warteschlange... 
 * Pakete werden heruntergeladen... 
 * Daten werden abgefragt... 
 * Änderungen werden getestet... 
 * Pakete werden installiert... (packages get installed)
 
[marius@eve ~]$ dnf erase elinks
Abhängigkeiten sind aufgelöst.
================================================================================================================================================================================================================================================================================
 Package                                                       Arch                                                          Version                                                                       Paketquelle                                                    Größe
================================================================================================================================================================================================================================================================================
Entfernen:
 elinks                                                        x86_64                                                        0.12-0.47.pre6.fc23                                                           @fedora                                                        2.9 M

Transaktionsübersicht
================================================================================================================================================================================================================================================================================
Entfernen  1 Paket

Installationsgröße: 2.9 M
Ist dies in Ordnung? [j/N]: j
Transaktionsüberprüfung wird ausgeführt
Transaktionsprüfung war erfolgreich.
Transaktion wird getestet
Transaktionstest war erfolgreich.
Transaktion wird ausgeführt
Transaktionssperre kann nicht erhalten werden (angemeldet als: marius).
Fehler: Transaktion konnte nicht durchgeführt werden.
[marius@eve ~]$ 


Actual results:

root password is not asked to install a package

Expected results:

root password is asked OR the entire request context is skipped, because the user does not have admin rights.

Additional info:

The user "marius" is the "default" user to open the desktop session with, which means he's auto-logged in.

Comment 1 customercare 2016-10-24 09:40:04 UTC
Wasn't there a "private" flag once, to set bugs as security sensitive?

Comment 2 Ville Skyttä 2016-10-24 09:47:02 UTC
I don't think this has anything to do with bash-completion, and I believe the command not found -> install bash hook is actually implemented in PackageKit, not dnf. Reassigning for comments if the described functionality is intentional (please re-reassign to something else if PK is not the correct component).

Comment 3 Rex Dieter 2016-10-24 10:00:00 UTC
It is by design for 'admin' users (members of wheel group), see:

https://fedoraproject.org/wiki/Privilege_escalation_policy

In particular,

"Add, remove, or downgrade any system-wide application or shared resource (packaged or otherwise), with the exception that for installing Fedora-signed packages from administrator-configured repositories, the requirement to ask for a password is waived for members of the wheel group who are local and active."
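
Added example (not part of the bug report and not Fedora's shipped rule file): the waiver quoted in Comment 3, written as a polkit JavaScript rule, beside an administrator override that asks for a password again. `org.freedesktop.packagekit.package-install` is PackageKit's install action; the stand-in engine, the sample subjects and the `auth_admin` fallback are assumptions so the rules can be run under Node.

```javascript
// Stand-in for polkitd's rule engine (assumption, for running under Node).
// Real rules live in /etc/polkit-1/rules.d/*.rules and use the global `polkit`.
function makeEngine() {
  const rules = [];
  return {
    Result: { YES: "yes", AUTH_ADMIN: "auth_admin" },
    addRule(fn) { rules.push(fn); },
    // Rules run in the order they were added; the first non-null answer wins.
    check(actionId, subject, fallback) {
      for (const rule of rules) {
        const answer = rule({ id: actionId }, subject);
        if (answer) return answer;
      }
      return fallback; // implicit default from the action's .policy file
    },
  };
}
const INSTALL = "org.freedesktop.packagekit.package-install";

// Admin override: always ask for an administrator password before installing.
function requireAuth(polkit) {
  polkit.addRule(function (action, subject) {
    if (action.id == INSTALL) return polkit.Result.AUTH_ADMIN;
  });
}

// The waiver as Comment 3 describes it: wheel member, local and active session.
function wheelWaiver(polkit) {
  polkit.addRule(function (action, subject) {
    if (action.id == INSTALL && subject.local && subject.active &&
        subject.isInGroup("wheel")) return polkit.Result.YES;
  });
}

// Constructed sample subjects; `groups` only backs the isInGroup() stub.
function makeSubject(user, groups, local, active) {
  return { user, local, active, isInGroup: (g) => groups.includes(g) };
}

function decide(hardened, subj) {
  const polkit = makeEngine();
  if (hardened) requireAuth(polkit); // sorts first, e.g. a 00-*.rules file
  wheelWaiver(polkit);
  return polkit.check(INSTALL, subj, "auth_admin"); // fallback is assumed
}

const desktop = makeSubject("alice", ["wheel"], true, true);  // auto-logged-in admin
const remote = makeSubject("alice", ["wheel"], false, true);  // same user, not local
const guest = makeSubject("guest", [], true, true);           // not in wheel
console.log(decide(false, desktop), decide(true, desktop), decide(false, remote));
```

On a real system only the function passed to `polkit.addRule` in `requireAuth` goes into a rules file, named so that it sorts ahead of the distribution's rule.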