Bug 470329 - PolicyKit has insecure defaults
Product: Fedora
Classification: Fedora
Component: PolicyKit
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: David Zeuthen
QA Contact: Fedora Extras Quality Assurance
Duplicates: 470330
Blocks: F10Blocker/F10FinalBlocker
Reported: 2008-11-06 13:57 EST by Daniel Walsh
Modified: 2013-03-05 22:57 EST (History)
Doc Type: Bug Fix
Last Closed: 2008-11-13 14:25:42 EST

Description Daniel Walsh 2008-11-06 13:57:45 EST
Description of problem:

You should default to not save for the session and only for this session buttons.

Administrators should be forced to click retain for the session and turn off only for this session.

That way clicking the ok button is not insecure by default.
Comment 1 Nils Philippsen 2008-11-07 08:13:26 EST
*** Bug 470330 has been marked as a duplicate of this bug. ***
Comment 2 Nils Philippsen 2008-11-07 08:16:46 EST
I can specify that I want the authorizations for my actions retainable
forever, for the session or not at all (depending on whether or not the
user is in a session, whether it is active or not, etc.). To my
knowledge, there is no way I can say that it should offer the
possibility to retain, but not select it by default, and this is
intentionally so, see
for the reasoning.

If it is possible to specify defaults different from that I'd like to
learn about it.

Changing component to PolicyKit.
Comment 3 Daniel Walsh 2008-11-07 08:42:57 EST
Nils I talked to Jon Blandford and David Z and we came to the conclusion that you should just give them the right to hold to the end of the session.

Admin Authentication

I think that is correct.  So I run system-config-*, I give the root password, and when system-config-* exits I lose the authentication, requiring me to reauthenticate next time I run the app.
Comment 4 Will Woods 2008-11-12 12:59:26 EST
Does this require policy changes, or code changes as well? Has anyone crafted a patch to policy/etc. for this?
Comment 5 Nils Philippsen 2008-11-13 10:26:15 EST
This requires policy changes, not code.

As it is now, for potentially harmful operations (i.e. something that changes the system instead of only retrieving information), I don't consider it safe to retain authorizations (be it for the remainder of the session or else) so I've changed the default policy for both -services and -samba to "auth_admin" which ties the authorization to that specific process. New versions have built or are building right now and I'll try to get them in for f10-final.

This still needs some scrutiny from the PolicyKit POV, i.e. what to do about {user,admin}_keep_{session,always}.
Comment 6 Will Woods 2008-11-13 12:42:38 EST
Daniel, is this bug specifically about system-config-{samba,services} defaulting to retain authentication permanently? Can we close once we have builds for those two packages?

If not - when does this stop being a blocker for F10 release?
Comment 7 Will Woods 2008-11-13 14:02:49 EST
Tags requested for new s-c-{samba,services} packages. Moving to MODIFIED.
Comment 8 Daniel Walsh 2008-11-13 14:19:21 EST
Yes this is specific to the two packages.
Comment 9 Will Woods 2008-11-13 14:25:42 EST
Good deal. Packages built, signed and tagged:

Comment 10 Nils Philippsen 2008-11-14 04:44:01 EST
(In reply to comment #8)
> Yes this is specific to the two packages.

No, it's not: I changed the PK default policy for both from auth_admin_keep_always to auth_admin only as a workaround. Using auth_admin limits the authorization to a specific running process and seemed the only sane way to save users from inadvertently opening up the ability to manipulate services/samba to every program the user is running (we were talking about malware in that context).

At the moment, auth_{user,admin}_keep_{session,always} don't make much sense to me because either an action is innocent enough to not require any more credentials than already being in an authenticated session, or if it's not, it's too dangerous to keep the authentication because there's no way to keep potential malware from abusing it.

Shall I open up a new Bugzilla for that or can we just recycle this one? This is something that should be solved by F11/RHEL6.
Comment 11 Nils Philippsen 2008-11-14 04:45:30 EST
"...it's too dangerous to keep the authorization..." obviously
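The workaround described in comments 5 and 10 is a one-word change in the action's `<defaults>` block of its .policy file: `auth_admin_keep_always` lets the admin password typed once be reused by any process in the user's session, while `auth_admin` ties the authorization to the single process that asked. The following is an added example, not code from this bug, from system-config-{services,samba} or from PolicyKit itself: it embeds a constructed policy file with the weak default, the corrected version, and a small lint that flags every default that retains authorizations. The action id `org.example.config.services.set` is made up. The check also recognises the shortened polkit-1 spellings (`auth_admin_keep`, `auth_self_keep`), which go beyond the 0.9-era names used in this thread.

```python
"""Lint PolicyKit .policy files for retained-authorization defaults.

Added example, not code from the bug report or from PolicyKit. The action
id and the two policy documents below are constructed for this example.
"""
import glob
import os
import xml.etree.ElementTree as ET

# <defaults> values that let one authentication be reused by other processes
# in the same session.  First four are PolicyKit 0.9 names (the ones this bug
# discusses); the last two are the shortened polkit-1 equivalents.
RETAINED = {
    "auth_self_keep_session", "auth_self_keep_always",
    "auth_admin_keep_session", "auth_admin_keep_always",
    "auth_self_keep", "auth_admin_keep",
}

# Constructed policy with the weak default: one root password entry stays
# valid for every process the user runs, for the whole session or forever.
WEAK_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<policyconfig>
  <vendor>Example (hypothetical)</vendor>
  <action id="org.example.config.services.set">
    <description>Change service configuration</description>
    <message>Authentication is required to change service configuration</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep_always</allow_active>
    </defaults>
  </action>
</policyconfig>
"""

# Corrected policy: auth_admin binds the authorization to the requesting
# process, so it dies with that process and cannot be borrowed by another.
FIXED_POLICY = WEAK_POLICY.replace("auth_admin_keep_always", "auth_admin")


def retained_defaults(policy_xml):
    """Return [(action_id, default_element, value)] for every default in the
    document whose value keeps the authorization beyond a single process."""
    findings = []
    root = ET.fromstring(policy_xml)
    for action in root.iter("action"):
        action_id = action.get("id", "<no id>")
        defaults = action.find("defaults")
        if defaults is None:
            continue
        for elem in ("allow_any", "allow_inactive", "allow_active"):
            node = defaults.find(elem)
            value = (node.text or "").strip() if node is not None else ""
            if value in RETAINED:
                findings.append((action_id, elem, value))
    return findings


def lint_policy_dir(directory):
    """Run retained_defaults() over every *.policy file in a directory and
    return {filename: findings} for files that have at least one finding."""
    report = {}
    for path in sorted(glob.glob(os.path.join(directory, "*.policy"))):
        with open(path, "rb") as fh:
            hits = retained_defaults(fh.read())
        if hits:
            report[os.path.basename(path)] = hits
    return report


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        print(label, retained_defaults(doc))
    # On a real system the installed policies live here; the name is the
    # PolicyKit 0.9 layout, polkit-1 uses /usr/share/polkit-1/actions.
    print(lint_policy_dir("/usr/share/PolicyKit/policy"))
```

Note that the lint only inspects the shipped defaults; a local override (polkit-auth grants, or later authority .pkla/.rules files) can still widen an action, so the check is a packaging review aid, not proof of what a running system allows.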
Comment 12 Bill Nottingham 2008-11-14 11:11:56 EST
New bug, please.
Comment 13 Kevin Kofler 2008-11-14 19:07:18 EST
Always this security paranoia... If people want to retain their authorization forever, they should be allowed to (no matter how insecure it is), it's their system (or else they can't authenticate with the root password in the first place!).
Comment 14 Daniel Walsh 2008-11-17 15:48:00 EST
There is nothing preventing them from going in and doing just what you want.  They can log in as root, run with no password.  I don't care.

But we, Fedora, should not make it easy for them to do this by mistake.