[opensuse] Allowing local users to install software via polkit/packagekit results in unsigned packages being installable
Dear list-subscribers,

my fellow IT administrators and I are considering the option of allowing our users to install additional software present in already added, official repositories or software that is signed with already trusted keys. We are in the process of updating all clients to openSUSE 13.1.

To get this functionality, we changed a file in /etc/polkit-1/localauthority and set ResultActive to yes (instead of auth_admin) for org.freedesktop.packagekit.package-install -only-. (I'm not 100% sure about the filename as I have limited access to our test environment right now.) We changed nothing for org.freedesktop.packagekit.package-install-untrusted, leaving it to ask for the root password before installing "untrusted" software (as far as I understood polkit).

Sadly, a freshly installed system (via autoyast, mostly vanilla with KDE4 pattern) with the mentioned change seems to allow our users to install arbitrary rpm packages. We tested this by downloading a few RPMs from random, not openSUSE related websites, and by trying to install this package http://download.opensuse.org/repositories/home:/AndSee/openSUSE_13.1_Update_... which is signed with a key that shouldn't be trusted by default.

I'm not entirely sure what to do at this point to circle in on the problem. We don't want users (or exploits...) to be able to install unsigned packages. As we are using autoyast, we aren't ruling out that our current autoyast.xml file might alter some openSUSE settings permanently, but from our understanding, settings described there should only apply to the "live system" used to install the system.

Relevant part of autoyast.xml:

  <general>
    ...
    <signature-handling>
      <accept_file_without_checksum config:type="boolean">false</accept_file_without_checksum>
      <accept_non_trusted_gpg_key config:type="boolean">false</accept_non_trusted_gpg_key>
      <accept_unknown_gpg_key config:type="boolean">false</accept_unknown_gpg_key>
      <accept_unsigned_file config:type="boolean">false</accept_unsigned_file>
      <accept_verification_failed config:type="boolean">true</accept_verification_failed>
      <import_gpg_key config:type="boolean">true</import_gpg_key>
    </signature-handling>
  </general>

Any pointers are greatly appreciated, especially to official documentation for packagekit/polkit if they describe install-packages and install-packages-untrusted in detail.

Andreas
-- 
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On Wed, Mar 12, 2014 at 04:58:42PM +0100, Andreas Seeg wrote:
> Dear list-subscribers,
> my fellow IT administrators and I are considering the option of allowing our users to install additional software present in already added, official repositories or software that is signed with already trusted keys. We are in the process of updating all clients to openSUSE 13.1.
> To get this functionality, we changed a file in /etc/polkit-1/localauthority and set
> ResultActive to yes (instead of auth_admin) for org.freedesktop.packagekit.package-install -only-. (I'm not 100% sure about the filename as I have limited access to our test environment right now.)

Interesting that this worked, as polkit has dropped the localauthority backend and only does javascript rules now.

> We changed nothing for org.freedesktop.packagekit.package-install-untrusted, leaving it to ask for the root password before installing "untrusted" software (as far as I understood polkit).

I have a hard time finding how PackageKit internally decides that it's "untrusted". I however think that the PackageKit zypp backend might not be reporting this correctly.

> I'm not entirely sure what to do at this point to circle in on the problem. We don't want users (or exploits...) to be able to install unsigned packages. As we are using autoyast, we aren't ruling out that our current autoyast.xml file might alter some openSUSE settings permanently, but from our understanding, settings described there should only apply to the "live system" used to install the system.

You will probably need to ask our zypp gurus :/

> Any pointers are greatly appreciated, especially to official documentation for packagekit/polkit if they describe install-packages and install-packages-untrusted in detail.

The exact meaning seems lacking.

Ciao, Marcus
>> To get this functionality, we changed a file in /etc/polkit-1/localauthority and set
>> ResultActive to yes (instead of auth_admin) for org.freedesktop.packagekit.package-install -only-. (I'm not 100% sure about the filename as I have limited access to our test environment right now.)

> Interesting that this worked, as polkit has dropped the localauthority backend and only does javascript rules now.

My bad. I just remembered a way to get my hands on our current autoyast scripts and we aren't actually editing a file in /etc/polkit-1/..., we just do:

  echo "org.freedesktop.packagekit.package-install no:no:yes" >> /etc/polkit-default-privs.local
  /sbin/set_polkit_default_privs

in a post-script (autoyast). We aren't adding org.freedesktop.packagekit.package-install-untrusted, though, so from what I gathered on the net users shouldn't be able to install unsigned software, but they are. (I'm guessing that org.freedesktop.packagekit.package-install shouldn't allow the installation of foreign packages because https://bugzilla.redhat.com/show_bug.cgi?id=534047 describes that it was added as a default in Fedora 12 to allow users to install software as non-root, but only from trusted repositories. And because package-install-untrusted wouldn't be very useful if package-install already covered all packages :) )

> I have a hard time finding how PackageKit internally decides that it's "untrusted".
> I however think that the PackageKit zypp backend might not be reporting this correctly.

So the zypp backend might wrongfully report the same for packages that are signed, unsigned, or signed with an unknown key, resulting in apper (I'm pretty sure it was apper, but I'll get my facts straight as soon as possible, sorry) installing them because it has no way of knowing that the package is untrusted?

> You will probably need to ask our zypp gurus :/

Do they frequent this list, too?

Thanks for your help,
Andreas
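The thread cannot settle how PackageKit's zypp backend tells the three package classes apart, but an admin can at least check what rpm itself reports for each test package before trusting the GUI's verdict. The script below is an added example, not code from the thread; it classifies `rpm -K` (`rpm --checksig`) output lines into signed-by-imported-key, signed-by-unknown-key, unsigned and failed, and it assumes the line shapes of rpm 4.11 ("rsa sha1 (md5) pgp md5 OK", "NOT OK (MISSING KEYS: ...)") and rpm 4.14 and later ("digests signatures OK"); the sample lines and the key id PGP#deadbeef are constructed.

```shell
#!/bin/sh
# Added example: classify `rpm -K` verdicts so an admin can see which of the
# downloaded test packages rpm verifies against an imported key, which carry a
# signature from a key rpm does not have, and which are not signed at all.
# Assumption: line formats follow rpm 4.11 and rpm >= 4.14 (see lead-in).

# classify_checksig "<one rpm -K line>" -> trusted | unknown-key | unsigned | bad
classify_checksig() {
    case "$1" in
        *"MISSING KEYS"*|*NOKEY*)               echo unknown-key ;; # signed, key not imported
        *"NOT OK"*)                             echo bad ;;         # digest or signature failed
        *" pgp "*|*" gpg "*|*"signatures OK"*)  echo trusted ;;     # signature verified by rpm
        *" OK")                                 echo unsigned ;;    # digests only, no signature
        *)                                      echo bad ;;         # unparseable line
    esac
}

# audit_checksig reads rpm -K lines on stdin, prints "<verdict><TAB><file>" per
# line and returns the number of packages NOT verified by an imported key.
audit_checksig() {
    n=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        file=${line%%:*}
        verdict=$(classify_checksig "$line")
        printf '%s\t%s\n' "$verdict" "$file"
        [ "$verdict" = trusted ] || n=$((n + 1))
    done
    return "$n"
}

# Constructed sample output of `rpm -K *.rpm` (no real packages or keys)
SAMPLE='vim-7.4.0-1.1.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
hello-1.0-1.noarch.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#deadbeef)
local-tool-0.1-1.x86_64.rpm: sha1 md5 OK
newer-2.0-1.x86_64.rpm: digests signatures OK
newer-unk-2.0-1.x86_64.rpm: digests SIGNATURES NOT OK'

printf '%s\n' "$SAMPLE" | audit_checksig
echo "packages not verified by an imported key: $?"
```

Run it as `rpm -K /path/to/*.rpm | audit_checksig` on the real test packages; a non-zero return value means at least one package is not backed by a key in the rpm database, which is exactly the class that should still trigger package-install-untrusted.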
participants (2)
-
Andreas Seeg
-
Marcus Meissner