Security testing: need for a security policy, and a security-critical package process

Gene Czarcinski gene at czarc.net
Tue Dec 1 19:56:20 UTC 2009


On Tuesday 01 December 2009 13:56:51 Adam Williamson wrote:
> On Tue, 2009-12-01 at 12:47 -0500, Gene Czarcinski wrote:
> > I suspect that most commercial and government customers will be
> > interested in Red Hat Enterprise Linux rather than Fedora.  But, Fedora
> > is the technology base on which future Red Hat Enterprise Linux releases
> > are built.  The better Fedora is, the more confidence customers will have
> > in the Red Hat product.
> 
> I agree. What I'm really worried about here, ultimately, is PolicyKit,
> and the way it permits a lot more grey areas than have been possible
> before. If you look at previous privilege escalation mechanisms, they're
> simplistic; whether you're using sudo or consolehelper or whatever,
> ultimately you either have a process run as root or as user. And it's
> pretty obvious what should run as root and what shouldn't; I don't
> remember there being any real serious debates about that, everyone
> pretty much reaches the same conclusions independently. The
> authentication question is equally simple: basically either the process
> just runs as root automatically (which everyone agrees should happen for
> as few processes as possible), or you have to authenticate each time -
> for Fedora, basically you have to type the root password, since we never
> really used sudo.
> 
> Things like 'well, we can perform this one specific type of operation
> with this one specific type of authentication' just weren't possible.
> Now they are, so stuff like the PackageKit issue was bound to start
> happening. The things PolicyKit makes possible really need some kind of
> coherent oversight, I think, and that is indeed something Red Hat
> Enterprise Linux will also need to address, so obviously from an RH
> perspective, it helps RH if Fedora develops some kind of policy for
> this. But I think it's necessary for Fedora anyway, regardless of RH.
> 

What you are saying puts more emphasis on getting a security policy written and 
ratified by FESco.  And you will also need some oversight of what the 
developers are doing with respect to security and this security policy.  The 
QA process should catch the "oops" problems ... not those done intentionally 
by a well-intentioned developer.

I do not know that much about PolicyKit and given my interests in security, I 
probably need to learn about it.  One thing that occurs to me is to wonder if 
PolicyKit is using SELinux (see SELinux Users and Roles).  If not, why not?

Regardless of how PolicyKit works, the default should be locked-down with an 
easy-to-use sysadmin tool to provide configuration with the ability to open 
things up in a controlled manner.

You should talk to the folks handling SELinux.  My impression of them is that 
they know what they are doing and may provide some insight into the PolicyKit 
"problem".

Fedora has come a long way since SELinux was first introduced.  It would be a 
shame if the enhanced security provided by SELinux was negated by PolicyKit.

A couple of other comments:

- No, I do not believe that regular users should be able to update or install 
software globally without transitioning to an admin role ... they can put stuff 
in their home directory but not globally.

- I agree with Smooge in one of the messages he wrote ... there are many users 
who would like to run Fedora just like Windows95.  That may be but that does 
not mean that Fedora should follow that idea.

Gene
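As an added example that is not part of this thread and not Fedora's or PackageKit's own configuration: the "locked-down default, opened up in a controlled manner" that Gene asks for, written as a polkit Local Authority rule in the .pkla format that polkit 0.9x (the Fedora 12 era) reads from /etc/polkit-1/localauthority/*.d/. The directory and file name used in the comments are assumptions for illustration; the action id is PackageKit's own and can be confirmed against the installed .policy files with `pkaction --verbose`.

```ini
# Added example, not from the original thread. Assumed location:
# /etc/polkit-1/localauthority/50-local.d/10-package-install.pkla
# (polkit 0.9x Local Authority backend; .pkla files are key files,
# so '#' starts a comment).

# Locked-down default: every user, even one sitting at the console in
# an "active" local session, must present an administrator credential
# before packages are installed system-wide. ResultAny covers remote or
# otherwise unclassified sessions, ResultInactive a local session that
# is not the one currently in the foreground. Who counts as "admin" is
# set separately in localauthority.conf.d (AdminIdentities=...); with a
# root-only setting this is the "type the root password" model.
[Require admin authentication for system-wide package install]
Identity=unix-user:*
Action=org.freedesktop.packagekit.package-install
ResultAny=no
ResultInactive=no
ResultActive=auth_admin

# The weak shape to look for when auditing shipped .pkla files and
# .policy defaults: ResultActive=yes grants the action to any active
# local user with no prompt at all, which is exactly the grey area the
# thread is about. It is kept commented out here and shown only so the
# two settings can be compared line by line.
#[Weak: silent install for any active local user]
#Identity=unix-user:*
#Action=org.freedesktop.packagekit.package-install
#ResultAny=no
#ResultInactive=no
#ResultActive=yes
```

To check what the effective decision is for a given session after dropping the file in place, `pkcheck --action-id org.freedesktop.packagekit.package-install --process $$` asks polkit directly; a locked-down default should answer that authorization is required rather than silently succeeding.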

More information about the fedora-devel-list mailing list