From Fedora Project Wiki
Revision as of 20:02, 13 May 2024

Better rpm-ostree Permissions

This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.

Summary

rpm-ostree currently

  • allows all wheel users to do arbitrary changes to the system without a password prompt. This leads to scenarios like silverblue privilege escalation (by default users are in the wheel group)
  • prevents nonwheel users from updating their systems, making many deployments impossible.

Upgrades

On the atomic variants, upgrading the system is not a privileged action. It can and will be automated and run in the background.

The source where the updates come from is trusted.

Updating the system atomically is rock solid and does not involve much risk. Instead, it includes important security patches, so getting quick updates is a big priority.

System modifications

Meanwhile, modifying the base, changing to another ostree remote, layering, unlayering or removing packages from the base image are all privileged actions.

Layering packages allows installing any RPM into the system base, which can include arbitrary executable code. Installing external RPMs is possible, which means there is no monitoring of their contents.

rpm-ostree can use external repositories including COPR, by placing them in /etc/yum.repos.d/.

rpm-ostree allows many more modifications of the core system like adding or removing kargs.

Editing the source of updates (rebasing) is a privileged system modification and can make formerly trusted updates malicious.

All of these can infect a system with malware or render it unusable; thus these actions are privileged and require guarded privilege escalation.

Owner

  • Name: Henning
  • Email: boredsquirrel@secure.mailbox.org

I am happy for additional owners :D

Current status
  • Targeted release: Fedora 41 (Backport to 40 highly advised)
  • Last updated: 2024-05-13
  • [<will be assigned by the Wrangler> devel thread]
  • FESCo issue: <will be assigned by the Wrangler>
  • Tracker bug: <will be assigned by the Wrangler>
  • Release notes tracker: <will be assigned by the Wrangler>

Detailed Description

Change the default rpm-ostree polkit rules to

  • allow refresh and update for all local and active users
  • not allow any other action without a password prompt

This fixes the mentioned privilege escalation vector and helps to work towards a system that can be used without wheel privileges.

Please discuss whether local and active needs to be a requirement, or whether it would block remote users. Keywords: VNC, RDP, GNOME remote login, ssh.

See these PRs:

Feedback

@travier : Split the 2 changes into separate PRs

@travier : Keep the dependency on local and active users

Benefit to Fedora

It makes the atomic variants secure against privilege escalation through unprivileged processes and users. Currently the atomic variants are extremely insecure, more insecure than any other Fedora variant.

It unbreaks automatic updates, which currently spit out constant errors when the user is not in the wheel group.

Thus it opens possibilities for use in schools, for children, or in any other area where admins may not be available and users should not make changes to the system.

Scope

  • Proposal owners:
  • Other developers:
  • Policies and guidelines: N/A (not needed for this Change)
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with Community Initiatives:

Upgrade/compatibility impact

There will be no big changes. Privileged actions like rebase, install, cancel and rollback will from now on require a password.

If a wheel user enables automatic updates, these will also work in the background for nonwheel users.

GUI stores: plasma-discover and gnome-software (with their rpm-ostree integrations) were tested: updates work normally, and gnome-software also prompts for a reboot.

Both stores don't show RPM packages for installation (by default), but both display the repos used for system updates correctly.

How To Test

Place the file in the override /etc directory:


 # Write the rule as root with tee: a plain "sudo cat > file" fails because the
 # redirection is performed by the unprivileged shell, not by the sudo'd process.
 sudo tee /etc/polkit-1/rules.d/org.projectatomic.rpmostree1.rules >/dev/null <<'EOF'
 // Allow repository refresh and upgrades without a password, but only for
 // subjects in a local, active session (not for remote or background logins).
 polkit.addRule(function(action, subject) {
   if ((action.id == "org.projectatomic.rpmostree1.repo-refresh" ||
        action.id == "org.projectatomic.rpmostree1.upgrade") &&
       subject.active == true && subject.local == true) {
     return polkit.Result.YES;
   }
 });
 EOF

The rule in /etc stays in effect even if an alternative rules file for rpm-ostree ships under /usr.
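The rules file above covers only the first half of the Detailed Description (password-less refresh/upgrade for local, active users). The example below is added here and is not part of the proposal or of rpm-ostree: it contains the two rules that implement both halves, plus a small constructed stand-in for polkit's JavaScript engine so the decisions can be checked offline. The "rebase" action id used in the comments and the auth_admin_keep result are assumed from polkit and rpm-ostree conventions; only repo-refresh and upgrade are named on this page.

```javascript
// Constructed stand-in for the polkit JavaScript authority (NOT polkit itself):
// it records rules the way polkit.addRule does and evaluates them in order,
// returning the first rule's decision, as the real engine does.
const polkit = {
  Result: { YES: "yes", NO: "no", AUTH_ADMIN_KEEP: "auth_admin_keep" },
  _rules: [],
  addRule(fn) { this._rules.push(fn); },
};

// Proposed content of /etc/polkit-1/rules.d/org.projectatomic.rpmostree1.rules.
// Rule 1: refresh/upgrade is allowed without a password, but only for subjects in
// a local, active session. Remote sessions (ssh, VNC, RDP) fall through to rule 2.
const RPMOSTREE_PREFIX = "org.projectatomic.rpmostree1.";
polkit.addRule(function (action, subject) {
  if ((action.id == RPMOSTREE_PREFIX + "repo-refresh" ||
       action.id == RPMOSTREE_PREFIX + "upgrade") &&
      subject.active == true && subject.local == true) {
    return polkit.Result.YES;
  }
});
// Rule 2: every other rpm-ostree action (e.g. rebase, assumed id) requires admin
// authentication, wheel membership included; this is what closes the
// password-less escalation path, since the first decision wins in polkit.
polkit.addRule(function (action, subject) {
  if (action.id.indexOf(RPMOSTREE_PREFIX) == 0) {
    return polkit.Result.AUTH_ADMIN_KEEP;
  }
});

// Evaluate one action for one subject as polkit would: the first rule returning a
// result decides; undefined/null means "no opinion, use the defaults".
function authorize(actionId, subject) {
  for (const rule of polkit._rules) {
    const r = rule({ id: actionId }, subject);
    if (r !== undefined && r !== null) return r;
  }
  return undefined;
}
```

Running the file with node produces no output; call authorize() with a subject object such as { active: true, local: true } to see the decision for a given action id.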

User Experience

Fedora Atomic Desktop users are not meant to modify the core system more than needed. This change will set the correct barrier of requiring a password for system modifications.

Nonwheel users will not notice anything, but a system that is automatically upgraded in the background is now possible.

Dependencies

  • rpm-ostree
  • gnome-software-rpm-ostree
  • plasma-discover-rpm-ostree

These projects will be affected:

  • Fedora Atomic Desktops (Silverblue, Kinoite, Budgie Atomic, Sway Atomic)
  • Fedora CoreOS
  • Fedora IOT

Contingency Plan

The solution is simple and just needs to be merged once it is decided upon and the PR is updated to the latest branch.

A backport to Fedora 40 should be done for the sake of security, as the current status is very insecure.

Documentation

Release Notes

Fix rpm-ostree's polkit permissions to allow upgrades for all users, and require a password for any system modifications.