From Fedora Project Wiki
Revision as of 18:35, 11 May 2024

Better rpm-ostree Permissions

This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.

Summary

rpm-ostree currently

  • allows all wheel users to do arbitrary changes to the system without a password prompt. This leads to scenarios like silverblue privilege escalation (by default users are in the wheel group)
  • prevents nonwheel users from updating their systems, making many deployments impossible.

Upgrades

On the atomic variants, upgrading the system is not a privileged process. It can and will be automated and run in the background.

Updating the system atomically is rock solid and does not involve much risk. Instead, it includes important security patches, so getting quick updates is a big priority.

System modifications

Meanwhile, modifying the base, changing to another ostree remote, and layering, unlayering or removing packages from the base image are all privileged actions.

Layering packages allows installing any RPM into the system base, which can include arbitrary executable code. Installing external RPMs is possible, which means there is no monitoring of their contents.

rpm-ostree can use external repositories including COPR, by placing them in /etc/yum.repos.d/.

rpm-ostree allows many more modifications of the core system like adding or removing kargs.

All of these can infect a system with malware or render it unusable, so these actions are privileged and require guarded privilege escalation.

Owner

  • Name: Henning
  • Email: boredsquirrel@secure.mailbox.org

I am happy for additional owners :D

Current status


  • Targeted release: Fedora 41 (Backport to 40 highly advised)
  • Last updated: 2024-05-11
  • Devel thread: <will be assigned by the Wrangler>
  • FESCo issue: <will be assigned by the Wrangler>
  • Tracker bug: <will be assigned by the Wrangler>
  • Release notes tracker: <will be assigned by the Wrangler>

Detailed Description

Change the default rpm-ostree polkit rules to

  • allow refresh and update to all local&active users
  • do not allow other actions without a password prompt

This fixes the mentioned privilege escalation vector and helps to work towards a system that is possible to use without wheel privileges.

Please discuss whether local&active needs to be a requirement, or whether it may block remote users. Keywords: VNC, RDP, GNOME remote login, ssh.

Feedback

@travier: Split the 2 changes into separate PRs


Benefit to Fedora

It makes the atomic variants secure against privilege escalation through unprivileged processes and users. Currently the atomic variants are extremely insecure, more insecure than any other Fedora variant.

It unbreaks automatic updates, which currently spit out constant errors when the user is not in the wheel group.

This opens up use in schools, for children, or any other setting where admins may not be available and users should not make changes to the system.

Scope

  • Proposal owners:
  • Other developers:
  • Policies and guidelines: N/A (not needed for this Change)
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with Community Initiatives:

Upgrade/compatibility impact

There will be no big changes. Privileged actions like rebase, install, cancel and rollback will require a password from now on.

If a wheel user enables automatic updates, these will also work in the background for nonwheel users.

GUI stores: plasma-discover and gnome-software (with their rpm-ostree integrations) were tested. Updates work normally, and gnome-software also prompts for a reboot.

Both stores don't show RPM packages for installation (by default), but both display the repos used for system updates correctly.

How To Test

Place the file in the override /etc directory:


 # tee runs as root, so the write into /etc succeeds (with "sudo cat > file" the
 # unprivileged shell opens the file and the write is denied)
 sudo tee /etc/polkit-1/rules.d/org.projectatomic.rpmostree1.rules >/dev/null <<'EOF'
 // Allow any active local session to refresh metadata and upgrade; every other
 // rpm-ostree action falls through to the default policy (password prompt).
 polkit.addRule(function(action, subject) {
   if ((action.id == "org.projectatomic.rpmostree1.repo-refresh" ||
     action.id == "org.projectatomic.rpmostree1.upgrade") &&
     subject.active == true && subject.local == true) {
       return polkit.Result.YES;
   }
 });
 EOF


It will also take effect if an alternative version of the file exists under the /usr directory.
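To see what the rule does and does not cover, including the remote-user question raised in the Detailed Description, here is an added JavaScript harness (not part of the proposal, of polkit or of rpm-ostree) that evaluates the proposed rule against constructed subjects; the "rebase" action ID and the auth_admin default for other actions are assumptions.

```javascript
// Added harness (not polkit or rpm-ostree code): a minimal stand-in for
// polkitd's rule engine, just enough to evaluate the proposed rule offline.
const polkit = {
  // Real polkit result strings; AUTH_ADMIN means "prompt for an admin password".
  Result: { YES: "yes", NO: "no", AUTH_ADMIN: "auth_admin" },
  _rules: [],
  addRule(fn) { this._rules.push(fn); },
};

// The rule from the Change proposal, as it would sit in
// /etc/polkit-1/rules.d/org.projectatomic.rpmostree1.rules.
polkit.addRule(function (action, subject) {
  if ((action.id == "org.projectatomic.rpmostree1.repo-refresh" ||
       action.id == "org.projectatomic.rpmostree1.upgrade") &&
      subject.active == true && subject.local == true) {
    return polkit.Result.YES;
  }
});

// Mimics polkitd: the first rule returning a value decides; if none does, the
// action's implicit default applies. Assumption: the privileged rpm-ostree
// actions default to auth_admin, which is what the proposal relies on.
function decide(actionId, subject, implicitDefault = polkit.Result.AUTH_ADMIN) {
  for (const rule of polkit._rules) {
    const result = rule({ id: actionId }, subject);
    if (result !== undefined) return result;
  }
  return implicitDefault;
}

// Constructed subjects: a non-wheel user at the console, and the same user
// over ssh (a seatless session, so polkit reports it as not local).
const consoleUser = { user: "alice", active: true, local: true };
const sshUser     = { user: "alice", active: true, local: false };

// The two IDs in the rule come from the proposal; "rebase" is assumed here to
// stand for any other (privileged) rpm-ostree action.
const UPGRADE = "org.projectatomic.rpmostree1.upgrade";
const REFRESH = "org.projectatomic.rpmostree1.repo-refresh";
const REBASE  = "org.projectatomic.rpmostree1.rebase";

function summary() {
  return {
    consoleUpgrade: decide(UPGRADE, consoleUser), // "yes": no prompt
    consoleRefresh: decide(REFRESH, consoleUser), // "yes": no prompt
    consoleRebase:  decide(REBASE,  consoleUser), // "auth_admin": password prompt
    sshUpgrade:     decide(UPGRADE, sshUser),     // "auth_admin": remote user not covered
  };
}
```

The last case is the one the "local&active" question is about: an ssh user is not auto-allowed to upgrade by this rule and gets the default prompt instead.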

User Experience

Fedora Atomic Desktop users are not meant to modify the core system more than needed. This change will set the correct barrier of requiring a password for system modifications.

Nonwheel users will not notice anything, but a system automatically upgraded in the background is possible now.

Dependencies

  • rpm-ostree
  • gnome-software-rpm-ostree
  • plasma-discover-rpm-ostree

These projects will be affected:

  • Fedora Atomic Desktops (Silverblue, Kinoite, Budgie Atomic, Sway Atomic)
  • Fedora CoreOS
  • Fedora IOT

Contingency Plan

The solution is simple and just needs to be merged, once it is decided upon and the PR is updated to the latest branch.

A backport to Fedora 40 should be done for the sake of security, as the current status is very insecure.

Documentation

Release Notes

Fix rpm-ostree's polkit permissions to allow upgrades for all users, and require a password for any system modifications.