Unprivileged updates for Fedora Atomic Desktops
Summary
We want to update the Polkit rule currently controlling access to the rpm-ostree daemon on Fedora Atomic Desktops to do the following:
- Enable users to update the system without being an administrator or typing a password.
- Restrict the current rule for administrators to make more operations explicitly require a password.
Owner
- Henning, boredsquirrel@secure.mailbox.org
- Timothée Ravier, siosm@fedoraproject.org
Current status
- Targeted release: Fedora Linux 41
- Last updated: 2024-10-24
- Announced
- Discussion thread
- FESCo issue: #3223
- Tracker bug: #2296277
- Release notes tracker: #130
Detailed Description
This change tries to address two issues:
- Give more users the permission to update their systems as this should be an entirely safe operation on Fedora Atomic Desktops.
- Silverblue already automatically update the system and Flatpaks by default and Kinoite is looking at doing it as well: https://fedoraproject.org/wiki/Changes/KDEKinoiteAutoUpdateByDefault
- We will thus enable all active and interactive users to update the system without being an administrator or typing a password.
- Note that this is only about system updates (and repo metadata updates) and no other operations.
- Reduce access to the most privileged operations of rpm-ostree for administrators to avoid mistakes.
- The current setup is not directly a security issue as it only allows those operations for users that are part of the wheel group and thus assumed to be administrators.
- However, some of those operations can be more dangerous than others so we should ask the administrator to confirm them or let them do it via
sudo
. - Operations such as changing kernel arguments, installing a local package, rebasing to another image, etc. will thus be removed from the current Polkit rule and will now require the administrator password, similarly to calling it via
sudo
. - Only the install/uninstall packages from the repos, upgrade, rollback, cancel and cleanup operations will remain password-less, to match the behavior on package mode Fedora with dnf.
See:
- https://gitlab.com/fedora/ostree/sig/-/issues/7
- https://github.com/rohanssrao/silverblue-privesc/issues/4
- https://bugzilla.redhat.com/show_bug.cgi?id=2203555
Initial work in:
- https://src.fedoraproject.org/rpms/fedora-release/pull-request/324
- https://src.fedoraproject.org/rpms/fedora-release/pull-request/325
Feedback
Nothing here so far beyond comments in the PRs, which have mostly been addressed.
Benefit to Fedora
This change will make it easier to setup a Fedora system with non-administrator (unprivileged) users that can still update the system without administrator intervention. Note that major version upgrades (rebase operation) will still require privileges (or an administrator password) for now. This is due to a limit of the current rpm-ostree interface.
This is also a step towards the goals of the Confined Users Special Interest Group (SIG).
Scope
- Proposal owners:
- Implement the change in the polkit rules
- Validate that this changes works on all Fedora Atomic Desktops (notably with GNOME Software and Plasma Discover)
- Other developers:
- Developers depending on the current polkit rules might have to adapt their software. We don't know of any software impacted right now.
- Release engineering: N/A (not needed for this Change)
- Policies and guidelines: N/A (not needed for this Change)
- Trademark approval: N/A (not needed for this Change)
- Alignment with the Fedora Strategy: Not specificaly
Upgrade/compatibility impact
This change does not remove any interface so it should not have any impact for users on upgrade. If some of the now "password-full" operations were used previously, they will now ask for a password.
If administrators previously disabled or overwrote the current polkit rules, then they might have to update their override for the new behavior.
Early Testing (Optional)
Do you require 'QA Blueprint' support? No
How To Test
- Write the following file:
/etc/polkit-1/rules.d/org.projectatomic.rpmostree1.rules
polkit.addRule(function(action, subject) { if ((action.id == "org.projectatomic.rpmostree1.repo-refresh" || action.id == "org.projectatomic.rpmostree1.upgrade") && subject.active == true && subject.local == true) { return polkit.Result.YES; } if ((action.id == "org.projectatomic.rpmostree1.install-uninstall-packages" || action.id == "org.projectatomic.rpmostree1.rollback" || action.id == "org.projectatomic.rpmostree1.reload-daemon" || action.id == "org.projectatomic.rpmostree1.cancel" || action.id == "org.projectatomic.rpmostree1.cleanup" || action.id == "org.projectatomic.rpmostree1.client-management") && subject.active == true && subject.local == true && subject.isInGroup("wheel")) { return polkit.Result.YES; } if (( action.id == "org.projectatomic.rpmostree1.install-local-packages" || action.id == "org.projectatomic.rpmostree1.override" || action.id == "org.projectatomic.rpmostree1.deploy" || action.id == "org.projectatomic.rpmostree1.rebase" || action.id == "org.projectatomic.rpmostree1.bootconfig" ) && subject.active == true && subject.local == true && subject.isInGroup("wheel")) { return polkit.Result.AUTH_ADMIN; } });
- Test that normal / unprivileged users can only do the following operations without a password:
- Update the system:
rpm-ostree update
- Refresh the metadata:
rpm-ostree refresh-md
- Update the system:
- Test that admin / privileged users can do the following operations without a password:
- Install a package from the official Fedora repos:
rpm-ostree install strace
- Cancel an in-progress transaction:
rpm-ostree cancel
- Rollback to a previous version:
rpm-ostree rollback
- Reload the daemon:
rpm-ostree reload
- Cleanup pending or rollback deployments:
rpm-ostree cleanup
- Install a package from the official Fedora repos:
- Test that admin / privileged users are asked a password for the following operations:
- Install a local RPM package:
rpm-ostree install ./foo.rpm
- Override replace a package:
rpm-ostree override replace vim-x.y.z.rpm
- Deploy a specific version:
rpm-ostree deploy 40.20240518.1
- Rebase to any version:
rpm-ostree rebase ...
(try with Kinoite on Silverblue, etc.) - Change kernel argments:
rpm-ostree kargs --append=foo=bar
- Install a local RPM package:
User Experience
This change should be mostly transparent for users.
If some of the now "password-full" operations were used previously, they will now ask for a password.
Unprivileged users will be able to update the system.
Dependencies
The rules are shipped as part of the fedora-release
RPM. There are no other dependencies.
Contingency Plan
- Contingency mechanism: (What to do? Who will do it?)
- We can revert the change to the
fedora-release
package at any time. - Will be done by the change owners.
- We can revert the change to the
- Contingency deadline: Beta freeze or final freeze
- Blocks release? No
Documentation
We will document how to disable those new rules or restrict more operations using polkit.
Release Notes
On Atomic Desktops, the policy controlling access to the rpm-ostree
daemon has been updated to:
- Enable users to update the system without having elevated privileges or typing a password. Note that this change only applies to system updates and repository meta updates; no other operations.
- Reduce access to the most privileged operations (such as changing the kernel arguments, or rebasing to another image) of
rpm-ostree
for administrators to avoid mistakes. Only the following operations will remain password-less to match the behavior of the package mode Fedora with thednf
command:- install and uninstall packages
- upgrade the image
- rollback the image
- cancel transactions
- cleanup deployment