Re: Security Problem with "PackageKit-command-not-found" package
On Thu, Aug 25 2022 at 11:20:46 AM -, Sandipan Roy wrote:
> By this vulnerability any wheel user can install any packages without
> root access or sudo.

Hi, this is actually by design and not a vulnerability. The wheel user is definitionally an administrator user, and can escalate from wheel to root without abusing any vulnerability. It might be more intuitive if you consider that wheel users have unrestricted access to sudo. So yeah, you can use PackageKit to install sqliteODBC or Sympa and abuse them to elevate privileges... or you could just run sudo and not bother, right?

The JavaScript rule in question here actually has nothing to do with authorization, only with *authentication*. It disables the password prompt that forces the human sitting at the computer to authenticate. This means a local attacker with physical access to the computer -- e.g. a secret agent from the FBI or KGB or Mossad -- can install packages on your computer if you leave your desktop unlocked and walk away, or if they attack you with a hammer. But this has no effect on authorization. Notably, if the password prompt were required, it would be asking you for the password *to your wheel account*. Fedora's root account is locked by default anyway, with no root password and no way to authenticate as root.

Since most Fedora users are not too worried about secret agents, the extra password prompt is annoying rather than useful. It's totally reasonable to skip authentication for users who *already* authenticated when logging into the desktop, right? Users who don't have wheel still have to authenticate as a user who does, or they won't be able to install anything.

That said, there is a bug here, just not where you thought. Look at this comment:

If that were true, then unprivileged users really could install vulnerable packages like sqliteODBC or Sympa and thereby elevate privileges. Fortunately, the comment is totally wrong as it doesn't match the actual security policy.

Looking at the history of this file, it looks like this comment was correct when it was written on August 21, 2007, but the policy was changed to be more restrictive later the same day. Here is a pull request to fix it:

https://github.com/PackageKit/PackageKit/pull/568

Michael
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Re: Security Problem with "PackageKit-command-not-found" package
On 25/08/2022 13:20, Sandipan Roy wrote:
> I'm Sandipan Roy [FAS: ByteHackr], I wanted to share a serious system wide
> problem with PackageKit-command-not-found [1] package.

Not a bug, but a feature. Members of the wheel group, also known as "admin users", can install any packages using PackageKit without entering their password.

--
Sincerely,
Vitaly Zaitsev (vit...@easycoding.org)
Re: Security Problem with "PackageKit-command-not-found" package
Some CVEs have appeared because of this issue. Details + analysis found at:
https://sysdream.com/abusing-packagekit-fedora-centos-for/
Re: Security Problem with "PackageKit-command-not-found" package
Wheel user rule for packagekit

    $ sudo cat /usr/share/polkit-1/rules.d/org.freedesktop.packagekit.rules
    [sudo] password for sandipan:
    polkit.addRule(function(action, subject) {
        if ((action.id == "org.freedesktop.packagekit.package-install" ||
             action.id == "org.freedesktop.packagekit.package-remove") &&
            subject.active == true && subject.local == true &&
            subject.isInGroup("wheel")) {
                return polkit.Result.YES;
        }
    });
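The rule quoted in the message above can be exercised offline to see which subjects skip the password prompt and which fall through to the action's default. This is an added example, not part of the thread or of PackageKit: `makeEngine`, `makeSubject` and `evaluate` are hypothetical helpers, the subjects are constructed, `org.example.other` is a made-up action id, and the implicit default of `AUTH_ADMIN` is an assumption to be checked against the action's `.policy` file.

```javascript
// Offline stand-in for the polkit rules engine (hypothetical helper, not polkit code).
const Result = { YES: "yes", AUTH_ADMIN: "auth_admin" };

function makeEngine(implicitDefault) {
  const rules = [];
  return {
    Result,
    addRule(fn) { rules.push(fn); },
    // Rules run in order; the first one that returns a value decides.
    // If none does, the action's implicit default from its .policy file applies.
    check(actionId, subject) {
      for (const rule of rules) {
        const r = rule({ id: actionId }, subject);
        if (r !== undefined && r !== null) return r;
      }
      return implicitDefault;
    },
  };
}

// Constructed subject; groups is sample data, not read from a real system.
function makeSubject(groups, active, local) {
  return { active, local, isInGroup: (g) => groups.includes(g) };
}

// The rule quoted in the thread, registered on the given engine.
function loadPackageKitRule(polkit) {
  polkit.addRule(function (action, subject) {
    if ((action.id == "org.freedesktop.packagekit.package-install" ||
         action.id == "org.freedesktop.packagekit.package-remove") &&
        subject.active == true && subject.local == true &&
        subject.isInGroup("wheel")) {
      return polkit.Result.YES;
    }
  });
}

// Assumption: implicit default is AUTH_ADMIN (prompt for an admin password).
function evaluate(groups, active, local, actionId) {
  const polkit = makeEngine(Result.AUTH_ADMIN);
  loadPackageKitRule(polkit);
  return polkit.check(actionId, makeSubject(groups, active, local));
}

const INSTALL = "org.freedesktop.packagekit.package-install";
console.log("wheel, local desktop:", evaluate(["wheel"], true, true, INSTALL));
console.log("wheel, remote session:", evaluate(["wheel"], true, false, INSTALL));
console.log("non-wheel, local desktop:", evaluate(["users"], true, true, INSTALL));
console.log("wheel, other action:", evaluate(["wheel"], true, true, "org.example.other"));
```

Only the first case returns `yes`; every other subject or action falls through to the default, which is the authentication-versus-authorization distinction made earlier in the thread.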
Security Problem with "PackageKit-command-not-found" package
Hello World,

I'm Sandipan Roy [FAS: ByteHackr], I wanted to share a serious system wide problem with PackageKit-command-not-found [1] package. Can you guys give some feedback if I can submit a system wide change proposal to remove this because it's a poor system design.

By this vulnerability any wheel user can install any packages without root access or sudo.

Reproducer:
Open up any bash terminal. Type in the name of a package that isn't installed already (e.g. nemo, irssi). I can reproduce in F36-KDE. In workstation not reproducible.

Analysis:

    $ rpm -qf /etc/profile.d/PackageKit.sh
    PackageKit-command-not-found-1.2.5-1.fc36.x86_64
    $ rpm -ql PackageKit-command-not-found-1.2.5-1.fc36.x86_64
    /etc/PackageKit/CommandNotFound.conf
    /etc/profile.d/PackageKit.sh
    /usr/lib/.build-id
    /usr/lib/.build-id/86
    /usr/lib/.build-id/86/7d08bc388e2cd2dbb8523e0a4662e19045bf4d
    /usr/libexec/pk-command-not-found
    $ which command_not_found_handle
    command_not_found_handle ()
    {
        local runcnf=1;
        local retval=127;
        [[ $- == *"i"* ]] || runcnf=0;
        [[ ! -S /run/dbus/system_bus_socket ]] && runcnf=0;
        [[ ! -x '/usr/libexec/packagekitd' ]] && runcnf=0;
        [[ -n ${COMP_CWORD-} ]] && runcnf=0;
        [[ ! -x '/usr/libexec/pk-command-not-found' ]] && runcnf=0;
        if [ $runcnf -eq 1 ]; then
            '/usr/libexec/pk-command-not-found' "$@";
            retval=$?;
        else
            if [[ -n "${BASH_VERSION-}" ]]; then
                printf 'bash: %s%s\n' "${1:+$1: }" "$(gettext PackageKit 'command not found')" 1>&2;
            fi;
        fi;
        return $retval
    }

[1] https://fedoraproject.org/wiki/Features/PackageKitCommandNotFound#PackageKit_Command_Not_Found

Thanks,
Sandipan Roy
Associate Product Security Engineer