Fedora and package install privileges

Old news I guess, but Fedora 12 will revert to Fedora 11 style package installation privileges which will prompt for the root password. Fedora 13 should implement the idea fully.

There was a “feature” in Fedora 12 which let any user install digitally signed software without needing the root password. It’s not as bad as it sounds – packages digitally signed by Fedora are safe. This might make sense on single user machines, but on those in schools and the like it could be bad, as students could install whatever they liked.

Owen Taylor provides an excellent overview of why this change was introduced. Essentially, constantly prompting for the root password does not enhance overall security, as it teaches users not to read what they are being asked and to type the password in reflexively.

He says:

The end effect of putting up a lot of dialogs... is that you are training users to blindly enter the root password and hit OK, *not* something that enhances the overall security of the system.

There is an obvious better way to do this, which is to figure out what the appropriate roles are for the system: administrative users, non-administrative users, etc., and let the person maintaining the system decide who gets what role.

So, David Zeuthen did a major redesign of PolicyKit to move it from the old “remembered permissions” policy, to a model where users could be assigned different roles.

This is what prompted the changes in PolicyKit and I think it’s a great innovation. Unfortunately, it’s not yet complete and hence we saw the “issue” emerge in F12.

He goes on to say (emphasis mine):

The idea was that the change in PolicyKit would be accompanied by a default set of roles, and a nice user interface for assigning users to roles. Unfortunately, with the constraints of time, it became clear that this all (and especially the GUI) wasn’t going to be there for Fedora 12. So, PackageKit needed a fixed policy for all users. For each action (install signed packages, install unsigned packages, remove packages, etc.), it needed to allow, deny, or ask for the root password.

Among the decisions Richard made was allowing all users to install signed packages from the Fedora repositories. This was clearly the right behavior for the common case of a single-user system, where the only user is also the administrator. And it seemed pretty safe: Fedora isn’t supposed to have packages in it that are dangerous to install. (For example, by policy, all network services must be off by default and not enabled by simply installing a package.)

He then goes on to explain why that “probably wasn’t the best choice” and plans for the future.

For Fedora 12, a PolicyKit update is available which reverts to the old method of requiring the root password. For Fedora 13 we should see the feature completed, which should make everyone happier.
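To make the PackageKit decision concrete, here is an added example (my own, not code from the post or from the Fedora project) contrasting the permissive Fedora 12 policy with a hardened one, plus a small audit for the permissive form. It assumes the polkit 1.x Local Authority `.pkla` format that Fedora 12 shipped (stanzas under `/etc/polkit-1/localauthority/50-local.d/`) and PackageKit’s `org.freedesktop.packagekit.package-install` action id; the stanza names and the `audit_pkla` helper are my own.

```shell
#!/bin/sh
# Added example, not part of the original post or of Fedora/PackageKit.
# Assumes polkit 1.x Local Authority (.pkla) semantics as shipped in Fedora 12.

PKLA_DIR="${PKLA_DIR:-/etc/polkit-1/localauthority/50-local.d}"

# Constructed sample of the permissive policy: every active local user may
# install signed packages without authenticating at all.
weak_policy() {
cat <<'EOF'
[Let everyone install signed packages]
Identity=unix-user:*
Action=org.freedesktop.packagekit.package-install
ResultAny=no
ResultInactive=no
ResultActive=yes
EOF
}

# Hardened policy: require the administrator (root) password; auth_admin_keep
# remembers the answer for a short while so one install does not mean many dialogs.
hardened_policy() {
cat <<'EOF'
[Require admin auth to install signed packages]
Identity=unix-user:*
Action=org.freedesktop.packagekit.package-install
ResultAny=auth_admin
ResultInactive=auth_admin
ResultActive=auth_admin_keep
EOF
}

# Write the hardened stanza where polkit will pick it up (run as root).
install_hardened_policy() {
  hardened_policy > "$PKLA_DIR/10-packagekit-install.pkla"
}

# audit_pkla FILE...: print "ACTION yes" for every stanza that grants the
# action to all users (Identity=unix-user:*) without authentication.
# Exit status 1 when at least one such stanza exists, 0 otherwise.
# Keys are collected per stanza so their order inside the stanza does not matter.
audit_pkla() {
  awk '
    function check() {
      if (identity == "unix-user:*" && active == "yes") { print action " " active; found = 1 }
    }
    /^\[/            { check(); identity = ""; action = ""; active = "" }
    /^Identity=/     { identity = substr($0, 10) }
    /^Action=/       { action = substr($0, 8) }
    /^ResultActive=/ { active = substr($0, 14) }
    END              { check(); exit found ? 1 : 0 }
  ' "$@"
}
```

On a live Fedora 12 box the effective defaults for the action can be inspected with `pkaction --action-id org.freedesktop.packagekit.package-install --verbose`, and `audit_pkla /etc/polkit-1/localauthority/*/*.pkla` flags any local override that hands the action to everyone; the hardened stanza is what the F12 update amounts to until the role-based interface arrives.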

-c
