[Bug 1882098] Re: Packagekit lets user install untrusted local packages in Bionic and Focal
Esko Järnfors
1882098 at bugs.launchpad.net
Thu Sep 3 09:00:42 UTC 2020
Thanks for triaging and investigating this, Julian!
A fix for at least the aptcc backend would be highly appreciated -- I'd
hope the other backends will fix this on their own if they care about
it.
The point of packagekit+policykit is to enable people to do (at least
somewhat limited) stuff without explicit root access -- otherwise you'd
just give them sudo rights and be done with it. In the current
situation, granting a user the right to install ("trusted") packages
actually grants them rights to place arbitrary files in the filesystem
and execute arbitrary code (package scripts) as root, which is at the
very very least highly misleading.
I took a cursory look at the earlier apt backend written in python
(which is now deleted from the packagekit tree) and it at least looked
like it had some logic to decide whether a package can be trusted or not
so it didn't seem like checking where the package is coming from would
be unprecedented.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to packagekit in Ubuntu.
https://bugs.launchpad.net/bugs/1882098
Title:
Packagekit lets user install untrusted local packages in Bionic and
Focal
Status in packagekit package in Ubuntu:
Triaged
Bug description:
We have packagekit configured to allow users to install trusted
packages from preconfigured repositories, but disallowed them to
install any untrusted packages.
The policykit configuration we use is following:
[tld.univ.packagekit]
Identity=unix-group:adm;
Action=org.freedesktop.packagekit.package-install;org.freedesktop.packagekit.package-reinstall;org.freedesktop.packagekit.package-remove;org.freedesktop.packagekit.system-sources-refresh;org.freedesktop.packagekit.system-update;org.freedesktop.packagekit.repair-system;
ResultAny=auth_self
ResultActive=auth_self
ResultInactive=auth_self
[tld.univ.packagekit-deny]
Identity=unix-user:*;
Action=org.freedesktop.packagekit.package-install-untrusted;
ResultAny=no
We would expect this to prevent users from installing local packages
downloaded from random repositories, however this does not seem to be
the case.
pkcon install-local random_package.deb will happily prompt for the
user to authenticate and will install the package, while pkcon
--allow-untrusted install-local random_package.deb will prompt for
root password, which the user does not have.
Our initial toughts was that the issue would be in packagekitd, but
after further investigations it looks like the issue could be in aptcc
backend.
We are more than happy to provide you with further details, but the
above should be enough to reproduce the issue.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/packagekit/+bug/1882098/+subscriptions
More information about the foundations-bugs
mailing list