Home > Fedora 12 > Package Kit’s change means a change in the security posture of Fedora

Package Kit’s change means a change in the security posture of Fedora


I was floored when I learned that PackageKit now allows non-root non-remote non-root users to install signed software packages without being prompted prompting for the root password.  This is a major change to the security posture of the default install of Fedora.  While I don’t have a problem with the functionality, the functionality shouldn’t allow this kind of action by default.  Seth has posted instructions on how to secure the system from unauthorized changes by users.  The bug that was filed against PackageKit had a comment in it saying that this functionality was discussed 9 months ago.  I don’t know who this discussion involved but it would seem that the discussion wasn’t that wide or far reaching.  This would be one of those discussions that needed to touch a larger community.  PackageKit assumes that if Fedora signed the package that it must be okay.  I’d be willing to bet that an admin other computer owners would have a different opinion.  I’m just glad I found this out before upgrading systems at work.

FIX: There is a fix for this vulnerability listed in the Release Notes and the Security Guide. These documents will be updated as new information is released.

UPDATED: Added facts not in hand at the time of the original post.

Advertisements
Categories: Fedora 12
  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s