Builtin Commands:
Manage installed apps and runtimes
install Install an application or runtime
update Update an installed application or runtime
uninstall Uninstall an installed application or runtime
list List installed apps and/or runtimes
info Show info for installed app or runtime
Running applications
run Run an application
override Override permissions for an application
make-current Specify default version to run
enter Enter the namespace of a running application
Manage file access
document-export Grant an application access to a specific file
document-unexport Revoke access to a specific file
document-info Show information about a specific file
document-list List exported files
Manage remote repositories
remotes List all configured remotes
remote-add Add a new remote repository (by URL)
remote-modify Modify properties of a configured remote
remote-delete Delete a configured remote
remote-ls List contents of a configured remote
Build applications
build-init Initialize a directory for building
build Run a build command inside the build dir
build-finish Finish a build dir for export
build-export Export a build dir to a repository
build-bundle Create a bundle file from a build directory
build-import-bundle Import a bundle file
build-sign Sign an application or runtime
build-update-repo Update the summary file in a repository
build-commit-from Create new commit based on existing ref
repo Print information about a repo
Help Options:
-h, --help Show help options
Application Options:
--version Print version information and exit
--default-arch Print default arch and exit
--supported-arches Print supported arches and exit
--gl-drivers Print active gl drivers and exit
-v, --verbose Print debug information during command processing
--ostree-verbose Print OSTree debug information during command processing
Please consider this question before making one-off throwaway accounts here, "Does this really need to be said, if I cannot say it with my real identity?"
Is it more important to you to get your comment posted, or is it more important that you aren't held to account for your statements?
The Polkit delegation is fine-grained. All it allows is managing packages.
Installing packages locally is a management nightmare from a systems administration point of view, and it does not fit the way package managers like APT and RPM work.
In most cases, a machine is used by a single user so it makes sense to allow global package installation, even if the user does not have root privileges.
You can also set up sudo so that it does not require your password for certain commands, that does not mean you are not still getting root to do a thing that requires root permissions.
It sounds like it has been made relatively "safer" but, the comment you linked says that it's the author's opinion it is a bad idea, because the user is doing something they are not allowed to undo. So you are getting root access, via policy.
Why do you need root access when you could just write the package contents out to a directory you control, and run them without any signatures or policy? (Or even with verifying signatures, why not I guess...)
I'm not asking you personally for a position on this, I'm just explaining how it's different... you are still taking root, only through a safety wrapper. The advantages to this that I can see are 1) the user is encouraged to install signed packages, and 2) the sysadmin is empowered to keep the user's installed packages up-to-date.
Those are maybe compelling, but I don't see major advantages. Give me something like rvm+bundler and I'll be a lot happier. (I don't really want sysadmin to have powers to do things that I can't undo, either!)
> You can also set up sudo so that it does not require your password for certain commands, that does not mean you are not still getting root to do a thing that requires root permissions.
The difference is, that this is configured by default on Fedora.
> Why do you need root access when you could just write the package contents out to a directory you control, and run them without any signatures or policy?
Because applications have their paths hard-coded all over the place. Also some packages (e. g. webservers running on port 80) wouldn't work without root anyway.
"By default" is just not very convincing for me. I know that RedHat has some very qualified people working for them, but the user is getting root and doing root things, regardless of whether or not they enter their password, or if the distro has deigned that it's OK.
RedHat has some very peculiar ideas about security, and I'm not saying that in a bad way. Someone decided that this was OK. In the same way, OpenShift (another RedHat product, their Kubernetes distro) decided that it was unsafe to allow users with "project admin" rights to create a DaemonSet within their own project.
After reading their position, I have to say I agree (DaemonSets run with a higher priority than ReplicaSet, so a malicious user could use their Project Admin privileges to swamp an entire cluster, preventing other pods from running. You need the Cluster Admin role for this.)
The fact this is configured by default, does not mean much to me.
If you trust Fedora to review every package for security vulnerabilities before it is signed and released, that's fine! You should, if you are using their distribution. My InfoSec group does not grant root privileges to non-root users without a good reason, and I am certain even explained properly, they would balk and groan about this policy. It is a potential avenue for privilege escalation, and the only reason it could be safe is because of the vigilance of Fedora team. That's convenient, but not very "belt and suspenders" in my opinion.
> applications have their paths hard-coded all over the place
This is open-source, if an application has a hard-coded path, it can be fixed. If it isn't open-source, I'd assume RH won't sign the packages. Good software remains portable by making these things configurable in a .conf or environment variable (and good upstream dev teams will accept patches to make their software more portable).
That is surely a problem as you have highlighted and good software shouldn't have hard-coded paths all over the place without reason. So we shouldn't optimize for that case.
> Also some packages (e. g. webservers running on port 80) wouldn't work without root anyway.
That is by design, that is why those are called privileged ports (<1024.) Maybe it is inconvenient, but how does allowing the user to install a web server as root and start listening on port 80, improve any part of this particular user story?
What exactly is your user going to do with a running web server listening on Port 80 when they still need to be added to httpd group (by root) or they can't write to /var/www, and what's the point of letting them install the package when they still can't make adjustments to /etc/httpd.conf without root access?
> My InfoSec group does not grant root privileges to non-root users without a good reason
This doesn't either.
> This is open-source, if an application has a hard-coded path, it can be fixed. If it isn't open-source, I'd assume RH won't sign the packages. Good software remains portable by making these things configurable in a .conf or environment variable (and good upstream dev teams will accept patches to make their software more portable).
> That is surely a problem as you have highlighted and good software shouldn't have hard-coded paths all over the place without reason. So we shouldn't optimize for that case.
I agree, but I guess it's a lot of work and that's why no one has done it yet.
Polkit works differently then sudo. With sudo, I configure which software a user is allowed to run as root (or another user). With polkit, I configure which privileges a user is allowed to take advantage of while running a particular piece of software.
The problem pointed out by Alert Logic is two fold. First of all, the default polkit configuration on many Unix systems (e.g. Ubuntu), does not require authentication. Secondly, the polkit configuration essentially just maps the "wheels" group, which is commonly used for sudo users, to the polkit "Admin". This gives users in the "wheel" group access to administrative functions, like installing packages, without having to enter a password.
The main risk is privilege escalation. With sudo, an attacker would have to enter the user's password after compromising a lesser user account in the wheel group. With polkit, all it takes is to install a package using the polkit tool "pkcon", which takes advantage of the loose polkit configuration to install packages.
"""
This is from 2014. What has changed since then? Maybe saying "the user gets root" is hyperbole, but the user gains a set of privileges to use in pkcon, via polkit, that they would not normally have. That is the definition of privilege escalation. It's just that in this case, it's hopefully done safely, and so "privilege escalation" does not necessarily carry the connotation of "security vulnerability." It's only one step away: a vulnerability is discovered in pkcon, and now it is an actual security vulnerability.
But you have some bridges to cross before you convince me that it is safe. My Debian systems don't have an equivalent route for users to escalate their privileges when they haven't been granted them explicitly by a system admin.
Edit: and here's a thread from 2009, when this was already the case
> It certainly seems like an easy path to a denial of service: just install everything and run the machine out of disk space.
So, it is already potentially unsafe for the very same reason that my earlier example, DaemonSet, is unsafe for mere project admin! It presents a clear path to DoS for users on any system that is remotely short on disk.
> I agree, but I guess it's a lot of work and that's why no one has done it yet.
If you think that configuring PolKit and SELinux properly for every system that needs to go outside of the policies that RH considers to be sane default, is not a lot of work... I can't really provide an example from inside of the last 10 years to refute that.
The RedHat mark has literally saved me from doing convenient-but-unsafe things at least dozens of times, this seems out of character for them. But it's been policy since at least 2009, and I haven't heard of it being used in any major breaches, so maybe it's actually not so bad.
> But they HAVE this privilege (installing packages) normally in Fedora, so it isn't privilege escalation.
They don't have permission to write files as root without the help of polkit and pkcon. They can write files as root with the polkit policy's help. Broadly, or not... intentionally, or not! As an outsider coming from another distro, I would argue that policy does not follow the "principle of least surprise."
Maybe long-time RH users are already not surprised, it looks like this is in no way a recent change.
> Or just create large empty files??
If you set up sensible per-user disk quotas, you will prevent this. But if the user can write new files to the disk that are owned by root via polkit, then that would enable them to circumvent your per-user disk quotas. They will not own the files that pkcon writes via polkit.
(For a second I was going to suggest it would be worse if they did own the file, because of setuid bits... but then I remembered where this conversation started, and what side of this debate I'm supposed to be on. ;)
Also a setuid bit on a file that you own would only enable you to escalate your privileges to... yourself. I'm sure any packages that have setuid bits are at the top of Fedora's security audit list, though... if you installed a package that installs a binary with setuid bits, that's another possible avenue for privilege escalation vulnerability that you did not have before PolKit opened the window for you.
> They don't have permission to write files as root without the help of polkit and pkcon. They can write files as root with the polkit policy's help. Broadly, or not... intentionally, or not! As an outsider coming from another distro, I would argue that policy does not follow the "principle of least surprise."
There are other services running which create files as root on other distros, too. Have a look in /tmp for example.
> If you set up sensible per-user disk quotas, you will prevent this.
If you are able to set-up per-user disk quotas, you're able to also change the policy.
>There are other services running which create files as root on other distros
Did the user affect the system to create those files?
Assume the user can't install packages, then they can't create these files. (Maybe they can flood them, by sending bad packets, but they don't create them. If a file is created in root's name, because of user activity, then I'd guess the user must have run some setuid program.)
If admin doesn't install some setuid program (or say, an ssh server), there won't be any root-owned file created containing a log of authentication rejects from the ssh server for the user to flood with error messages by sending bad packets.
Maybe the user did cause these files to expand, for example if they are access logs... but generally the only user access activities that are logged are those that are enabled somehow by the system admin.
What user process is creating files in /tmp owned by the root user? X11? Explained by setuid bit, and hardly ever anymore as the user is not responsible for starting gdm.
All I'm saying is, it is against the principle of least surprise for this pkcon to be the default configuration.
Is it true that users need to be in the "wheel" group for this configuration to affect them by default? If so, I withdraw my position. This is an obscure fact that I learned a long time ago, and everyone else should know (I gest) that "wheel" users are administrative users and they will be given opportunities to escalate their permissions (via sudo, or otherwise.)
If you are creating users in the wheel group and you don't know what that means, it's your fault when they get access you didn't mean to give them. If this policy applies to any local user regardless of wheel, then I guess my position stands.
Your argument is that users should know how the system works; I'm saying this system is different than others I've adminned.
If I read the manual in its entirety, then yes, I will know all of the quirks of the system. That's true. Naïvely though, I might have thought as a sysadmin that by configuring a disk quota, I had effectively put an actual cap on how much disk a user could consume.
I would be wrong, surprisingly! (It is surprising, if you haven't just finished having this conversation.) That is a violation of the principle of least surprise.
Please take a look at the nine section treatise on disk quotas from the RHEL7 manual:
Notice the conspicuous absence of any mention of polkit or pkcon? That is because nobody would think the system provides a way for unprivileged users to affect it in a substantial way that circumvents their disk quotas. They're not obviously related, so it is surprising that a default policy makes them related. (I'm not talking about methods that the users can maybe cause a flood in some logs, because log rotation is usually configured by default.)
You generally separate out any directory that has world/user writable directories and files into separate partitions explicitly to prevent resource exhaustion.
Allowing package installations in manner would be forbidden by any security standard.
It is a good default, surprises or unintended consequences aside. As a sysadmin, I don't really want to spend time installing packages for users that I trust with shell access, to require my assistance so they can install signed packages from the OS vendor in the default way.
The firewall is secure by default, and installing packages is not punching holes in it by default, so this is really not as surprising as I thought at first. The user can install packages and ask for my help to punch holes in the firewall, or edit configuration, if needed.
If it wasn't needed, they didn't need to waste any of my time or theirs, talking to me so I could do a visit and put my hands on the machine, give it my superuser password, just to add a new package with the default configuration. And that is a victory.
(I'm just not sure InfoSec group will like it. So let's not tell them.)
yum install --user <pkg>
And have the package expand in, say, ~/.local