Users howl as Fedora 12 gives root to unwashed masses
This story was updated about 11 hours after it was published to reflect that Fedora developers have reversed course. Operating system users once again will be required to enter a root password before installing software packages. Fedora users are revolting against a change introduced in the latest version of the operating …
Even MS has been trying for years to get their 3rd party devs to wake up to the fact that it isn't 98 any more and these sort of things need to be locked down.
Although MS apparently have the patent on dialogs that ask for admin passwords, so maybe this is a ploy by RedHat to not get sued by Microsoft for having an admin request dialog box popup!
Come on though, even Ubuntu, which is targetted at the great unwashed always asks for an admin account password before allowing you to install software. I thought Fedora asks for root password when you install it, Ubuntu locks up root account, unless you deliberatly unlock it. Heck, it even asks you for an admin account trying to start the app that installs the apps!
I read the discussion and the 'hey its only a desktop OS' comment was really an eye-opener, imagine if Microsoft made similar comments about Windows.
The obvious use-case is a family home with parents and various kids. If I'm the admin do I really want my kids by default to have unlimited ability to install any signed app from the repository?
The administrator has to hope that every single application in the repository is bug free and doesn't have an priv escalation exploits. As far as I can see, all it takes for any Fedora 12 installation to be compromised is for someone to discover a hole in any of the apps in the repository.
"Fedora developers participating in the online discussion have so far defended their action." That's a major problem in itself. It's major because they just don't get it. Not only do they not get it, but they are defending something they don't get.
Then they have dug their heels in, because can't bring themselves to admit it is so horribly wrong. No amount of polishing will change that turd into gold.
that will get interesting ...
No root password in Fedora 12 ? So just like Fedora 10 Live and Fedora 11 Live in fact ?
I think user customization of an existing Linux install is a grand idea, within limits. Just make sure that the software packages have nothing to do with the security of the system, or if they can affect security, make sure that the defaults are set to keep the system secure and can't be changed without root access. I could imagine a limited software repository full of useful, throwaway programs like Notepad or Scientific Calculators.
This is the piss poor type of decision that lead to MS Windows' "everyone runs as root because it's easier". Vista (and Vista++) have just started addressing this issue and Red Hat ('s testing ground) are heading away from it.
Utter stupidity.
Security > Convenience
"Fedora developers participating in the online discussion have so far defended their action."
This statement is untrue. A couple of Fedora developers who implemented this have defended it. The vast majority of Fedora developers on the fedora-devel-list have rightly said it's a stupid change (by upstream PackageKit and affecting all distributions that use PackageKit, it's *not* a change made by Fedora).
There's a big meeting on the issue tomorrow (Friday) night and likely it will be reverted.
So, being open works.
WHY???
Are they trying to match MS Windows security or something? It's got to be in the top 10 most stupid security-related changes ever!!
Anyone who needs proper Linux has long switched to "apt-get install light".
Richard Hughes - let that name ring in infamy in the Linux community for this comment: http://bit.ly/40H3Bg
"Fedora developers participating in the online discussion have so far defended their action."
This is something of an over-simplification, though not untrue, it implies that Fedora as a whole is not considering a response to this issue. That's not in fact the case.
This issue will be debated at the Fedora engineering steering committee meeting tomorrow. They have the authority to request changes to this policy if they decide that's appropriate. Or, they could decide that it's a sensible policy and accept it.
There's quite a lot of nuance to this issue; it's worth reading the entire bug thread before losing your cookies. Also worth reading http://docs.fedoraproject.org/release-notes/f12/en-US/html/sect-Release_Notes-Security.html , if you're using Fedora 12 and would like to change this policy; it explains how.
The Fedora project will be making an official statement about this issue quite soon, which will be published on the fedora-announce mailing list; please do keep an eye out for that.
I hope Richard 33 is correct, and this will be fixed quickly. But really, this is typical of the amateurish quality control that attends Fedora. It's a distro that's Not Ready For Prime Time, by design. The churn is incredible, and support goes poof after a year, including security patches, so everyone either upgrades to the latest unstable soup of cool packages once every 12 months or gets left behind.
Fedora reminds me of an aircraft designed, built, and operated by extremely bright seven-year-olds. It's quite an achievement, but I'd rather walk.
come on - give 'em a break ... at least they got root honestly.
to truly screw things up you need root access!
....of software titles on...Linux?
That 'users' would want to install.......
Really?
The change occurred in PackageKit, one of the many projects that feed into many Linux distributions, including Fedora. The change occurred without consultation or announcement with/to the Fedora "management team".
Personally, I think it was a bloody stupid call from Richard Hughes (who, as the saying goes, is "well known" to developers and users alike) - RH is the PackageKit developer. That's not to say that the rest of PackageKit is bad - the rest of it seems OK to me.
As was mentioned, the previous method of authenticating as root the first time, and optionally granting authentication to the user from that point on, worked just fine. Although the decision is not yet made, I suspect that the change will be reverted and pushed out in an update ASAP - at least I hope so.
Keep in mind, Fedora is a cutting edge distro - it will almost always lead the way, both good and bad - and it is not for the faint-hearted. To use Fedora on a server, you would have to have a very peculiar need and a lot of skill ... or be stark raving mad.
How would you regulate that? I mean there's no way to automatically look for exploits even if you've got the source code. Otherwise they wouldn't exist on Linux and Unix systems.
All it'd take is a bit of slightly dodgy code in a Notepad replica to eventually allow a malicious user to blow the system wide open.
The only way would be to either run all applications in a virtualised environment and not allow them access to localhost files or network applications. Which is far more work and hassle for the user than typing in whatever their root password is.
The Unix user security model is the correct way of doing things, especially if you're relying on a third-party repository. I'm not an expert- far from it, in fact- but couldn't you, with just a few lines of code run as root, change the DNS settings so that on an infected system the repository was at a different address? With that you'd be able to get the GUI to install whatever the hell you wanted.
"Come on though, even Ubuntu, which is targetted at the great unwashed always asks for an admin account password before allowing you to install software."
Er, no it doesn't. It asks for your *own* password, the same one you logged on with. And when you say root is "locked", I think the word choice is poor to say the least: You can't log in as root*, but you can do anything whatsoever with root privileges just by giving your own password, as opposed to a separate root password. It's no more secure against the user's malicious intent than Fedora 12, in fact considerably less so as you can do *anything* just by prepending the command with "sudo".
Child: Can I have a cookie?
Mum: No, you'll spoil your dinner.
Child: sudo Can I have a cookie?
Mum: OK, you're the boss!
Ubuntu has been unsuitable for secure multi-user deployment from day 1, by design.
*But you can get what amounts to a root shell just by typing "sudo bash".
See http://lwn.net/Articles/362986/
Please add a update note to the article.
Important note: the policy in question will be changed. Please see:
https://www.redhat.com/archives/fedora-announce-list/2009-November/msg00012.html
and:
https://www.redhat.com/archives/fedora-devel-list/2009-November/msg01445.html
Dan, it would be great if you could update the story to reflect this. Thank you.
havin_it: not to defend Ubuntu, but isn't that only the case for the _first_ user account, and user accounts beyond the first can't install packages via sudo? That's what I figured the default Ubuntu setup was, anyway. Do correct me if I'm wrong.
You must be referring to the initial account you create by default being in the /etc/sudoers file.
Anybody with a brain creates at least one regular use account for security reasons that is not in the sudoers file for everyday use (or simply sets the root password with a sudo passwd and then removes the initial user from the sudoers file) as well as doing a chmod 04750 /bin/su to help prevent regular users from escalating priviledges. I do agree for the default behavior is not good for non-tech users but don't slag the whole distro for something fixed in a few minutes.
At least with Ubuntu using sudo you have to
1. Be on the sudo-ers list
2. Know the account password
Hence on a desktop shared by parents and kids whereby the parent is a sudo-er, unless the kid knows the password to the account they can do fuck all. Better than Fedora 12 then.
After reading the "Roles and Policy" e-mail from David Zeuthan, I should probably wind back my criticism of Richard H. a tad ... although not quite all the way. It seems the PolicyKit control mechanism (kinda like a stop valve) was omitted from Fedora 12 because it's not finished, but the corresponding PackageKit functionality (kinda like a new high-pressure water main) was finished, so that got included. Result: uncontrolled package installations (and we all got hosed).
At least Paris understands that finishing together is usually best.
Waht is small, yellow ,and very, very, very scary ?
A canary with the root password.
linux does have this habit of coming up with astounding stupidity because some developer or other thinks it's a good idea. Putting pulseaudio in production now still isn't a good idea, but a year ago it was downright disastrous. Ripping out the VM and replacing it with something of beta quality in the mainline kernel was even more brilliant. Redhat too did manage to come up with distributions that caused stuff developed on them to be incompatible with everyone else (rh7.* and accompanying "custom" gcc). There are more, and now this one: A security policy framework that come with default policies that clearly show the developer has no idea what security is or how it should work.
The problem is actually a bit different than most of the commenters claim: One major tenet of unix has been user space separation, where one user could not (well, not easily) affect other users' use of the machine. So you could put binaries in your own home directory, but you couldn't install them for everyone else too. This change violated that on the grounds that the packages "are signed", as if that somehow prevents them from doing things the system administrator might not agree with.
If you accept that utter stupidity is the steady state of the universe, it's enheartening to see that loud howling by enough people still works on occasion. A lesson to be learned by governments the world over. It could reduce the need for revolutions.
The final release is an odd place to make such a design decision, surely?
Sorry, you're wrong. You need to have a 'administrator' account to be able to do software installs on Ubuntu (a least on the 8.04LTS I just dialed into), and even then it asks you to confirm your identity by entering your password - presumably to prevent a miscreant from using an admin's account when they're away from their desk (and haven't locked the screen - naughty).
On a normal users account the Add/Remove or Package Manager menu items don't even come up. And sudo use is blocked. So that's in no way like the daft change that this Fedora muppet is proposing - heck, even Windows 7 is better than that!
However stupid the idea, (and it _is_ pretty damn stupid), I will kind of leap to Fedora's defence by pointing out that most folks regard it as the Alpha to Beta stages of RHEL anyway. So hopefully that idea will get deep-sixed when the codebase moves into the RHEL tree.
not just any user can use sudo on Ubuntu, they have to be in sudoers file. Mostly this means that whoever installed the system is the default admin and when creating a new user account later on(if you use the gui) you must specifically select the admin user option in order to give the new account sudo privileges.
PRO TIP: Do some research before making an ass of yourself ;)
Reality check: what possible reason is there to require root privileges to install software? *None*.
1) I spend a lot of time writing, compiling, and running software. I almost *never* need to be root to do this.
2) Anyone can already install, and use, software on any Unix system without being root. The things you can't do are move your files to directories which you don't permissions for, or change the permissions on your files inappropriately. And that's good enough. The Unix *runtime* security model is just fine. If there are security flaws then you should concentrate on fixing them, not nannying the rest of us around.
3) When installing open-source software, I only need to be root to install in the "expected" locations (the 'make install' step); having root privileges simply allows me to move stuff to /bin, or wherever. Most of the time I build and install *without* root privileges.
4) In my industry, no-one installs vendor software in the "expected" locations (/usr, /bin, whatever). It all goes in a dedicated top-level directory. *Any* user can install there and run the software. It would be really, really, stupid to have 5 different versions from 10 different vendors cluttering up the standard paths, quite apart from the difficulty of selecting the required version.
5) When I've worked with customers who run Windows, no-one has ever stopped me from installing software without an admin password (although, if necessary, IT will just give me the admin password anyway). It would be crazy to stop trusted users installing software - IT would spend their whole lives running around installing things, and no-one would ever get anything done.
6) This sort of stupidity leads to real problems. On Windows, I can do transparent updates on, for example, Firefox. I don't think I can do this on Linux at all (or possibly I can if I run Firefox as root, but I'm certainly not going to do that). This is just plain dumb, and means that I always run an old Firefox on Linux; it's just too difficult to upgrade. Surely this is a *major* security vulnerability? I already have an implied contract with Mozilla; I trust them to send me non-malicious code. Unfortunately, some anal retard in the Linux world has decided that I'm not smart enough to undertake this contract, and that I need to be protected for my own good.
7) And so on.
If there's a specific problem with installing RPMs then *that* needs to be fixed. In the real world, the customer is king; it's this sort of blinkered thinking that has given Linux its 1% market share.
Exactly what I was thinking. I would have thought that Fedora, like most other major distros, should have a feature freeze where no new versions of a given package are introduced except for essential bug fixes.
This does fail from time to time - OpenSUSE introducing a dodgy KDE network manager in a late beta version of 11.1 comes to mind. I thought Fedora would be above that, though, especially as they aren't afraid to delay a release if they need to fix a critical bug.
But both OpenSUSE and Fedora, to their credit, are quick to fix major problems like this.
Ubuntu doesn't require the root password to install new packages (software for uninitiated), in fact they don't require the root password for anything, preferring to hand out root privileges to ordinary users by default.
Replying to Carlo Graziani:
I don't think Fedora is amateurish at all - in fact, if anyone is "amateur", it's the Ubuntu team for releasing frankly awful versions (9.04 was poor, 9.10 is a disaster). Fedora 11 is sweet and I'm about to install Fedora 12 (and the PackageKit "fix" hopefully!) and expect it to be just as good.
And if you don't like Fedora's cutting edge nature, get on the "slow train" with CentOS - much more conservative and updated far less often, but no doubt you'd complain that's it's not up-to-date enough! For home desktop distros, you really do want to be following close to the bleeding edge because of all the new hardware coming out.
For me, Fedora is the "best blend" Linux distro out there - it has innovations with every release (far more than Ubuntu does generally), it comes with sensible defaults/packages (this brief PackageKit fiasco excepted) and is updated regularly. I have no problem doing an annual upgrade of my default desktop (yes, I have been known to skip a Fedora release when I didn't like it) - heck, Windows has to be re-installed every 6 months to "clean it up" and at least Fedora major upgrades are totally free, unlike Windows.
"Fedora developers participating in the online discussion have so far defended their action. "
It's a sad day when Fedora developers start to think like Microsoft. MS is serious brain disease, in both senses of the word.
"Reality check: what possible reason is there to require root privileges to install software? *None*."
Well, then reality isn't obviously your strength, my friend.
In MS-systems everybody can look what other users have written or monitor their network traffic in real time, but in real OS'es that's a no-no, unless you are the root. Even machine owner isn't root by default. That's called security and 'need-to-know'-principle.
"Although Fedora is mostly known as a desktop OS, it's not unheard of for enterprises to use it to run servers. That's always been a questionable practice, but given the implications of Fedora 12's new feature, the security implications have never been higher."
Indeed. Am currently in the process of rebuilding/upgrading Fedora boxes to CentOS after a thankful change of policy/tack. I have no idea why someone thought using an OS that changes every 6-9 months whilst obsoliting previous versions was a go-er. Trying to find certain RPMs when someone has blown away an old Fedora install share is just a can of worms...
"On Windows, I can do transparent updates on, for example, Firefox. I don't think I can do this on Linux at all."
It always easier not to think than to know, isn't it? Obviously enabling automatic updates (exactly same option than in Windows) is too hard for you?
" This is just plain dumb, and means that I always run an old Firefox on Linux; it's just too difficult to upgrade."
No, it means you are too dumb to run Linux at all.
Okay so it's heresy but is it anything more than a snub to orthodoxy?
It may (possibly) foil an automated process but why is it inherently more secure for a user to have to type in a password?
If you deny them that password you're left with them having to ask someone if they want a new calculator installed, if you give it to them they can install what they like and not just from a signed repository.
It's this sort of rigid adherence to laudable but inflexible dogma that pushes big spending companies into the arms of Microsoft and their no doubt technically inferior, but massively more pragmatic, products for managing a large number of users with different requirements.
If there's only one account on the machine, and that account has root privs, then it's ridiculous to ask for a password. (Ie Unix/Linux distros are ridiculous when there's one user, or where all users are trusted.)
Passwords and usernames should be explicitly hidden away UNLESS the purchaser asks for them (because they need to protect the machine from certain users).
If I want Linux on my home PC, any Linux, and I don't need to protect it from anyone, then Linux has no business demanding usernames and passwords before doing what I tell it.
Imagine if your microwave had some pointless feature (like my PC does) where it allowed different users to log on (for different defaults and preferences, say) and then demanded a password before letting you do something it thought a was bit unusual? And actually refused to do it if you got the password wrong!
Muppets.
Remote processes attempting to run RPM or YUM on your machine (or perform any other sensitive action).
I'd rather be harassed for the root password than know that any idiot/robot could alter my core config or install/uninstall software and thoroughly fuck up my install.
The strength of *nix has always been that it made as few assumptions as possible. Claiming that Fedora is 'only a desktop OS' is an enormous assumption. They should not presume to know how the machine will be used.
> It always easier not to think than to know, isn't it? Obviously enabling automatic
> updates (exactly same option than in Windows) is too hard for you?
No. Most distro Firefoxs have automatic updates disabled, for exactly the reasons that Fedora uses to justify not allowing plain users to "install" software. The distro expects you to use their own update mechanism, but then conveniently forgets to inform you about security fixes, and also conveniently forgets to actually provide the new package. Google it.
Yes, I could sort this out by installing direct from Mozilla, into my home directory, and making sure that the appropriate directories have write permissions. But why bother? On Windoze, it Just Works.
And, of course, you can't update at all to Firefox 3 on RHEL4-vintage distros, short of carrying out the brain surgery required to turn it into RHEL5. Which would rather defeat the purpose of using a stable supported enterprise-level OS.
OK lads, consider dressing-down administered and received. Embarrassingly, I have installed Kubuntu for my GF and have played around with it a fair bit myself, but didn't know that secondary user-accounts would differ from the primary one in that you'd have to explicitly give them the same sudo-powers. For me (as for many other users, I suspect) it never came up.
On basis of this I take the point that it's not as bad as what Fedora was doing, but then neither is Windows. This to my mind puts Ubuntu at about the same place as Windows Vista and 7, since the unprepared single-user installer (er, like me) will breeze into an admin-level account without really being advised against using that same account day-to-day, though at least you have the prompts to alert you when a system-level operation is being attempted.
Yep, it's the one with Ubuntu For Dummies in the pocket...
The feature was actually in there in Beta (and, I think, Alpha). The problem is that packages in the development tree are not signed at that point in the process - they only start getting signed quite late, around RC freeze point. So no-one testing the Alpha or Beta noticed this because they were never installing 'trusted' packages, because none of the packages they installed were signed...and they were always asked to authenticate.
Hold on, I've got a phone call for you - fellow named Murhpy...:)
Run as root do what the hell you like in a tightly confined virtual machine on the host OS without damaging the host. Simples. Over to you linux
". I could imagine a limited software repository full of useful, throwaway programs like Notepad or Scientific Calculators."
I think that would be a great idea, not only for the convenience of installing simple programs, but because it would force a stronger intellectual separation between 'system-like' and 'user-like' applications.
Unfortunately, these days, even a replacement for 'cat' in Linux would probably be inextricably linked to 2 sound servers, three UI frameworks, SQLite, and LDAP.
@Displacement Activity
I was going to give you a reasoned critique of all the errors in your post... but I just cant be arsed as you are so obviously full of it.
I call bullshit.
But I cant help myself answering a few that are real howlers :P
>5) When I've worked with customers who run Windows, no-one has ever stopped me from installing software without an admin password (although, if necessary, IT will just give me the admin password anyway). It would be crazy to stop trusted users installing software - IT would spend their whole lives running around installing things, and no-one would ever get anything done.
LOL you obviously haven't worked for many large enterprises as they spend a lot of time and money locking down the user desktop so that the users gets what they are given and installing stuff yourself is a sacking offence.
Also they spend a bit on scanning for unapproved apps as well - so if you are a smug user who is sitting there thinking "I renamed it and put it elsewhere" - yeah we know and your manager & HR will be getting a report rsn.
>IT would spend their whole lives running around installing things, and no-one would ever get anything done.
LOL that is the absolute limit - laughed and laughed at that one.
They buy a Electronic Software Deployment program to do do this remotely you nugget.
>6) On Windows, I can do transparent updates on, for example, Firefox. I don't think I can do this on Linux at all (or possibly I can if I run Firefox as root, but I'm certainly not going to do that).
Well this is because the distro will look after this for you.
>This is just plain dumb, and means that I always run an old Firefox on Linux; it's just too difficult to upgrade. Surely this is a *major* security vulnerability?
No as they will push out a security update once they have checked it wont break things.
>I already have an implied contract with Mozilla; I trust them to send me non-malicious code. Unfortunately, some anal retard in the Linux world has decided that I'm not smart enough to undertake this contract, and that I need to be protected for my own good.
Yes lets take them in order:
>not smart enough
Check
>need to be protected for my own good.
Check
You have just proved all that from your comment. It could be that this is not _totally _ your own fault, as "Linux is not Windows" (TM) and it does take a little time to see the benefits.
Your distro has, very kindly, agreed to take this burden off you. That is unlike windows your distro will update Firefox for you, they will even test as well, add it to the repositories and digitally sign it so you know it is safe.
If you did want to update manually it is very easy - loads of guides out there.
If you don't know how and haven't bothered to learn - then you are the last person who should be doing it.
you should change your name to Cowboy_Dev as it would save us all some time... or not as you were very entertaining :)
Red Hat did this on purpose to expose more people to the wonders of PackageKit, it actually an awesome piece of software that could make admins lives much easier. I commend Red Hat/Fedora for thinking outside the box and making GNU/Linux better, they're willing to take heat if they think they're bettering the whole community. All these FotM Ubuntu tools smack talking Red Hat & Fedora need a history lesson in Linux development and research who maintains the majority of core packages.
/salute Fedora & Red Hat
Sign up, sign up for The Register's weekly IT security newsletter - click here
