Security and PackageKit This document is a brief overview of security policies and notes about security in the PackageKit project. It has been written by the PackageKit authors, and should not be treated as independent analysis. This document has been written as packagekitd is a system activated daemon running as the root user (uid 0), which means the package management system is run as root also. The daemon receives untrusted input from the client, which means the daemon is security sensitive. First, a high level overview, in this case using the yum backend as an example: gpk-update-icon gpk-application | _______/ [DBUS] __[DBUS]__/ | / packagekitd -- [DBUS] -- polkit-daemon-1 | [pipe] | yumBackend.py (using yum) packagekitd does not expose itself remotely over XMLRPC or other remote interface, and so a remote denial of service or exploit is impossible without a serious exploit of other services such as DBus. It advertises a simple interface that can be queried by clients in unprivileged and privileged modes. The privileged modes are controlled using PolicyKit, and policy and the authentication mechanism is deferred to the polkit-daemon-1 service. When a privileged method is executed, the daemon asks polkit-daemon-1 for authentication, which then blocks until the authentication is completed. This is handled asynchronously, and the daemon can process other requests whilst waiting for user input. The packagekitd daemon is started using DBus system activation, which means it is started without any environment (no PATH, etc) and therefore is impossible to exploit by preloading other libraries. It is also running as uid 0, and so requires root privileges to inject code into it. A typical transaction would be for the client to request a TID (transaction ID) to which the server responds by creating a transaction instance and exposing this on the system bus. The client then connects to this interface, and executes the chosen method. This method will emit signals such as ::Package(), then ::Finished() and then after a number of seconds ::Destroy() which will remove the interface from the bus. Attack vectors: * A client could cause a local DoS (denial of service) by repeatedly calling GetTid without then calling a method to use this TID. This is mitigated by timing out Tid request after a present number of seconds, and the effect can be limited with a config variable (SimultaneousTransactionsForUid). * Local DoS by repeatedly calling non-privileged methods such as Resolve and SearchName. This could be mitigated by limiting the number of requests per second for a certain seat, although no code has been written to do this at present. * A privileged method could be requested and then ignored or hidden by the window manager. This is mitigated by not blocking the daemon when processing authentication, and timing-out the authentication after a number of seconds if authentication credentials are not supplied. * Passing untrusted input to the backend which could be used to crash and exploit the underlying package system. This is mitigated by rejecting invalid input to methods, and testing filenames for existence before they are passed to the backend. * A session service can be written to automatically authenticate methods, and replace the native client. This is hard to mitigate, as as soon as you have untrusted code running in the session, it's very easy to load exploit code using GTK_MODULES into previously trusted applications, such as gpk-application. * Issuing a large amount of data to a method to cause a local denial of service, for instance calling Resolve with millions of parameters. This is mitigated in the daemon by checking for a sane number of requests (MaximumPackagesToProcess) for each method, and also limiting the total length of the data.