packagekit/docs/security.txt

			Security and PackageKit

This document is a brief overview of security policies and notes about security
in the PackageKit project. It has been written by the PackageKit authors, and
should not be treated as independent analysis. This document has been written as
packagekitd is a system activated daemon running as the root user (uid 0), which
means the package management system is run as root also. The daemon receives
untrusted input from the client, which means the daemon is security sensitive.

First, a high level overview, in this case using the hif backend as an example:

  gpk-update-icon      gpk-application
        |                 ___/
     [D-Bus]  __[D-Bus]__/
        |    /
   packagekitd -- [D-Bus] -- polkitd-1
        |
      thread using libhif (using librepo, hawkey, etc)

packagekitd does not expose itself remotely over XMLRPC or other remote
interface, and so a remote denial of service or exploit is impossible without a
serious exploit of other services such as D-Bus. It advertises a simple interface
that can be queried by clients in unprivileged and privileged modes.
The privileged modes are controlled using PolicyKit, and policy and the
authentication mechanism is deferred to the polkitd-1 service.

When a privileged method is executed, the daemon checks with polkitd-1 daemon
for whether the client is authorized for the action it wants to perform.
This may involve the user authenticating that they are either the user (by
typing their password) or that they are an administrative user (by typing the
root password or the password of a user designated as an administrative user).
The authorization check can take some time, but the daemon can process other
requests whilst waiting for user input. Please see the the PolicyKit-1 man page
for more information.

The packagekitd daemon is started using D-Bus system activation, which means it
is started without any environment (no PATH, etc) and therefore is impossible to
exploit by preloading other libraries. It is also running as uid 0, and so
requires root privileges to inject code into it.

A typical transaction would be for the client to request a TID (transaction ID)
to which the server responds by creating a transaction instance and exposing
this on the system bus. The client then connects to this interface, and executes
the chosen method. This method will emit signals such as ::Package(), then
::Finished() and then after a number of seconds ::Destroy() which will remove
the interface from the bus.

There is a concern that a session service can be written to automatically
authenticate methods, and replace the native client, but this is not possible.

When authenticating, polkitd-1 passes a cookie to the authentication agent. If
the user enters the right password, the authentication agent calls
AuthenticationAgentResponse on the Authority with the cookie for the
authentication request. If the caller of AuthenticationAgentResponse is not
uid 0, then it is ignored.

The authentication setuid root polkit-agent-helper-1 only decides to invoke this
method if the user actually successfully authenticated. This of course relies on
polkit-agent-helper-1 being a secure program. This is easy to verify since
this is just over 300 lines of code and only depends on PAM (which is supposed
to be secure) up until we have decided that the user successfully authenticated.
Only when that is done, we initialize other libraries to send the message.

Possible attack vectors:

 * A client could cause a local DoS (denial of service) by repeatedly calling
 CreateTransaction without then calling a method to use this TID. This is mitigated by
 timing out Tid request after a present number of seconds, and the effect can be
 limited with a config variable (SimultaneousTransactionsForUid).

 * Local DoS by repeatedly calling non-privileged methods such as Resolve and
 SearchName. This could be mitigated by limiting the number of requests per
 second for a certain seat, although no code has been written to do this at
 present.

 * A privileged method could be requested and then ignored or hidden by the
 window manager. This is mitigated by not blocking the daemon when processing
 authentication, and timing-out the authentication after a number of seconds if
 authentication credentials are not supplied.

 * Passing untrusted input to the backend which could be used to crash and
 exploit the underlying package system. This is mitigated by rejecting invalid
 input to methods, and testing filenames for existence before they are passed
 to the backend.

 * Issuing a large amount of data to a method to cause a local denial of
 service, for instance calling Resolve with millions of parameters. This is
 mitigated in the daemon by checking for a sane number of requests
 (MaximumPackagesToProcess) for each method, and also limiting the total length
 of the data.

 * The HTTP and FTP proxies that are sent by the session may contain embedded
 usernames and passwords. Whilst these are sent in plain text over the system
 D-Bus (FIXME?), the database is not be readable by users (mode 0640).

 * The matching of UID and session to proxies assumes that the user cannot
 modify the login UID, and cannot spoof a session in ConsoleKit. If a user were
 able to change the apparent UID, then this would allow them to use proxy
 settings set from another user.
 This is manifested when a graphical application is run using sudo (which you
 should never do, but I digress) and different proxy settings may be used from
 the user settings. It also allows applications run using sudo to use the proxy
 specified by root, which may be different.

 * We save the UID and session to a database to get the proxy state for each
 transaction. If the user is able to create a large number of different sessions
 then this will add many entries to the database. Some rate-limiting could be
 added to ConsoleKit or PackageKit to solve this, but has not been done at this
 time.