From 9a276f6ec7cc270f07aab6f0be5e37891d36d2f0 Mon Sep 17 00:00:00 2001 From: Richard Hughes Date: Mon, 13 Jul 2009 10:45:24 +0100 Subject: Add a security document after some initial review --- docs/api/.gitignore | 1 + docs/security.txt | 78 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 79 insertions(+) create mode 100644 docs/security.txt (limited to 'docs') diff --git a/docs/api/.gitignore b/docs/api/.gitignore index f580302c9..3c13afb91 100644 --- a/docs/api/.gitignore +++ b/docs/api/.gitignore @@ -4,6 +4,7 @@ Makefile.libs *.bak *.gcno *.out +*.txt tmpl xml html diff --git a/docs/security.txt b/docs/security.txt new file mode 100644 index 000000000..5aff5a2d1 --- /dev/null +++ b/docs/security.txt @@ -0,0 +1,78 @@ + Security and PackageKit + +This document is a brief overview of security policies and notes about security +in the PackageKit project. It has been written by the PackageKit authors, and +should not be treated as independent analysis. This document has been written as +packagekitd is a system activated daemon running as the root user (uid 0), which +means the package management system is run as root also. The daemon receives +untrusted input from the client, which means the daemon is security sensitive. + +First, a high level overview, in this case using the yum backend as an example: + + gpk-update-icon gpk-application + | _______/ + [DBUS] __[DBUS]__/ + | / + packagekitd -- [DBUS] -- polkit-daemon-1 + | + [pipe] + | + yumBackend.py (using yum) + +packagekitd does not expose itself remotely over XMLRPC or other remote +interface, and so a remote denial of service or exploit is impossible without a +serious exploit of other services such as DBus. It advertises a simple interface +that can be queried by clients in unprivileged and privileged modes. +The privileged modes are controlled using PolicyKit, and policy and the +authentication mechanism is deferred to the polkit-daemon-1 service. + +When a privileged method is executed, the daemon asks polkit-daemon-1 for +authentication, which then blocks until the authentication is completed. This +is handled asynchronously, and the daemon can process other requests whilst +waiting for user input. + +The packagekitd daemon is started using DBus system activation, which means it +is started without any environment (no PATH, etc) and therefore is impossible to +exploit by preloading other libraries. It is also running as uid 0, and so +requires root privileges to inject code into it. + +A typical transaction would be for the client to request a TID (transaction ID) +to which the server responds by creating a transaction instance and exposing +this on the system bus. The client then connects to this interface, and executes +the chosen method. This method will emit signals such as ::Package(), then +::Finished() and then after a number of seconds ::Destroy() which will remove +the interface from the bus. + +Attack vectors: + + * A client could cause a local DoS (denial of service) by repeatedly calling + GetTid without then calling a method to use this TID. This is mitigated by + timing out Tid request after a present number of seconds, and the effect can be + limited with a config variable (SimultaneousTransactionsForUid). + + * Local DoS by repeatedly calling non-privileged methods such as Resolve and + SearchName. This could be mitigated by limiting the number of requests per + second for a certain seat, although no code has been written to do this at + present. + + * A privileged method could be requested and then ignored or hidden by the + window manager. This is mitigated by not blocking the daemon when processing + authentication, and timing-out the authentication after a number of seconds if + authentication credentials are not supplied. + + * Passing untrusted input to the backend which could be used to crash and + exploit the underlying package system. This is mitigated by rejecting invalid + input to methods, and testing filenames for existence before they are passed + to the backend. + + * A session service can be written to automatically authenticate methods, and + replace the native client. This is hard to mitigate, as as soon as you have + untrusted code running in the session, it's very easy to load exploit code + using GTK_MODULES into previously trusted applications, such as gpk-application. + + * Issuing a large amount of data to a method to cause a local denial of + service, for instance calling Resolve with millions of parameters. This is + mitigated in the daemon by checking for a sane number of requests + (MaximumPackagesToProcess) for each method, and also limiting the total length + of the data. + -- cgit v1.2.3