WRT this, I think there are potentially greater problems. Fedora has standards of packaging specification review, but not so much review of package content or updates (beyond, perhaps, diffs to the specfile, which go to a mailing list in CVS — the tarballs are not subject to close inspection). While it is bad enough that this allows a user to install a well-intentioned package with an unpatched vulnerability when it is not otherwise installed (requiring first some form of local access, or another exploit or bridge sufficient to talk to dbus?), what is not mentioned is that it is fairly easy for a person to masquerade as a good guy, package a popular technology, and replace it with a disguised evil payload six months later. RPM scripts run as root, and are just as dangerous as the software they install.
I don’t know exactly /how/ you fix that attack vector, it is a social one. So if Fedora is thinking about reviewing security policies, also consider we don’t /really/ know everyone, and we can’t know. I would be more worried about that than the PackageKit one. With the PackageKit one, I’d just mostly be really annoyed that someone I gave an account to could fill up my hard drive space and I wouldn’t know exactly what they installed so I could clean up after.
My point is that even though the package is signed, that doesn’t mean it is (necessarily) safe. More reason for not allowing extra people to install packages.
I’m only bringing this up because I get tired of fighting off Ubuntu people, and such security features as PackageKit being wide open do not make it easy. With all the attention on SELinux, etc., I see no reason Fedora could not be both usable and also a security bastion with a reputation similar to OpenBSD’s. In the worst case, perhaps just ask the user what they want in the installer and default to some of the more secure options — or default to the most secure options and provide a setting in a configuration panel somewhere to open it up.
BSD ports suffer from the same problems. *BSD is secure because the devs have fine-grained control of the stack.
Of course requiring root to install software is an “arse covering” thing… A bit like “show the list of updates and decide whether to patch the machine” as if the user has a clue.
If software doesn’t have root components there shouldn’t be a problem (heck, Fedora ships with a user-accessible gcc, right?).
This is the new computing world. You don’t need permission from root to view http://www.filbert.com, so why is this more or less safe than downloading and playing pong? Security of a user’s data is SELinux’s problem, !not! an excuse for a “click ok to continue” dialog because we still haven’t got to where Java was in Netscape 2.0…
I think SELinux is attempting to provide a language agnostic sandbox, the trick is to just make it automatic enough to run Pong in it automatically, and keep people from having to write policy … ever.
” and I wouldn’t know exactly what they installed so I could clean up after.”
/var/log/yum.log ?
Perhaps…. although that’s not as easy as saying “rollback to timestamp” as you’d still have to parse the log. That all being said, it shouldn’t be possible to begin with.
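The last two comments ask whether /var/log/yum.log is enough to work out what another user installed and to undo it. The script below is an added example, not code from the thread or from Fedora/yum: it parses yum.log lines in the format the example assumes (“Mon DD HH:MM:SS Action: name-version-release.arch”, with older yum writing only the package name on “Erased” lines), lists every transaction after a given timestamp, and turns that into a review list of yum commands that would reverse them. The log lines are constructed sample data, and the year must be supplied because yum.log lines do not record one.

```python
import re
from datetime import datetime

# Constructed sample lines in the /var/log/yum.log format this example assumes
# (this is not a real log; older yum writes only the name on "Erased" lines).
SAMPLE_LOG = """\
Oct 01 09:12:03 Installed: vim-enhanced-7.2.65-1.fc10.x86_64
Oct 02 14:31:10 Updated: bash-3.2-30.fc10.x86_64
Oct 03 21:05:44 Installed: gnome-games-2.24.1-1.fc10.x86_64
Oct 03 21:05:45 Installed: gnome-games-help-2.24.1-1.fc10.noarch
Oct 04 08:00:01 Erased: tcsh
"""

LINE_RE = re.compile(
    r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) (Installed|Updated|Erased): (\S+)$"
)


def log_timestamp(year, stamp):
    """yum.log lines carry no year, so the caller supplies it (a real log
    that spans a year boundary needs to be split before parsing)."""
    return datetime.strptime("%d %s" % (year, stamp), "%Y %b %d %H:%M:%S")


def package_name(nevra):
    """Strip '.arch' and '-version-release' from a NEVRA string. Package
    names may themselves contain dashes, so split from the right."""
    if "." not in nevra or "-" not in nevra:
        return nevra  # an 'Erased' line that only carries the bare name
    return nevra.rsplit(".", 1)[0].rsplit("-", 2)[0]


def parse_yum_log(text, year):
    """Return (timestamp, action, nevra) tuples for every transaction line;
    anything else in the file is skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entries.append((log_timestamp(year, m.group(1)), m.group(2), m.group(3)))
    return entries


def changes_since(entries, since):
    """Everything that happened strictly after the given datetime."""
    return [e for e in entries if e[0] > since]


def rollback_plan(changes):
    """Suggest one yum command per change, newest first, so that the list
    can be reviewed before anything is run. Assumptions: 'remove' undoes an
    install (it may drag dependents with it), 'downgrade' undoes an update
    only if the previous build is still available in a repository, and
    'install' undoes an erase (it brings back the current build, not
    necessarily the one that was removed)."""
    undo = {"Installed": "remove", "Updated": "downgrade", "Erased": "install"}
    return ["yum %s %s" % (undo[action], package_name(nevra))
            for _, action, nevra in reversed(changes)]


if __name__ == "__main__":
    entries = parse_yum_log(SAMPLE_LOG, 2008)
    for cmd in rollback_plan(changes_since(entries, log_timestamp(2008, "Oct 02 00:00:00"))):
        print(cmd)
```

On a real machine the `SAMPLE_LOG` string would be replaced by the contents of /var/log/yum.log; the point of the review list is that the log tells you what changed and in what order, but not what the system looked like before the change, which is why the commenter’s “rollback to timestamp” still takes a human reading the output.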