Fedora 12 grants users install privilege - Update 2
An undocumented change in Fedora 12 that allows installation of software from repositories without a prompt for the root password has caused consternation amongst Fedora users. The change in the PolicyKit security policy is intended to make the system easier for desktop users and allows a system console user (the console being the locally attached display, keyboard and mouse) to install a signed software package from a signed repository without being prompted for an administrator's password. Remote users and users not on the system console are still prompted for a password, as are console users if the repository or package is unsigned, or if the signatures require updating.
The change has upset many who believe that it opens up the system to a new range of possible attacks, from a denial of service by simply installing as much software as possible to fill up the hard disk, to a privilege escalation exploit where an attacker could download a package with a known vulnerability from a repository and then exploit that vulnerability. Some Fedora developers say that these scenarios are mitigated by the fact that the user must be on the physical console of the system for the privilege to be automatically granted and that the change only affects the desktop versions of Fedora 12. Other developers have pointed out that this could still allow for an attack, for example where the user's browser is compromised, allowing the attacker to then attempt to install a vulnerable package and use that to gain administrator privileges.
For users who wish to return to the policy of always prompting for a root or administrator password, the command:
pklalockdown --lockdown org.freedesktop.packagekit.package-install
run as root, will disable the automatic privilege escalation. Unfortunately, according to a blog posting on the subject, the pklalockdown command is being removed from future versions of PolicyKit, which means that restoring the earlier security policy will become more complicated. Of course, the developers may yield to user pressure and revert to the old security policy.
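As an added example that is not part of the original article: the pklalockdown command simply writes a PolicyKit Local Authority override file, and the same override can be written by hand on systems where the command is unavailable. The file path, group name and key names below follow polkit's local authority .pkla format and are assumptions, not details taken from the article.

```ini
# Added example (not from the article): a hand-written PolicyKit Local Authority
# override equivalent to running
#   pklalockdown --lockdown org.freedesktop.packagekit.package-install
# Assumed path: /etc/polkit-1/localauthority/50-local.d/10-packagekit-install.pkla
# (50-local.d is the administrator's directory; files in 90-mandatory.d take
# precedence over it, which is where pklalockdown placed its own file).
[Require admin password to install packages]
# Apply to every local user account.
Identity=unix-user:*
# The PackageKit action that the Fedora 12 change granted to console users.
Action=org.freedesktop.packagekit.package-install
# ResultActive covers the active local console session (the case Fedora 12
# made prompt-free); ResultInactive covers inactive local sessions and
# ResultAny covers everything else, such as remote or SSH users.
# auth_admin_keep = prompt for an administrator's password and cache the
# authorisation briefly; use "no" instead to refuse installation outright.
ResultActive=auth_admin_keep
ResultInactive=auth_admin_keep
ResultAny=auth_admin_keep
```

With the file in place, `pkcheck --action-id org.freedesktop.packagekit.package-install --process $$ --allow-user-interaction` run from a console terminal should prompt for a password rather than succeed silently (pkcheck options assumed from polkit's documented usage).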
Update - The Fedora developers have now documented the change made in the security policy.
Update 2 - The package maintainers have now agreed to provide an update for Fedora 12's PackageKit that will require users to enter the root password to install new software packages. Details about the changes can be found in this post on the Fedora mailing list.