[Novalug] Needing root/admin password to install an application: Is this a significant network vulnerability?

Peter Larsen peter@peterlarsen.org
Sun Jul 12 16:48:09 EDT 2015


Alan,
Based on our talk yesterday at the monthly meeting, I thought I wanted
to make a quick summary here.

The way I understand your question is, that if you can install a piece
of software in a virtual machine, why do I need to use an admin password
(inside the virtual machine) if the virtual machine is running security
on the host OS?  We discussed whether virtual machines were actually
secure on the hypervisor - and with some hypervisors that is the case,
others not so much (not everyone uses SELinux and kernel based security
to separate the process spaces between the VMs). But assuming you had
this level of security, that's still not enough.

Security is layered. It's an attempt to add protections against
unexpected as well as expected attacks. By locking things down to
prevent "crazy things" like changing your own binary code, we can
prevent bad programs from getting worse. While you're absolutely right,
as you pointed out, if you're just a single user why does it matter?
Logged on as yourself, shouldn't everything run as yourself was your
question - and the short answer is, no. That's really the worst thing
you can do. It's why Windows needs "anti-virus" because everything can
become trusted so quickly. If you run a Windows box like you do a Linux
(it has the same abilities) it pretty much takes away the need for
anti-virus and all that junk - but it means normal users cannot install
printers, add-ons to browsers and much more. And Microsoft as well as
Apple put usability first not security. So it means, that software like
LibreOffice isn't really installed as you. It's installed so _all_ users
on your system can share the binaries, and only the admin can change it.
This means, that should you try to open a document which has a macro
that attempts to download and override the "oowrite" binary, it will not
be successful - you don't have privileges to do that. It's one of the
layers of security you have. Other layers like SELinux prevent bad code
from opening backdoors to your system through OpenOffice. But you still
have the updater such as yum and apt which alerts you to updates when
they come out.

Today we have tools like sudo (ok, that's really old) and polkit which
makes it easier to get elevated privileges when needed. You never use
the admin password, but you are prompted to verify your password so a
script cannot just go bonkers and do things without your permission. 
All of this is true for the content of a VM too. So even though the code
inside the VM may be securely locked so it cannot access other VMs, the
code itself inside the VM is still vulnerable to issues - and if your VM
can just download bad stuff, you have a severe security issue even though
contained to a specific VM. But imagine if that VM uses shared storage
for documents or music, what it could do to that if compromised?

I mentioned that developers create a full user owned installation of
code they do. For instance, those who compile and maintain Apache httpd
will build it all in a user read/writable directory while they build and
test things. They do so in a "mock" system that looks like it would
actually do file location wise, but they don't need to become root just
to test the code. But that's _NOT_ a secure execution environment. When
the developer packages the code, it will be packaged to require root and
other users (like the apache user) to install.  In the old days of
tar-balls, that's how we built things - all under a single user. We
could actually execute things like that, but we did run "make install"
as a privileged user to install things with the proper privileges and
protections. And that's basically what rpm and deb files are still doing.

So because we need that separation at run time, I don't see a time where
we wouldn't need system privileges to install stuff. If you don't care
about security - looking at everything like a Windows98 box - then yeah,
you can ignore all of these things but you probably remember all the bad
things that could easily happen on Windows98?

-- 
Regards
  Peter Larsen
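The argument above rests on one concrete mechanism: system binaries such as the LibreOffice writer executable are owned by root in a root-owned directory, so code running as the logged-in user cannot overwrite them, while anything installed "as you" can be. The following script is an added example, not code from this thread or from any distribution; it audits a list of directories (your PATH by default) and reports every directory or regular file that a given uid could modify, applying the POSIX owner/group/other rule directly to the permission bits so the answer does not change depending on whether the script itself happens to run as root. The `demo()` function builds a constructed scratch tree (the names `oowrite` and `helper` and their modes are assumptions for the demonstration) and shows the difference between the view of the file owner and that of an unrelated uid.

```python
"""Audit which executables, and which directories holding them, a given uid
could modify. Uses the POSIX permission-bit rule instead of access(2) so the
result is about the bits, not about who is running the script."""
import os
import shutil
import stat
import tempfile


def writable_by(st: os.stat_result, uid: int, gids: frozenset) -> bool:
    """Discretionary check: owner bits apply if uid owns the file, otherwise
    group bits if one of the caller's groups owns it, otherwise 'other' bits.
    uid 0 is deliberately not special-cased: the question is what the bits
    grant, not what root could override."""
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def audit_dirs(dirs, uid, gids):
    """Return sorted (path, reason) pairs for every directory in `dirs` the uid
    could write (drop or replace a binary without touching the file's own bits)
    and every regular file inside it the uid could modify in place.
    Missing or non-directory entries are skipped."""
    gids = frozenset(gids)
    findings = []
    for d in dirs:
        try:
            dst = os.stat(d)
        except OSError:
            continue
        if not stat.S_ISDIR(dst.st_mode):
            continue
        if writable_by(dst, uid, gids):
            findings.append((d, "directory writable: binaries can be replaced"))
        for name in os.listdir(d):
            p = os.path.join(d, name)
            try:
                fst = os.stat(p)  # follows symlinks: check what would actually run
            except OSError:
                continue
            if not stat.S_ISREG(fst.st_mode):
                continue
            if fst.st_mode & stat.S_IWOTH:
                findings.append((p, "world-writable file"))
            elif writable_by(fst, uid, gids):
                findings.append((p, "file writable by this uid"))
    return sorted(findings)


def demo():
    """Constructed scratch layout (an assumption for the example, not a real
    system):
      bin/          0755, owned by the running user -> owner can add/replace files
      bin/oowrite   0755, owned by the running user -> owner can modify, others not
      bin/helper    0777                            -> anybody can modify
    Returns the findings as seen by the owner and by an unrelated uid, with
    paths made relative to the scratch root."""
    root = tempfile.mkdtemp()
    try:
        bindir = os.path.join(root, "bin")
        os.mkdir(bindir)
        os.chmod(bindir, 0o755)
        for name, mode in (("oowrite", 0o755), ("helper", 0o777)):
            p = os.path.join(bindir, name)
            with open(p, "w") as f:
                f.write("#!/bin/sh\necho hello\n")
            os.chmod(p, mode)  # set explicitly so the umask does not matter
        me = os.getuid()
        rel = lambda found: [(os.path.relpath(p, root), r) for p, r in found]
        return {
            "owner": rel(audit_dirs([bindir], me, os.getgroups())),
            "other": rel(audit_dirs([bindir], me + 1, ())),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    # Real run: what could a process running as *you* overwrite on your PATH?
    path_dirs = os.environ.get("PATH", "").split(os.pathsep)
    for p, reason in audit_dirs(path_dirs, os.getuid(), os.getgroups()):
        print(f"{reason}: {p}")
```

On a distribution-installed system the real run should print nothing for `/usr/bin` and friends; a hit there, or a user-writable directory early in PATH, is exactly the gap that lets a document macro or a downloaded script replace a binary that every user then trusts. The directory check matters as much as the file check: a writable directory allows unlink-and-replace even when the binary itself is mode 0755 and owned by root.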



On 07/10/2015 09:16 AM, W Alan Day via Novalug wrote:
> Have felt for some time that having to provide a root or admin password to
> install a user application was a major design vulnerability on all of the
> network-connected platforms.  If all the client systems on the Internet
> were virtual machines, would the Internet be more secure?  Can’t convince
> myself that this would be the case because installing a Trojan application
> would have all the external network privileges supported by the VM
> machine.   (Am assuming the VMs don’t have their own vulnerabilities — not
> a realistic assumption.)
>
> We were able to do systems programming on the first virtual computer system
> (CP-67 -> VM/370) that I had experience with.  We didn’t need the admin
> password for the host computer to do this.
>
> Just wanted to throw this question out to NoVALUG to get benefit of the
> collective wisdom.
>
> Alan Day
