[FFe] passwordless install of webapps (based on repo whitelist)

Bug #1035207 reported by Michael Vogt
This bug affects 1 person
Affects: aptdaemon (Ubuntu)
Status: Fix Released
Importance: High
Assigned to: Unassigned

Bug Description

For the unity-webapps work the webapps team would like to install packages that only contain unity-webapps passwordless for a better user experience. They are regular packages but of a very simple form, essentially just a JavaScript file and an icon and no maintainer scripts.

My proposal would be to add a new class of policykit action:
"org.debian.apt.install-packages.high-trust-repo" that requires the same authentication by default as install-or-remove-packages (i.e. auth_admin).

This can then be overridden by the webapps package via /var/lib/polkit-1/localauthority/10-vendor.d/com.ubuntu.desktop.pkla (policykit-desktop-privileges) similar to what we did in the policykit-desktop-privileges with "org.debian.apt.upgrade-packages" to not require a password prompt.

The whitelist of the repository would be based on "Origin,Components" and packagename regexp. So something like: (LP-PPA-app-review-board, main, "^unity-webapps-.*") for the webapps case and this would be shipped as part of the webapps-package into /etc/aptdaemon/high-trust-repository-whitelist.d/

This is all implemented now and I would like to ask for a feature freeze exception to add this into current quantal.

Note that this feature is generic enough to be useful for other use cases like internal company repositories that are trusted.

Tags: ca-escalated


Michael Vogt (mvo)
tags: added: ca-escalated
summary: - passwordless install of certain apps
+ passwordless install of webapps (based on repo whitelist)
Sebastien Bacher (seb128) wrote : Re: passwordless install of webapps (based on repo whitelist)

The approach seems fine to me, those don't really have a lot of code and those websites can already be accessed without password from a web browser anyway, I would still like to get the security team opinion on the topic though, installing random .js from the web in an easy way is somewhat a bit scary ;-)

Michael Vogt (mvo)
Changed in aptdaemon (Ubuntu):
importance: Undecided → High
status: New → Triaged
Marc Deslauriers (mdeslaur) wrote :

There are two requests in this bug, the first being to add whitelist functionality to aptdaemon, and the second is to add a webapps repository to that whitelist. I will address them separately.

Aptdaemon:

I believe adding the whitelist functionality to aptdaemon is reasonable. This would also permit enterprise environments to allow their users to install a pre-approved subset of optional packages. Perhaps two whitelists and policykit rights should be added, one for users in the admin group, and a second for regular users who are logged into the console.

Webapps repo whitelist:

We would tolerate being able to install webapp packages without a password with the following caveats:

1- Installing without a password is limited to users in the "admin" group.
2- The repository whitelist for aptdaemon is shipped in a separate "webapps"-named package, and not part of the aptdaemon package.
3- Up-to-date documentation for the exact steps required for auditing the security of contributed webapp scripts. This needs to be written by someone familiar with the intricacies of how the scripts are integrated in the browser security model and how the webapps functionality was implemented.
4- A webapp script security scanning tool that can detect basic security flaws, and can be updated with new flaws as they are discovered.
5- A policy in place to systematically audit new webapp scripts and improvements to existing webapp scripts using the documentation and the scanning tool before they are accepted into the repository.
6- Tracking of a "sign-off" procedure to determine when the security auditing of contributed scripts was performed, by whom, and with what revision of the auditing documentation and script.

The security team also reserves the right to remove the password exception at its discretion in the case where webapp scripts are used to facilitate malware attacks.

Michael Vogt (mvo) wrote :

Thanks a lot Marc for your thoughts on this topic.

I'm working on this currently in the linked branch and for (1) and (2) we will need something like the "policykit-desktop-privileges" package for webapps that installs something like "/var/lib/polkit-1/localauthority/10-vendor.d/com.ubuntu.webapps.pkla" with:
"""
[Whitelisted installs]
Identity=unix-group:admin;unix-group:sudo
Action=org.debian.apt.install-packages-from-whitelisted-repo
ResultActive=yes
"""

The steps (3) - (6) I will defer to the webapps team.

Michael Vogt (mvo) wrote :

The whitelist file looks like:

$ cat /etc/aptdaemon/repository-whitelist.cfg

[webapps test]
origin = Ubuntu
component = universe
pkgnames = 2vcard

[more whitelist]
origin = Ubuntu
component = main
pkgnames = ^unity.*
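
The following is an added example, not part of the thread and not aptdaemon's own code: a sketch of how a whitelist in the format above could be evaluated to decide which policykit action a transaction needs. The function names, the (name, origin, component) tuple shape, the use of full-string regexp matching and the refusal of transactions that remove packages are assumptions of this sketch; the sample whitelist and extra package names are constructed.

```python
import configparser
import re

# Constructed sample, in the format quoted in the thread.
SAMPLE_WHITELIST = """
[webapps test]
origin = Ubuntu
component = universe
pkgnames = 2vcard

[more whitelist]
origin = Ubuntu
component = main
pkgnames = ^unity.*
"""

# Action identifiers as named in the thread.
ACTION_WHITELISTED = "org.debian.apt.install-packages-from-whitelisted-repo"
ACTION_DEFAULT = "org.debian.apt.install-or-remove-packages"


def load_whitelist(text):
    """Return a list of (origin, component, compiled regexp) entries."""
    # interpolation=None so a '%' inside a regexp is not treated specially.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return [(cfg[s]["origin"], cfg[s]["component"],
             re.compile(cfg[s]["pkgnames"])) for s in cfg.sections()]


def is_whitelisted(pkg, whitelist):
    """pkg is (name, origin, component); all three must match one entry.

    fullmatch() is this sketch's choice: with a prefix match the entry
    '2vcard' would also admit '2vcard-extras'.
    """
    name, origin, component = pkg
    return any(origin == o and component == c and rx.fullmatch(name)
               for o, c, rx in whitelist)


def required_action(install, remove, whitelist):
    """Pick the action for a whole transaction.

    Every package to be installed (dependencies included) must be
    whitelisted and nothing may be removed; otherwise fall back to the
    action that requires admin authentication by default.
    """
    if install and not remove and all(
            is_whitelisted(p, whitelist) for p in install):
        return ACTION_WHITELISTED
    return ACTION_DEFAULT
```

Checking the whole transaction rather than only the requested package matters because a whitelisted package that pulls in a non-whitelisted dependency would otherwise install that dependency without a password prompt.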

summary: - passwordless install of webapps (based on repo whitelist)
+ [FFe] passwordless install of webapps (based on repo whitelist)
Michael Vogt (mvo)
Changed in aptdaemon (Ubuntu):
status: Triaged → In Progress
Michael Vogt (mvo)
description: updated
Stéphane Graber (stgraber) wrote :

Approved on the condition that the security team confirms the current implementation matches their requirements and that this lands on the 17th at the latest (so we have room to revert before beta2 freeze if something goes wrong).

Changed in aptdaemon (Ubuntu):
status: In Progress → Triaged
Marc Deslauriers (mdeslaur) wrote :

The aptdaemon changes proposed match our requirements, as it's just the framework, not the whitelist file itself.

The whitelist file for webapps needs to be in a separate package, and the requirements listed must be met for that.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package aptdaemon - 0.45+bzr861-0ubuntu1

---------------
aptdaemon (0.45+bzr861-0ubuntu1) quantal; urgency=low

  * New upstream snapshot:
    - lp:~mvo/aptdaemon/support-for-whitelisted-repositories that adds
      support for a new trusted-repo policykit action LP: #1035207
    - lp:~vorlon/aptdaemon/lp.1034806 that fixes unicode/str errors
      LP: #768691, #926340, #1034806
  * debian/patches/fix_gettext_return_value_type.patch:
    - dropped, merged as part of lp:~vorlon/aptdaemon/lp.1034806
 -- Michael Vogt <email address hidden> Thu, 13 Sep 2012 09:13:07 +0200

Changed in aptdaemon (Ubuntu):
status: Triaged → Fix Released