[packagekit] Security issue with user defined proxies

Richard Hughes hughsient at gmail.com
Mon Nov 16 09:27:34 PST 2009


2009/11/16 Sebastian Heinlein <glatzor at ubuntu.com>:

> Currently we allow the user to set the proxy of a transaction.
> Furthermore there isn't any separate privilege for setting the proxy.

org.freedesktop.packagekit.system-network-proxy-configure?

> For apt it is possible to set a password for a repository, which can
> be hidden to the normal user by only allowing root to read the config
> file. By allowing the user to set the proxy the password gets sent to
> the user's proxy. Which is a security issue.

I'm not sure I follow. The password is an HTTP proxy password -- surely
you could sniff this (as a user) as it goes out on the wire. Could you
explain how you think this is a security issue in painstaking detail
please.

> Are there any other backends which support passwords?

They all should, especially the spawned backends.

> Possible approaches:
>  - Add a separate privilege for setting the proxy

See above.

>  - Add a global option to disable setting the proxy by the user

If you set ProxyHTTP in PackageKit.conf then the user's proxy won't be used.

>  - Ignoring proxies in the backend if the repository uses a password

I'm not sure why ignoring proxies is a good idea.

Thanks,

Richard.
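
An added example, not part of the original message and not PackageKit or apt code: it models what a generic HTTP client hands to a forward proxy when the repository URL carries a password, for a plain-HTTP repository and for an HTTPS one. The repository URLs, credentials and function names are constructed for illustration.

```python
import base64
from urllib.parse import urlsplit


def request_seen_by_proxy(repo_url: str) -> bytes:
    """Bytes a generic HTTP client sends to a forward proxy for repo_url."""
    u = urlsplit(repo_url)
    if u.scheme == "https":
        # HTTPS is tunnelled: the proxy only receives CONNECT host:port and
        # the Authorization header travels inside TLS to the repository.
        port = u.port or 443
        return (f"CONNECT {u.hostname}:{port} HTTP/1.1\r\n"
                f"Host: {u.hostname}:{port}\r\n\r\n").encode()
    # Plain HTTP: the proxy receives the complete request, headers included.
    hostport = u.hostname + (f":{u.port}" if u.port else "")
    lines = [f"GET http://{hostport}{u.path or '/'} HTTP/1.1", f"Host: {hostport}"]
    if u.username is not None:
        pair = f"{u.username}:{u.password or ''}".encode()
        lines.append("Authorization: Basic " + base64.b64encode(pair).decode())
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def credentials_visible_to_proxy(raw: bytes):
    """Return (user, password) recoverable from the request, or None."""
    for line in raw.decode().split("\r\n"):
        name, _, value = line.partition(":")
        value = value.strip()
        if name.lower() == "authorization" and value.startswith("Basic "):
            user, _, password = base64.b64decode(value[6:]).decode().partition(":")
            return user, password
    return None


# Constructed sample repository URLs (not taken from the thread).
HTTP_REPO = "http://repo-user:s3cret@repo.example.com/debian/dists/stable/Release"
HTTPS_REPO = "https://repo-user:s3cret@repo.example.com/debian/dists/stable/Release"

if __name__ == "__main__":
    for url in (HTTP_REPO, HTTPS_REPO):
        seen = request_seen_by_proxy(url)
        print(url.split(":", 1)[0], "->", credentials_visible_to_proxy(seen))
```
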


