Problems of a desktop Linux distribution GUI sudo

Problems of a desktop Linux distribution GUI sudo

Elazar Leibovich elazarl at gmail.com
Mon Jun 14 12:52:30 IDT 2010 

I think you're missing the very fundamental problem I was discussing.
Sudo is great, having the default user in the admin group, enabling him to
sudo everything is even better. But this applies only when working with the
CLI.
However, when using a GUI system, and administrating your system using the
GUI, you're exposing the user to a great threat. When using the CLI no
software can ask you for input, therefor if you sudo for anything it is
definitely you who did that. It is very hard to trick the user into sudo'ing
something he didn't want to.

When the user is administrating his system through the GUI, he will sudo a
legitimate software by typing his password. It is even worse than that - the
legitimate software which needs to be sudo'd will ask (by means of the
taskbar) from time to time the user to leverage its permission by typing
password.
The authentication scheme the user employ in order to recognize who asked
for permission is only the visual layout of the application. It is very easy
for an attacker to make his software look like the update manager, and ask
the user to update his software through the taskbar. If the casual user is
used to typing his password every time the update manager asks him to update
his system - he'll do that for hostile software which uses the update
manager's icon as well. Even experienced users might be tricked, as you're
having zero visual clue about the software identity.

Sudo here is *not* the problem, it's great. The problem is the
authentication scheme the GUI sudo version employs in order to recognize
which software asked for permission. In windows the authentication scheme
seems to be through signed executables, in current version of Ubuntu the
authentication scheme is zero.

On Mon, Jun 14, 2010 at 2:13 AM, Tzafrir Cohen <tzafrir at cohens.org.il>wrote:

> On Mon, Jun 14, 2010 at 08:49:21AM +0300, Elazar Leibovich wrote:
> > When using my Ubuntu I used to make the following pattern, whenever an
> > update symbol showed up in the "taskbar" above (in gnome it's the upper
> > panel), I clicked on it, entered my password to sudo up the privileges of
> > the update process, and installed the needed packages to the machine.
> >
> > Then I thought, wait a mintue, this is happening all too often! The only
> > security signature I trust here is the shape of the symbol on the
> taskbar! A
> > malicious program can immitate the update GUI, and lure me to leverage
> its
> > permissions very easily.
> >
> > It can't be that bad, I thought, I can probably only sudo a known
> program.
> > Alas, in the latest version of Ubuntu the sudoers file says
> >
> > %admin ALL=(ALL) ALL
> >
> > and the default user is indeed in the admin group.
> >
> > Is that really a problem (I'm probably not the only one who noticed it)?
> Is
> > it like that in other distributions?
> >
> > In Windows when you're asked to leverage a permission of a program, it
> shows
> > you the digital signature of the executable asking for privileges (or at
> > least that's how it looks like in the dialog), which is not a very good
> > solution IMHO, but it's at least better than nothing.
>
> If you're not happy with the simplicity of su, look into the extra
> complexity of the various [A-Z][a-z]+Kit-s. Specifically in this case
> the combination of ConsoleKit and PackageKit.
>
> Pros: easier to define more fine-grained policies.
>
> Cons: more points of failure. More difficult to understand[1].
>
> /me just runs aptitude as root from a terminal.
>
> [1] See e.g.: http://lwn.net/Articles/362986/
>
> --
> Tzafrir Cohen         | tzafrir at jabber.org | VIM is
> http://tzafrir.org.il |                    | a Mutt's
> tzafrir at cohens.org.il |                    |  best
> tzafrir at debian.org    |                    | friend
>
> _______________________________________________
> Linux-il mailing list
> Linux-il at cs.huji.ac.il
> http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.cs.huji.ac.il/pipermail/linux-il/attachments/20100614/d15f03b3/attachment.html>

More information about the Linux-il mailing list