Problems of a desktop Linux distribution GUI sudo

Mon Jun 14 15:36:33 IDT 2010

1) I'm not sure sniffing your keyboard and recognizing when you type your
password is so easy, but I might be wrong.
2) I believe that there's some mechanism which prevents any other software
to mask graphically the authentication dialog, so that if you're seeing the
real authentication dialog - you can trust what you see.

However using Vista signed executable idea, for instance none of this could
happen, since every time a program asks for privilege leverage the dialog
box states explicitly which executable is asking for it, and you never write
your own password except in login, so whatever the malicious program does it
cannot get root privileges.
(Please note, I'm aware there are many problems with the current Vista
approach, and I don't think at all it's an ideal solution. New ideas must be
sought, and I'll be glad to hear any distribution who implemented better
approaches. However, as I previously said, it's better than nothing.)

On Mon, Jun 14, 2010 at 3:21 AM, Tzafrir Cohen <tzafrir at cohens.org.il>wrote:

> On Mon, Jun 14, 2010 at 02:52:30AM -0700, Elazar Leibovich wrote:
> > I think you're missing the very fundamental problem I was discussing.
> > Sudo is great, having the default user in the admin group, enabling him
> to
> > sudo everything is even better. But this applies only when working with
> the
> > CLI.
> > However, when using a GUI system, and administrating your system using
> the
> > GUI, you're exposing the user to a great threat. When using the CLI no
> > software can ask you for input, therefor if you sudo for anything it is
> > definitely you who did that. It is very hard to trick the user into
> sudo'ing
> > something he didn't want to.
> >
> > When the user is administrating his system through the GUI, he will sudo
> a
> > legitimate software by typing his password. It is even worse than that -
> the
> > legitimate software which needs to be sudo'd will ask (by means of the
> > taskbar) from time to time the user to leverage its permission by typing
> > password.
> > The authentication scheme the user employ in order to recognize who asked
> > for permission is only the visual layout of the application. It is very
> easy
> > for an attacker to make his software look like the update manager, and
> ask
> > the user to update his software through the taskbar. If the casual user
> is
> > used to typing his password every time the update manager asks him to
> update
> > his system - he'll do that for hostile software which uses the update
> > manager's icon as well. Even experienced users might be tricked, as
> you're
> > having zero visual clue about the software identity.
> >
> > Sudo here is *not* the problem, it's great. The problem is the
> > authentication scheme the GUI sudo version employs in order to recognize
> > which software asked for permission. In windows the authentication scheme
> > seems to be through signed executables, in current version of Ubuntu the
> > authentication scheme is zero.
>
> Hmm... if a program managed to get in a position it can pop up a prompt,
> it may also sniff your key-strokes.
>
> It may also present you a false certification dialog. If you're used to
> click through certification dialogs, you'll easily miss that.
>
> It may also prompt you to update packages, which is quite legitimate,
> but then after a minute run 'sudo chmod u+s /bin/bash' , while the sudo
> credentials are still cached.
>
> --
> Tzafrir Cohen         | tzafrir at jabber.org | VIM is
> http://tzafrir.org.il |                    | a Mutt's
> tzafrir at cohens.org.il |                    |  best
> tzafrir at debian.org    |                    | friend
>
> _______________________________________________
> Linux-il mailing list
> Linux-il at cs.huji.ac.il
> http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.cs.huji.ac.il/pipermail/linux-il/attachments/20100614/87eb3bb9/attachment.html>