<div dir="ltr">I don't understand.<div>An executable can be signed or unsigned. Anyone can sign it, but the name of the signee would appear on it.</div><div>If I see your script with your name on it, I can decide whether or not to execute it.</div>
<div>What cannot happen in that case is that I'll think your script is the update manager, since the executable is signed (as I mentioned, a signature can be implemented using, say, the executable path and not only with crypto).</div>
<div><br></div><div>The user has a variable amount of clue, but it doesn't matter.</div><div><br></div><div>Even an experienced user (like yourself) won't be able to differentiate a script claiming it's the update manager from the real update manager. This is solved. Because it's theoretically impossible, the input on the screen is identical in both cases.</div>
<div>We never drop the executable signing idea, which has no relation whatsoever to the question of whether or not the user has a clue.<br><br><div class="gmail_quote">On Mon, Jun 14, 2010 at 10:21 PM, Tzafrir Cohen <span dir="ltr"><<a href="mailto:tzafrir@cohens.org.il">tzafrir@cohens.org.il</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div class="im">On Mon, Jun 14, 2010 at 09:22:23PM +0300, Elazar Leibovich wrote:<br>
> On Mon, Jun 14, 2010 at 8:41 PM, Tzafrir Cohen <<a href="mailto:tzafrir@cohens.org.il">tzafrir@cohens.org.il</a>>wrote:<br>
><br>
> > On Mon, Jun 14, 2010 at 08:12:43PM +0300, Elazar Leibovich wrote:<br>
> ><br>
> [snip]<br>
><br>
> > > But I'm not interested in extra limitations. I want to allow the user<br>
> > > to sudo whatever he wishes, to allow any program to prompt for extra<br>
> > > permissions, but still disallow malicious software from disguising itself as<br>
> > > legitimate software and tricking the user into giving it extra privileges.<br>
> ><br>
> > Define "malicious software".<br>
> ><br>
> > For instance, should a script that I wrote be considered "malicious"? A<br>
> > script that root wrote?<br>
> ><br>
> Depends on the user. He will decide if your script should get root<br>
> privileges. If I were him I'd never give root privileges to anything which<br>
> is not an installer.<br>
><br>
> But what shouldn't happen is that *his* script will disguise itself as your script,<br>
> and will ask for root permissions. I will then give *his* script permission<br>
> because I trust your script. This is the heart of the problem and this is<br>
> wrong.<br>
<br>
</div>So you need to grant local {user?|admin?} the permission to sign<br>
executables?<br>
<div><div></div><div class="h5"><br>
><br>
><br>
> > ><br>
> > > How did Vista "solve" this problem?<br>
> > > When a software prompts for extra permissions, the user sees which<br>
> > > software asked for that, and if it's digitally signed, the application's name and<br>
> > > author are displayed.<br>
> > > The user is expected to examine those details and allow the program to<br>
> > > get extra privileges if he wishes (software from Sun? OK, it's a Java update;<br>
> > > I clicked on the Firefox installer, I expect software from Mozilla Foundation to<br>
> > > prompt for permissions; unsigned software is asking for permissions after<br>
> > > I clicked to update my Java - wow, that's alarming!).<br>
> > > Of course there are many problems with this approach (for instance let's<br>
> > > sign my malware for "the Sun Inc" instead of "Sun Inc"), but it's a good<br>
> > > first step.<br>
> ><br>
> > A certificate may serve to guarantee that the software indeed comes from<br>
> > a well-known vendor. But it says nothing about it being safe for running<br>
> > under sudo.<br>
> ><br>
> > Do I want to allow my users to run all the Sun programs? (and by<br>
> > extension: all Java programs, through a JVM) with root privs?<br>
> ><br>
><br>
> Hold it a bit, most software won't need to run as root, so usually the<br>
> answer is no. It is legitimate to require scripts that are supposed to run<br>
> as root to be compiled to an executable that would be signed. (It is a<br>
> good idea in general BTW, for instance gnome-do fails to recognize Java<br>
> programs which are run by a bash script).<br>
><br>
> BTW you don't have to sign the executables by crypto. It is enough to show<br>
> the full path of the software, and warn the user if he has write permission<br>
> to the place where the executable resides.<br>
<br>
</div></div>So now we don't assume user is completely clueless, and we basically<br>
drop the whole signing idea.<br>
<br>
Full command-line sounds saner. gksudo already does that here.<br>
<div class="im"><br>
><br>
> But even for scripts it improves the system security, since you would see<br>
> exactly which command line is about to run, and you would be able to decide<br>
> if you are being tricked or not. (It is much more unlikely that malicious<br>
> software will follow your keystrokes and would switch the script you're just<br>
> about to sudo).<br>
><br>
> The bottom line is, that I feel 100% safe to click OK on my Java update sudo<br>
> in Vista, but I feel scared to do the same for the update manager on Ubuntu.<br>
<br>
><br>
> While it's not the ideal solution, I believe it gives a good answer<br>
<br>
</div>--<br>
<div><div></div><div class="h5">Tzafrir Cohen | <a href="mailto:tzafrir@jabber.org">tzafrir@jabber.org</a> | VIM is<br>
<a href="http://tzafrir.org.il" target="_blank">http://tzafrir.org.il</a> | | a Mutt's<br>
<a href="mailto:tzafrir@cohens.org.il">tzafrir@cohens.org.il</a> | | best<br>
<a href="mailto:tzafrir@debian.org">tzafrir@debian.org</a> | | friend<br>
<br>
_______________________________________________<br>
Linux-il mailing list<br>
<a href="mailto:Linux-il@cs.huji.ac.il">Linux-il@cs.huji.ac.il</a><br>
<a href="http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il" target="_blank">http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il</a><br>
</div></div></blockquote></div><br></div></div>
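<p>The check Elazar describes in the quoted mail (show the full path of what is about to run as root, and warn if the requesting user can write to the executable or to the directory it lives in) is small enough to show in full. The following is an added example written for this page; it is not code from the thread, from sudo or from gksudo. The directory layout, file names and the "other uid" in <code>demo()</code> are constructed for the demonstration, and the check consults only ownership and mode bits (it ignores POSIX ACLs and the fact that root bypasses DAC), so a clean result means "no obvious weak point", not proof that the file is untouched.</p>

```python
"""Path-and-permission check for a privilege prompt.

Added example, not code from the thread or from sudo/gksudo. It resolves the
requested command to a full path and warns when the requesting user could
write to the executable, or replace it through a writable directory or a
symlink. Only ownership and mode bits are inspected; ACLs and root's DAC
bypass are out of scope, so treat a clean result as a hint, not a proof.
"""
import os
import shutil
import stat
import tempfile


def _writable_by(st, uid, gids):
    """Unix owner/group/other write-bit check on a stat result."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def assess_command(command, uid=None, gids=None, path_env=None):
    """Return (resolved_path, warnings) for the command a user asked to sudo.

    uid/gids default to the calling user; path_env replaces $PATH for bare
    command names. Empty warnings: neither the executable nor the directories
    it is reached through are writable by that user.
    """
    uid = os.getuid() if uid is None else uid
    gids = set(os.getgroups()) | {os.getgid()} if gids is None else set(gids)

    located = command if os.sep in command else shutil.which(command, path=path_env)
    if located is None:
        raise FileNotFoundError(command)
    # Resolve the directory part but keep the final entry, so a symlink the
    # user typed is examined as a symlink; then resolve it fully as well.
    located = os.path.join(os.path.realpath(os.path.dirname(os.path.abspath(located))),
                           os.path.basename(located))
    resolved = os.path.realpath(located)

    warnings = []
    for p in dict.fromkeys([located, resolved]):  # dedup, keep order
        entry = os.lstat(p)
        parent = os.path.dirname(p)
        st_dir = os.stat(parent)
        is_link = stat.S_ISLNK(entry.st_mode)
        # A symlink's own mode bits are meaningless; only its parent matters.
        if not is_link and _writable_by(entry, uid, gids):
            warnings.append(f"{p}: executable is writable by uid {uid}")
        if _writable_by(st_dir, uid, gids):
            sticky = bool(st_dir.st_mode & stat.S_ISVTX)
            # In a sticky directory (like /tmp) only the entry's owner or the
            # directory's owner may rename or unlink the entry, so no swap.
            if not sticky or uid in (entry.st_uid, st_dir.st_uid):
                what = "symlink" if is_link else "executable"
                warnings.append(f"{parent}: directory is writable by uid {uid}, "
                                f"the {what} could be replaced")
    return resolved, warnings


def demo():
    """Constructed scenario: a locked-down bin dir versus a user-writable one."""
    base = tempfile.mkdtemp()
    me = os.getuid()
    safe_dir = os.path.join(base, "sbin")       # mode 0555, like /usr/sbin
    weak_dir = os.path.join(base, "home_bin")   # mode 0755, owned by the user
    safe_bin = os.path.join(safe_dir, "update-manager")
    weak_bin = os.path.join(weak_dir, "update-manager")
    link = os.path.join(weak_dir, "um-link")    # symlink to the real binary
    results = {}
    try:
        os.mkdir(safe_dir)
        os.mkdir(weak_dir)
        for path, text in ((safe_bin, "real"), (weak_bin, "look-alike")):
            with open(path, "w") as f:
                f.write(f"#!/bin/sh\necho {text} update manager\n")
        os.chmod(safe_bin, 0o555)
        os.chmod(safe_dir, 0o555)
        os.chmod(weak_bin, 0o755)
        os.chmod(weak_dir, 0o755)
        os.symlink(safe_bin, link)

        results["safe"] = assess_command(safe_bin, uid=me)
        results["weak"] = assess_command(weak_bin, uid=me)
        results["link"] = assess_command(link, uid=me)
        # The look-alike seen from a constructed uid that owns nothing here.
        results["weak_other_uid"] = assess_command(weak_bin, uid=me + 1, gids=())
        # Bare name: PATH order decides which file runs, exactly as with sudo.
        results["path_lookup"] = assess_command(
            "update-manager", uid=me, path_env=os.pathsep.join([weak_dir, safe_dir]))
    finally:
        if os.path.isdir(safe_dir):
            os.chmod(safe_dir, 0o755)  # rmtree must be able to unlink inside it
        shutil.rmtree(base)
    return results


if __name__ == "__main__":
    for name, (path, warns) in demo().items():
        print(f"{name}: {path}")
        for w in warns:
            print("  WARNING:", w)
```

<p>Running the file prints, for each constructed case, the full path that would appear in the prompt and the warnings a gksudo-style dialog could show next to it. The symlink case is the one worth noting: the target is read-only and root-owned, but the link sits in the user's own directory, so the prompt still flags it; and the bare-name lookup shows that a look-alike earlier in <code>$PATH</code> is what gets resolved, which is the "disguise" problem the thread is about.</p>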