<div dir="ltr"><br><br><div class="gmail_quote">On Mon, Jun 14, 2010 at 8:41 PM, Tzafrir Cohen <span dir="ltr"><<a href="mailto:tzafrir@cohens.org.il">tzafrir@cohens.org.il</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im">On Mon, Jun 14, 2010 at 08:12:43PM +0300, Elazar Leibovich wrote:<br></div></blockquote><div>[snip] </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im">> But I'm not interested with extra limitations. I want to allow the user<br>
> sudo'ing whatever he wishes, to allow any program to prompt for extra<br>
> permissions, but still disallow a malicious software to disguise as a<br>
> legitimate software, and trick the user to give it extra privileges.<br>
<br>
</div>Define "malicious software".<br>
<br>
For instance, should a script that I wrote be considered "malicious"? A<br>
script that root wrote?<br>
<div class="im"><br></div></blockquote><div>Depends on the user. He will decide if your script should get root privileges. If I were him I'll never give root privileges to anything which is not an installer.</div><div>
<br></div><div>But what shouldn't happen is that <b>his </b>script will disguise as your script, and will ask for root permissions. I will then give <b>his</b> script permission because I trust your script, this is the heart of the problem and this is wrong.</div>
<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div class="im">
><br>
> How did Vista "solve" this problem?<br>
> When the a software prompts for extra permissions, the user see which<br>
> software asked for that, and if it's digitally the application's name and<br>
> author are displayed.<br>
> The user is expected to examine those details and allow the program to get<br>
> extra privileges if he wishes (software from sun? OK it's a java update, I<br>
> clicked on Firefox installer I expect software from Mozilla Foundation to<br>
> prompt for permissions, unsigned software is asking for permissions after I<br>
> clicked to update my Java - wow, that's alarming!).<br>
> Of course there are many problems with this approach (for instance let's<br>
> sign my malware for "the Sun Inc" instead of "Sun Inc"), but it's a good<br>
> first step.<br>
<br>
</div>A certificate may serve to guarantee that the software indeed comes from<br>
a well-known vendor. But it says nothing about it being safe for running<br>
under sudo.<br>
<br>
Do I want to allow my users to run all the Sun programs? (and by<br>
extension: all Java programs, through a JVM) with root privs?<br></blockquote><div> </div><div>Hold it a bit, most software won't need to run as root, so usually the answer is no. It is legitimate to require scripts that are supposed to run as root to be compiled to a signed executable that would be signed. (It is a good idea in general BTW, for instance gnome-do fails to recognize java programs which are ran by bash script).</div>
<div><br></div><div>BTW you don't have to sign the executables by crypto. It is enough to show the full path of the software, and warn the user if he has write permission to the place where the executable resides.</div>
<div><br></div><div>But even for scripts it improves the system security. Since you would see exactly which command line is about to run, and you would be able to decide if you are being tricked or not. (It is much more unlikely that a malicious software will follow your keystroke an would switch the script you're just about to sudo).</div>
<div><br></div><div>The bottom line is, that I feel 100% safe to click OK on my Java update sudo in Vista, but I feel scared to do the same for the update manager on Ubuntu.</div><div><br></div><div>While its not the ideal solution, I believe it gives a good MAANE</div>
<div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<br>
This is a good(?) answer to a different question.<br>
<font color="#888888"><br>
--<br>
</font><div><div></div><div class="h5">Tzafrir Cohen | <a href="mailto:tzafrir@jabber.org">tzafrir@jabber.org</a> | VIM is<br>
<a href="http://tzafrir.org.il" target="_blank">http://tzafrir.org.il</a> | | a Mutt's<br>
<a href="mailto:tzafrir@cohens.org.il">tzafrir@cohens.org.il</a> | | best<br>
<a href="mailto:tzafrir@debian.org">tzafrir@debian.org</a> | | friend<br>
<br>
_______________________________________________<br>
Linux-il mailing list<br>
<a href="mailto:Linux-il@cs.huji.ac.il">Linux-il@cs.huji.ac.il</a><br>
<a href="http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il" target="_blank">http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il</a><br>
</div></div></blockquote></div><br></div>