<div dir="ltr">1) I'm not sure sniffing your keyboard and recognizing when you type your password is so easy, but I might be wrong.<br>2) I believe that there's some mechanism which prevents any other software to mask graphically the authentication dialog, so that if you're seeing the real authentication dialog - you can trust what you see.<br>
<br>However using Vista signed executable idea, for instance none of this could happen, since every time a program asks for privilege leverage the dialog box states explicitly which executable is asking for it, and you never write your own password except in login, so whatever the malicious program does it cannot get root privileges.<br>
(Please note, I'm aware there are many problems with the current Vista approach, and I don't think at all it's an ideal solution. New ideas must be sought, and I'll be glad to hear any distribution who implemented better approaches. However, as I previously said, it's better than nothing.)<br>
<br><div class="gmail_quote">On Mon, Jun 14, 2010 at 3:21 AM, Tzafrir Cohen <span dir="ltr"><<a href="mailto:tzafrir@cohens.org.il">tzafrir@cohens.org.il</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div><div></div><div class="h5">On Mon, Jun 14, 2010 at 02:52:30AM -0700, Elazar Leibovich wrote:<br>
> I think you're missing the very fundamental problem I was discussing.<br>
> Sudo is great, having the default user in the admin group, enabling him to<br>
> sudo everything is even better. But this applies only when working with the<br>
> CLI.<br>
> However, when using a GUI system, and administrating your system using the<br>
> GUI, you're exposing the user to a great threat. When using the CLI no<br>
> software can ask you for input, therefor if you sudo for anything it is<br>
> definitely you who did that. It is very hard to trick the user into sudo'ing<br>
> something he didn't want to.<br>
><br>
> When the user is administrating his system through the GUI, he will sudo a<br>
> legitimate software by typing his password. It is even worse than that - the<br>
> legitimate software which needs to be sudo'd will ask (by means of the<br>
> taskbar) from time to time the user to leverage its permission by typing<br>
> password.<br>
> The authentication scheme the user employ in order to recognize who asked<br>
> for permission is only the visual layout of the application. It is very easy<br>
> for an attacker to make his software look like the update manager, and ask<br>
> the user to update his software through the taskbar. If the casual user is<br>
> used to typing his password every time the update manager asks him to update<br>
> his system - he'll do that for hostile software which uses the update<br>
> manager's icon as well. Even experienced users might be tricked, as you're<br>
> having zero visual clue about the software identity.<br>
><br>
> Sudo here is *not* the problem, it's great. The problem is the<br>
> authentication scheme the GUI sudo version employs in order to recognize<br>
> which software asked for permission. In windows the authentication scheme<br>
> seems to be through signed executables, in current version of Ubuntu the<br>
> authentication scheme is zero.<br>
<br>
</div></div>Hmm... if a program managed to get in a position it can pop up a prompt,<br>
it may also sniff your key-strokes.<br>
<br>
It may also present you a false certification dialog. If you're used to<br>
click through certification dialogs, you'll easily miss that.<br>
<br>
It may also prompt you to update packages, which is quite legitimate,<br>
but then after a minute run 'sudo chmod u+s /bin/bash' , while the sudo<br>
credentials are still cached.<br>
<font color="#888888"><br>
--<br>
</font><div><div></div><div class="h5">Tzafrir Cohen | <a href="mailto:tzafrir@jabber.org">tzafrir@jabber.org</a> | VIM is<br>
<a href="http://tzafrir.org.il" target="_blank">http://tzafrir.org.il</a> | | a Mutt's<br>
<a href="mailto:tzafrir@cohens.org.il">tzafrir@cohens.org.il</a> | | best<br>
<a href="mailto:tzafrir@debian.org">tzafrir@debian.org</a> | | friend<br>
<br>
_______________________________________________<br>
Linux-il mailing list<br>
<a href="mailto:Linux-il@cs.huji.ac.il">Linux-il@cs.huji.ac.il</a><br>
<a href="http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il" target="_blank">http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il</a><br>
</div></div></blockquote></div><br></div>