<div dir="ltr">I think you're missing the very fundamental problem I was discussing.<br>Sudo is great, having the default user in the admin group, enabling him to sudo everything is even better. But this applies only when working with the CLI.<br>
However, when using a GUI system, and administrating your system using the GUI, you're exposing the user to a great threat. When using the CLI no software can ask you for input, therefor if you sudo for anything it is definitely you who did that. It is very hard to trick the user into sudo'ing something he didn't want to.<br>
<br>When the user is administrating his system through the GUI, he will sudo a legitimate software by typing his password. It is even worse than that - the legitimate software which needs to be sudo'd will ask (by means of the taskbar) from time to time the user to leverage its permission by typing password.<br>
The authentication scheme the user employ in order to recognize who asked for permission is only the visual layout of the application. It is very easy for an attacker to make his software look like the update manager, and ask the user to update his software through the taskbar. If the casual user is used to typing his password every time the update manager asks him to update his system - he'll do that for hostile software which uses the update manager's icon as well. Even experienced users might be tricked, as you're having zero visual clue about the software identity.<br>
<br>Sudo here is *not* the problem, it's great. The problem is the authentication scheme the GUI sudo version employs in order to recognize which software asked for permission. In windows the authentication scheme seems to be through signed executables, in current version of Ubuntu the authentication scheme is zero.<br>
<br><div class="gmail_quote">On Mon, Jun 14, 2010 at 2:13 AM, Tzafrir Cohen <span dir="ltr"><<a href="mailto:tzafrir@cohens.org.il">tzafrir@cohens.org.il</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div><div></div><div class="h5">On Mon, Jun 14, 2010 at 08:49:21AM +0300, Elazar Leibovich wrote:<br>
> When using my Ubuntu I used to make the following pattern, whenever an<br>
> update symbol showed up in the "taskbar" above (in gnome it's the upper<br>
> panel), I clicked on it, entered my password to sudo up the privileges of<br>
> the update process, and installed the needed packages to the machine.<br>
><br>
> Then I thought, wait a mintue, this is happening all too often! The only<br>
> security signature I trust here is the shape of the symbol on the taskbar! A<br>
> malicious program can immitate the update GUI, and lure me to leverage its<br>
> permissions very easily.<br>
><br>
> It can't be that bad, I thought, I can probably only sudo a known program.<br>
> Alas, in the latest version of Ubuntu the sudoers file says<br>
><br>
> %admin ALL=(ALL) ALL<br>
><br>
> and the default user is indeed in the admin group.<br>
><br>
> Is that really a problem (I'm probably not the only one who noticed it)? Is<br>
> it like that in other distributions?<br>
><br>
> In Windows when you're asked to leverage a permission of a program, it shows<br>
> you the digital signature of the executable asking for privileges (or at<br>
> least that's how it looks like in the dialog), which is not a very good<br>
> solution IMHO, but it's at least better than nothing.<br>
<br>
</div></div>If you're not happy with the simplicity of su, look into the extra<br>
complexity of the various [A-Z][a-z]+Kit-s. Specifically in this case<br>
the combination of ConsoleKit and PackageKit.<br>
<br>
Pros: easier to define more fine-grained policies.<br>
<br>
Cons: more points of failure. More difficult to understand[1].<br>
<br>
/me just runs aptitude as root from a terminal.<br>
<br>
[1] See e.g.: <a href="http://lwn.net/Articles/362986/" target="_blank">http://lwn.net/Articles/362986/</a><br>
<br>
--<br>
Tzafrir Cohen | <a href="mailto:tzafrir@jabber.org">tzafrir@jabber.org</a> | VIM is<br>
<a href="http://tzafrir.org.il" target="_blank">http://tzafrir.org.il</a> | | a Mutt's<br>
<a href="mailto:tzafrir@cohens.org.il">tzafrir@cohens.org.il</a> | | best<br>
<a href="mailto:tzafrir@debian.org">tzafrir@debian.org</a> | | friend<br>
<br>
_______________________________________________<br>
Linux-il mailing list<br>
<a href="mailto:Linux-il@cs.huji.ac.il">Linux-il@cs.huji.ac.il</a><br>
<a href="http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il" target="_blank">http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il</a><br>
</blockquote></div><br></div>