<div dir="ltr"><br><br><div class="gmail_quote">On Mon, Jun 14, 2010 at 4:54 PM, Tzafrir Cohen <span dir="ltr"><<a href="mailto:tzafrir@cohens.org.il">tzafrir@cohens.org.il</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im">On Mon, Jun 14, 2010 at 05:36:33AM -0700, Elazar Leibovich wrote:<br>
> 1) I'm not sure sniffing your keyboard and recognizing when you type your<br>
> password is so easy, but I might be wrong.<br>
> 2) I believe that there's some mechanism which prevents any other software<br>
> to mask graphically the authentication dialog, so that if you're seeing the<br>
> real authentication dialog - you can trust what you see.<br>
<br>
</div>It's not about masking one. It's about faking one.<br></blockquote><div> </div><div>I don't understand, what would faking a dialog give the attacker? </div><div>(If you're saying that it will cause the user to ignore permission dialogs altogether, I don't think it's plausible, on the contrary, the user will notice something is suspicious - the package update software is asking for update, yet, nothing happens.</div>
<div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im"><br>
><br>
> However using Vista signed executable idea, for instance none of this could<br>
> happen, since every time a program asks for privilege leverage the dialog<br>
> box states explicitly which executable is asking for it, and you never write<br>
> your own password except in login, so whatever the malicious program does it<br>
> cannot get root privileges.<br>
<br>
</div>"Never" is a very strong word. The main problem here is that you'll<br>
eventually need to run "untrusted" binaries for varius reasons. And thus<br>
you'll get used to bypassing that mechnism on a regular basis.<br>
<br>
Not to mention that "trusted" binaries may do way to much. For instance,<br>
/bin/bash is a trusted binary on your Linux system. It is instealled<br>
from a signed package. Yet chmod s+u /bin/bash is not such a grand idea.<br></blockquote><div><br></div><div>In the authentication dialog you will see the command line which is requested, and if it's something like "/bin/bash rm -rf /" ignore it. Moreover I wouldn't allow bash to ask for permission leverage through the GUI at all.</div>
<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
Trusting any signed binaries sounds all too much like a generic sudo<br>
line. It might be a good solution, but not for this problem.<br>
<br>
Again, look into the *Kit stuff, if sudo is not good enough for you.<br></blockquote><div><br></div><div>Again, sudo is super. I even considered a using it on some windows machine which unfortunately lack this feature. It's the Ubuntu GUI for leveraging permisions which bothers me.</div>
<div>I took a quick look of the *Kit stuff. I don't see immediately what ConsoleKit is doing, but indeed disabling any possibility to sudo through the GUI, and only running a package daemon is a nice step towards a better authentication scheme.</div>
<div>However I don't see how is it a solution for the general problem of executing untrusted binaries in Desktop environment.</div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<font color="#888888"><br>
--<br>
</font><div><div></div><div class="h5">Tzafrir Cohen | <a href="mailto:tzafrir@jabber.org">tzafrir@jabber.org</a> | VIM is<br>
<a href="http://tzafrir.org.il" target="_blank">http://tzafrir.org.il</a> | | a Mutt's<br>
<a href="mailto:tzafrir@cohens.org.il">tzafrir@cohens.org.il</a> | | best<br>
<a href="mailto:tzafrir@debian.org">tzafrir@debian.org</a> | | friend<br>
<br>
_______________________________________________<br>
Linux-il mailing list<br>
<a href="mailto:Linux-il@cs.huji.ac.il">Linux-il@cs.huji.ac.il</a><br>
<a href="http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il" target="_blank">http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il</a><br>
</div></div></blockquote></div><br></div>