Problems of a desktop Linux distribution GUI sudo

Problems of a desktop Linux distribution GUI sudo

Tzafrir Cohen tzafrir at cohens.org.il
Mon Jun 14 12:13:52 IDT 2010


On Mon, Jun 14, 2010 at 08:49:21AM +0300, Elazar Leibovich wrote:
> When using my Ubuntu I used to make the following pattern, whenever an
> update symbol showed up in the "taskbar" above (in gnome it's the upper
> panel), I clicked on it, entered my password to sudo up the privileges of
> the update process, and installed the needed packages to the machine.
> 
> Then I thought, wait a mintue, this is happening all too often! The only
> security signature I trust here is the shape of the symbol on the taskbar! A
> malicious program can immitate the update GUI, and lure me to leverage its
> permissions very easily.
> 
> It can't be that bad, I thought, I can probably only sudo a known program.
> Alas, in the latest version of Ubuntu the sudoers file says
> 
> %admin ALL=(ALL) ALL
> 
> and the default user is indeed in the admin group.
> 
> Is that really a problem (I'm probably not the only one who noticed it)? Is
> it like that in other distributions?
> 
> In Windows when you're asked to leverage a permission of a program, it shows
> you the digital signature of the executable asking for privileges (or at
> least that's how it looks like in the dialog), which is not a very good
> solution IMHO, but it's at least better than nothing.

If you're not happy with the simplicity of su, look into the extra
complexity of the various [A-Z][a-z]+Kit-s. Specifically in this case
the combination of ConsoleKit and PackageKit.

Pros: easier to define more fine-grained policies.

Cons: more points of failure. More difficult to understand[1].

/me just runs aptitude as root from a terminal.

[1] See e.g.: http://lwn.net/Articles/362986/

-- 
Tzafrir Cohen         | tzafrir at jabber.org | VIM is
http://tzafrir.org.il |                    | a Mutt's
tzafrir at cohens.org.il |                    |  best
tzafrir at debian.org    |                    | friend



More information about the Linux-il mailing list