Problems of a desktop Linux distribution GUI sudo
Shlomi Fish
shlomif at iglu.org.il
Mon Jun 14 13:19:11 IDT 2010
On Monday 14 Jun 2010 12:52:30 Elazar Leibovich wrote:
> I think you're missing the very fundamental problem I was discussing.
> Sudo is great, having the default user in the admin group, enabling him to
> sudo everything is even better. But this applies only when working with the
> CLI.
> However, when using a GUI system, and administrating your system using the
> GUI, you're exposing the user to a great threat. When using the CLI no
> software can ask you for input, therefore if you sudo for anything it is
> definitely you who did that. It is very hard to trick the user into
> sudo'ing something he didn't want to.
>
> When the user is administrating his system through the GUI, he will sudo a
> legitimate software by typing his password. It is even worse than that -
> the legitimate software which needs to be sudo'd will ask the user (by means
> of the taskbar) from time to time to leverage its permission by typing a
> password.
> The authentication scheme the user employs in order to recognize who asked
> for permission is only the visual layout of the application. It is very
> easy for an attacker to make his software look like the update manager,
> and ask the user to update his software through the taskbar. If the casual
> user is used to typing his password every time the update manager asks him
> to update his system - he'll do that for hostile software which uses the
> update manager's icon as well. Even experienced users might be tricked, as
> you're having zero visual clue about the software identity.
>
That's why you should not install software that you should not trust. There's
no escape from it. If you install such software as a normal user, it can
easily tamper with your local user configuration and end up spying on you or
getting your credentials - even as an underprivileged user on UNIX.
Regards,
Shlomi Fish
--
-----------------------------------------------------------------
Shlomi Fish http://www.shlomifish.org/
Why I Love Perl - http://shlom.in/joy-of-perl
God considered inflicting XSLT as the tenth plague of Egypt, but then
decided against it because he thought it would be too evil.
Please reply to list if it's a mailing list post - http://shlom.in/reply .
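The reply above argues that untrusted code running as an ordinary user can tamper with the user's own configuration and harvest credentials without ever being granted root. The script below is an added example, not something posted in this thread, that audits the places such tampering would land: the shell start-up files (an alias or function that shadows `sudo`, `su`, `ssh` and similar, or a `PATH` that begins with a user-writable directory) and the `~/.config/autostart` entries, flagging an entry whose program lives under `$HOME` or `/tmp` while presenting a system tool's `Name`/`Icon`, which is the look-alike prompt the quoted message describes. The file names, the severity labels and the sample `.bashrc` and `.desktop` contents are constructed assumptions for the demonstration; run it with `--live` to scan the real home directory instead of the samples.

```python
"""Audit a user's shell rc files and autostart entries for unprivileged
tampering (added example; file lists, severities and samples are assumptions)."""
import re
import sys
from pathlib import Path

# Files an unprivileged process can rewrite to intercept the user's own
# commands; every entry is relative to $HOME.
SHELL_FILES = (".bashrc", ".bash_profile", ".profile", ".zshrc")
AUTOSTART_DIR = ".config/autostart"
SYSTEM_DIRS = ("/usr/", "/bin/", "/sbin/", "/opt/")
WRITABLE_PREFIXES = ("$HOME", "${HOME}", "~", "/home/", "/tmp", "/dev/shm", "/var/tmp")

# Commands that prompt for a secret; shadowing them with an alias or shell
# function in a writable rc file is the classic local credential grab.
SENSITIVE_CMDS = frozenset({"sudo", "su", "ssh", "gpg", "passwd", "pkexec"})

ALIAS_RE = re.compile(r"^\s*alias\s+([\w.-]+)=")
FUNC_KW_RE = re.compile(r"^\s*function\s+([\w.-]+)")
FUNC_PAREN_RE = re.compile(r"^\s*([\w.-]+)\s*\(\)\s*\{")
PATH_RE = re.compile(r"""^\s*(?:export\s+)?PATH=["']?([^"'\s]+)""")

# Constructed sample inputs (not real files from any system).
SAMPLE_BASHRC = """\
# constructed sample ~/.bashrc
export PATH="$HOME/.local/bin:$PATH"
alias ls='ls --color=auto'
alias sudo='$HOME/.cache/.s'
"""
SAMPLE_DESKTOP = """\
[Desktop Entry]
Type=Application
Name=Update Manager
Icon=update-manager
Exec=/home/user/.cache/.um --tray
"""


def scan_shell_rc(name, text):
    """Return (file, line, severity, message) tuples for suspicious rc lines."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rx in (ALIAS_RE, FUNC_KW_RE, FUNC_PAREN_RE):
            m = rx.match(line)
            if m and m.group(1) in SENSITIVE_CMDS:
                findings.append((name, lineno, "high", f"{m.group(1)} redefined: {line.strip()}"))
                break
        m = PATH_RE.match(line)
        if m:
            first = m.group(1).split(":")[0]
            # Distro defaults often prepend ~/.local/bin, so this is only
            # "medium": a binary dropped there still shadows /usr/bin/sudo.
            if first.startswith(WRITABLE_PREFIXES):
                findings.append((name, lineno, "medium", f"PATH starts with user-writable dir {first}"))
    return findings


def scan_autostart(name, text):
    """Flag a .desktop autostart entry whose program lives outside system dirs."""
    fields, exec_line = {}, 0
    for lineno, line in enumerate(text.splitlines(), 1):
        if "=" in line and not line.startswith(("#", "[")):
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
            if key.strip() == "Exec":
                exec_line = lineno
    exec_cmd = fields.get("Exec", "")
    if not exec_cmd:
        return []
    program = exec_cmd.split()[0].strip("\"'")
    if "/" not in program:
        # A bare command resolves through the (possibly tampered) PATH.
        return [(name, exec_line, "low", f"Exec {program!r} resolves via PATH; confirm which binary")]
    if program.startswith(SYSTEM_DIRS):
        return []
    # An absolute path under $HOME or /tmp is an unprivileged drop; borrowing a
    # system tool's Name/Icon is the look-alike prompt the thread warns about.
    msg = (f"Exec {program!r} is outside system dirs but presents as "
           f"Name={fields.get('Name', '?')!r} Icon={fields.get('Icon', '?')!r}")
    return [(name, exec_line, "high", msg)]


def audit_home(home=None):
    """Run both scanners over the real files under `home` (default: $HOME)."""
    home = Path(home) if home else Path.home()
    findings = []
    for rel in SHELL_FILES:
        p = home / rel
        if p.is_file():
            findings += scan_shell_rc(str(p), p.read_text(errors="replace"))
    for p in sorted((home / AUTOSTART_DIR).glob("*.desktop")):
        findings += scan_autostart(str(p), p.read_text(errors="replace"))
    return findings


if __name__ == "__main__":
    if "--live" in sys.argv:
        results = audit_home()
    else:
        results = (scan_shell_rc("sample ~/.bashrc", SAMPLE_BASHRC)
                   + scan_autostart("sample update-manager.desktop", SAMPLE_DESKTOP))
    for f, ln, sev, msg in results:
        print(f"[{sev}] {f}:{ln}: {msg}")
```

On the samples it reports the `PATH` prepend as medium, the `sudo` alias as high, and the autostart entry as high because its program sits under a home directory while calling itself the update manager. A system-wide entry in `/etc/xdg/autostart` is deliberately out of scope: writing there requires the very privilege the thread is discussing.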