Problems of a desktop Linux distribution GUI sudo

Problems of a desktop Linux distribution GUI sudo

Elazar Leibovich elazarl at gmail.com
Mon Jun 14 17:47:36 IDT 2010 

On Mon, Jun 14, 2010 at 4:54 PM, Tzafrir Cohen <tzafrir at cohens.org.il>wrote:

> On Mon, Jun 14, 2010 at 05:36:33AM -0700, Elazar Leibovich wrote:
> > 1) I'm not sure sniffing your keyboard and recognizing when you type your
> > password is so easy, but I might be wrong.
> > 2) I believe that there's some mechanism which prevents any other
> software
> > to mask graphically the authentication dialog, so that if you're seeing
> the
> > real authentication dialog - you can trust what you see.
>
> It's not about masking one. It's about faking one.
>

I don't understand, what would faking a dialog give the attacker?
(If you're saying that it will cause the user to ignore permission dialogs
altogether, I don't think it's plausible, on the contrary, the user will
notice something is suspicious - the package update software is asking for
update, yet, nothing happens.


> >
> > However using Vista signed executable idea, for instance none of this
> could
> > happen, since every time a program asks for privilege leverage the dialog
> > box states explicitly which executable is asking for it, and you never
> write
> > your own password except in login, so whatever the malicious program does
> it
> > cannot get root privileges.
>
> "Never" is a very strong word. The main problem here is that you'll
> eventually need to run "untrusted" binaries for varius reasons. And thus
> you'll get used to bypassing that mechnism on a regular basis.
>
> Not to mention that "trusted" binaries may do way to much. For instance,
> /bin/bash is a trusted binary on your Linux system. It is instealled
> from a signed package. Yet chmod s+u /bin/bash is not such a grand idea.
>

In the authentication dialog you will see the command line which is
requested, and if it's something like "/bin/bash rm -rf /" ignore it.
Moreover I wouldn't allow bash to ask for permission leverage through the
GUI at all.


> Trusting any signed binaries sounds all too much like a generic sudo
> line. It might be a good solution, but not for this problem.
>
> Again, look into the *Kit stuff, if sudo is not good enough for you.
>

Again, sudo is super. I even considered a using it on some windows machine
which unfortunately lack this feature. It's the Ubuntu GUI for leveraging
permisions which bothers me.
I took a quick look of the *Kit stuff. I don't see immediately what
ConsoleKit is doing, but indeed disabling any possibility to sudo through
the GUI, and only running a package daemon is a nice step towards a better
authentication scheme.
However I don't see how is it a solution for the general problem of
executing untrusted binaries in Desktop environment.


> --
> Tzafrir Cohen         | tzafrir at jabber.org | VIM is
> http://tzafrir.org.il |                    | a Mutt's
> tzafrir at cohens.org.il |                    |  best
> tzafrir at debian.org    |                    | friend
>
> _______________________________________________
> Linux-il mailing list
> Linux-il at cs.huji.ac.il
> http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.cs.huji.ac.il/pipermail/linux-il/attachments/20100614/f57abfcd/attachment.html>

More information about the Linux-il mailing list