Problems of a desktop Linux distribution GUI sudo

Tzafrir Cohen tzafrir at cohens.org.il
Mon Jun 14 20:41:52 IDT 2010


On Mon, Jun 14, 2010 at 08:12:43PM +0300, Elazar Leibovich wrote:
> The problem:
> In the current workflow for desktop Linux, you need to routinely leverage
> the privilege of some GUI application. Those applications run constantly in
> the background and might prompt the user to take action.
> We *want* those applications to constantly run in the background and prompt
> the user to take action. This is a good thing.
> When the program asks the user to leverage its privileges, the standard
> leverage dialog does not contain any verifiable information about who actually
> asked to leverage its permissions.
> That is, the only authentication method the user employs to verify he's
> giving root privilege to the correct program is this program's visual look.
> 
> However, this workflow enables a simple attack. The offending program would
> change its look to look like a legitimate program, and ask the user to
> leverage its permissions. The user has no way to know that he's leveraging
> the permissions of a different program.
> 
> This problem can be solved in many ways, for instance:
> 1) Allow the user to sudo only a limited set of software.
> 2) Allow the user to sudo all programs, but do not allow any software to
> prompt the user for extra permission.
> But I'm not interested in extra limitations. I want to allow the user to
> sudo whatever he wishes, to allow any program to prompt for extra
> permissions, but still disallow malicious software from disguising itself as
> legitimate software and tricking the user into giving it extra privileges.

Define "malicious software".

For instance, should a script that I wrote be considered "malicious"? A
script that root wrote?

> 
> How did Vista "solve" this problem?
> When a program prompts for extra permissions, the user sees which
> software asked for that, and if it's digitally signed, the application's name and
> author are displayed.
> The user is expected to examine those details and allow the program to get
> extra privileges if he wishes (software from sun? OK it's a java update, I
> clicked on Firefox installer I expect software from Mozilla Foundation to
> prompt for permissions, unsigned software is asking for permissions after I
> clicked to update my Java - wow, that's alarming!).
> Of course there are many problems with this approach (for instance let's
> sign my malware for "the Sun Inc" instead of "Sun Inc"), but it's a good
> first step.

A certificate may serve to guarantee that the software indeed comes from
a well-known vendor. But it says nothing about it being safe for running
under sudo.

Do I want to allow my users to run all the Sun programs (and by
extension all Java programs, through a JVM) with root privs?

This is a good(?) answer to a different question.

-- 
Tzafrir Cohen         | tzafrir at jabber.org | VIM is
http://tzafrir.org.il |                    | a Mutt's
tzafrir at cohens.org.il |                    |  best
tzafrir at debian.org    |                    | friend
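The two points in this exchange can be made concrete: Elazar's attack needs only that the impostor *look* like the legitimate requester, and Tzafrir's objection is that knowing who made a binary is not the same as deciding it may run as root. The following Python is an added example and not code from this thread, from sudo, or from any distribution's GUI privilege front end. It identifies the process behind an elevation request by the kernel-maintained /proc/<pid>/exe link and a hash allowlist instead of by a name the requester chooses itself. The allowlist, the two scripts and the labels in demo() are constructed for illustration, and obtaining the requester's PID (for example via SO_PEERCRED on the socket the helper was called on) is assumed rather than shown.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, Optional, Set


def sha256_of(path: Path) -> str:
    """Hash a file's contents: this, not its name or icon, identifies a binary."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def requester_binary(pid: int) -> Path:
    """Resolve the executable of the process that asked for elevation.

    Linux-specific: /proc/<pid>/exe is maintained by the kernel, so the
    requester cannot forge it the way it can forge a window title or icon.
    How the privileged helper learned the pid (e.g. SO_PEERCRED) is assumed.
    """
    return Path(os.readlink(f"/proc/{pid}/exe"))


def authorize_by_name(display_name: str, trusted_names: Set[str]) -> bool:
    """The check a 'does it look like the Java updater?' dialog amounts to.

    The requester chooses display_name itself, so an impostor passes too.
    """
    return display_name in trusted_names


def authorize_by_hash(exe_path: Path, trusted: Dict[str, str]) -> Optional[str]:
    """Return the admin-assigned label for a trusted binary, or None if unknown.

    The label means 'the admin decided this binary may elevate', not
    'this binary comes from a known vendor'; a vendor certificate would
    only answer the second question.
    """
    return trusted.get(sha256_of(exe_path))


def demo() -> Dict[str, object]:
    """Constructed scenario: a genuine updater and an impostor that copies its name."""
    with tempfile.TemporaryDirectory() as d:
        genuine = Path(d) / "vendor" / "java-updater"
        impostor = Path(d) / "other" / "java-updater"
        genuine.parent.mkdir()
        impostor.parent.mkdir()
        genuine.write_bytes(b"#!/bin/sh\necho applying genuine update\n")
        impostor.write_bytes(b"#!/bin/sh\necho this is not the updater\n")

        # Constructed allowlist, keyed by hash of the genuine binary only.
        trusted_hashes = {sha256_of(genuine): "Java updater (Sun)"}
        trusted_names = {"Java updater (Sun)"}

        return {
            # Both programs present the same name; the name check cannot tell them apart.
            "name_check_genuine": authorize_by_name("Java updater (Sun)", trusted_names),
            "name_check_impostor": authorize_by_name("Java updater (Sun)", trusted_names),
            # Only the genuine binary matches the allowlisted hash.
            "hash_check_genuine": authorize_by_hash(genuine, trusted_hashes),
            "hash_check_impostor": authorize_by_hash(impostor, trusted_hashes),
        }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The hash check answers "which binary is this?", which is the question the dialog in the thread cannot answer. It deliberately does not answer "is this safe to run as root?": the allowlist encodes a decision the administrator made per binary, which is the separation Tzafrir is asking for, and a binary that is trusted to elevate but then loads attacker-controlled code (a JVM running arbitrary Java, in his example) is still outside what this check can protect against.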
