Problems of a desktop Linux distribution GUI sudo

Problems of a desktop Linux distribution GUI sudo

Elazar Leibovich elazarl at gmail.com
Tue Jun 15 13:02:28 IDT 2010 

On Tue, Jun 15, 2010 at 12:44 AM, Oron Peled <oron at actcom.co.il> wrote:

> On Tuesday, 15 בJune 2010 09:12:53 Elazar Leibovich wrote:
> > Thanks for the long and detailed reply!
>
> Yes, but you (probabely by mistake) replied to me only.
> I reply to the mailing list with your full content, so
> the context is not lost.
>

I apologize, but at least it's much better than doing the opposite...


> > Just to make sure I got you correctly, you're saying that no GUI app
> should
> > ask for root privileges ever, and only known application should use root
> > privileges, GUI applications would then only interface them (either
> through
> > socket, or by allowing anyone to sudo this specific application).
>
> Generally yes.
>
> > That's covers installation related software, but what about other
> software
> > which needs root privileges? Say I want to run gparted? I don't want to
> run
> > a gparted server all day long just for the time I need to run it, and I
> do
> > want to be able to run it occasionally.
>
> There is no problem with activation on demand (with D-Bus it's a piece
> of cake).
>
> What I say is that new mechanisms have split implementation:
>  - A priviledged bussiness logic
>  - A non-priviledged UI
>
> BTW: this is a classic separation between interface and implementation
>     and directly leads to other, non-security-related, advantages
>     (e.g: multiple interfaces (console, GUI, Web-based) to the same
>      bussiness logic).
>

I'm all for separation between UI and implementation. However if I
understand you correctly you suggest that, say, gparted authors will NOT
write the implementation code which needs root access.
I don't think it's possible to include gazillion services for each possible
application need. The software must request somehow permission to run its
root-depending implementation.

>
> > Vista authentication model still works, I'll be sure I'm giving root
> > permissions to gparted and not to something that looks like gparted.
> > (The flaws you mentioned in the *current* Vista model are known, but I
> > believe some could be addressed, some flaws you mentioned are inherent to
> > Windows in general, and to the sudo-like mechanism it applies).
>
> I'm the last to pretend being a Windows expert. However, the latest
> security related happenings in Vista-7, demonstrate that not much was
> changed from Vista (other than some colored cellophane and few more,
> much needed, drivers and bug-fixes).
>
> [snipped]

> Comparing this to the registry is a sad joke.
>

I'm glad to hear. If the information is stored in the user directory it is
really equivalent to the various .something configuration files.
I don't really know gconf, however when I opened the software it looked just
like regedit, and when I saw that the search function was as bad as in
regedit.exe I shivered.


> > BTW please note that authentication don't have to be done with crypto!
> > Unwritable file paths could do as well. If for instance you'll only allow
> > programs in /usr/bin/* to ask for root privileges, and the user will see
> the
> > full path of the software asking for root privileges, it provides enough
> > authentication. The idea is to know who's asking for root relying on
> things
> > which are more secure than the software icon, it doesn't have to be
> crypto.
>
> You got confused:
>  - It's not the user that need to verify that the program is "good"
>  - It's the program that need to verify that the *user* is authorized
>
>  We're indeed talking about different threat models.
You're talking about securing a desktop box in a typical corporate
environment. Indeed in this case the user permissions must be checked each
and every time he's trying to execute a program.
I'm (and if I understand correctly, Microsoft also considers this model)
talking about securing a desktop user which owns the computer.
He always have full control, if he can touch the keyboard - he's OK.
However he wishes to run various softwares from various sources, and we need
to minimize the risks for him. The typical PC user IMHO wants to install
software from various untrusted sources. Even I'm installing various
software from various sources and hope for good, I need Adobe Flash I use
Google Chrome, I use IntelliJ Idea and Sun's Java, those are not available
from Ubuntu. And by all means I don't think Ubuntu should package all
software in the universe. It should be the developers' job.
I think that if Linux becomes very popular it will have to happen. I tried
to convince friends many times not to install random software from the
internet on their Windows desktops because this tends to make troubles, but
none of them agreed. I even installed virtualbox for them to try the random
software on it, but it didn't help. They need that. You can't argue with
that.

There are various things which can be done, but the first thing we do, is
tell him - never run as root. All his files are in danger, as well as his
various email accounts. However nothing can pollute his boot record or
system files or kernel.
However sometimes the user want to run some of his untrusted software as
root, and we want to allow him to do that in a relatively secure way.

One thing we should NOT do is to force the user to be to authorizing the
update manager to run as root, and allow any program to look like the update
manager.
If this wouldn't happen the user might have many viruses - but all are in
user space.


>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.cs.huji.ac.il/pipermail/linux-il/attachments/20100615/85c700a8/attachment-0001.html>

More information about the Linux-il mailing list