On Sun, Jun 09, 2013 at 07:41:34PM +0200, Daniel Pocock wrote:
> My feeling is that the user should be told "go and run sudo or su in a
> terminal window you opened manually"
>
> Otherwise, they can't be sure they are putting their password in a
> genuine Debian popup.

Please explain your threat model. From the discussion I am assuming that it looks somewhat like this: The attacker already has the privilege to execute arbitrary code as the user account and wants to elevate that to root now.

How is su or sudo going to help here? Writing a key logging wrapper in expect is a matter of 10 lines. The reason that popups are used for tricking users into revealing their password is that there are so many uses of these popups. Had everyone been using the terminal approach, the story would have been the other way round.

If your account is compromised and you regularly use it to switch to root (no matter how), then the best guess is that your system is compromised as well.

In order to really escape from this issue, you need something unforgeable. A certain OS from Redmond actually shows how this can be done. In some versions it would require the user to press Ctrl-Alt-Delete before logging in, so forging the login screen was next to impossible. So to really separate the user from the administrator, administrative actions would need to be queued somewhere, then the user needs to switch to an administrative account (doing something like the key combo dance) and then process pending actions from that account.

Now is this really worth it?

Helmut