On Mon, Jun 14, 2010 at 02:52:30AM -0700, Elazar Leibovich wrote:
> I think you're missing the very fundamental problem I was discussing.
> Sudo is great, having the default user in the admin group, enabling him to
> sudo everything is even better. But this applies only when working with the
> CLI.
> However, when using a GUI system, and administrating your system using the
> GUI, you're exposing the user to a great threat. When using the CLI no
> software can ask you for input, therefore if you sudo for anything it is
> definitely you who did that. It is very hard to trick the user into sudo'ing
> something he didn't want to.
>
> When the user is administrating his system through the GUI, he will sudo a
> legitimate software by typing his password. It is even worse than that - the
> legitimate software which needs to be sudo'd will ask (by means of the
> taskbar) from time to time the user to leverage its permission by typing
> password.
> The authentication scheme the user employs in order to recognize who asked
> for permission is only the visual layout of the application. It is very easy
> for an attacker to make his software look like the update manager, and ask
> the user to update his software through the taskbar. If the casual user is
> used to typing his password every time the update manager asks him to update
> his system - he'll do that for hostile software which uses the update
> manager's icon as well. Even experienced users might be tricked, as you're
> having zero visual clue about the software identity.
>
> Sudo here is *not* the problem, it's great. The problem is the
> authentication scheme the GUI sudo version employs in order to recognize
> which software asked for permission. In Windows the authentication scheme
> seems to be through signed executables, in current version of Ubuntu the
> authentication scheme is zero.

Hmm... if a program managed to get in a position where it can pop up a
prompt, it may also sniff your key-strokes.

It may also present you a false certification dialog. If you're used to
clicking through certification dialogs, you'll easily miss that.

It may also prompt you to update packages, which is quite legitimate,
but then after a minute run 'sudo chmod u+s /bin/bash', while the sudo
credentials are still cached.

-- 
Tzafrir Cohen         | tzaf...@jabber.org | VIM is
http://tzafrir.org.il |                    | a Mutt's
tzaf...@cohens.org.il |                    |  best
tzaf...@debian.org    |                    | friend
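
Added example, not part of the original message: a detection sketch for the cached-credential case in the reply above, which scans sudo's syslog entries for `chmod` commands that add a setuid/setgid bit and marks those that followed another sudo command by the same user within the cache window. The log lines are constructed, the function names are hypothetical, and the 15-minute window is an assumption to be replaced by the host's `timestamp_timeout`.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the syslog format sudo writes (e.g. to auth.log).
SAMPLE_LOG = """\
Jun 14 12:00:05 desk sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get upgrade
Jun 14 12:01:07 desk sudo:    alice : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/chmod u+s /bin/bash
Jun 14 12:30:00 desk sudo:      bob : TTY=pts/2 ; PWD=/srv ; USER=root ; COMMAND=/bin/chmod 0755 /srv/run.sh
Jun 14 13:10:00 desk sudo:      bob : TTY=pts/2 ; PWD=/srv ; USER=root ; COMMAND=/bin/chmod 4755 /srv/helper
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sudo:\s+(?P<user>\S+) : "
    r".*?USER=\S+ ; COMMAND=(?P<cmd>.+)$")

def sets_setid(mode):
    """True if a chmod mode argument adds a setuid or setgid bit."""
    if re.fullmatch(r"[0-7]+", mode):              # octal, e.g. 4755
        return bool(int(mode, 8) & 0o6000)
    # symbolic, e.g. u+s, ug+s, u=rwxs (comma-separated clauses)
    return any(re.fullmatch(r"[ugoa]*[+=][rwxXt]*s[rwxXst]*", c)
               for c in mode.split(","))

def find_setid_chmod(log_text, window=timedelta(minutes=15), year=2000):
    """Return (user, command, within_cache_window) for each flagged entry.

    syslog timestamps carry no year, so `year` is a placeholder used only
    to compute time differences.
    """
    last_sudo = {}   # user -> time of that user's previous sudo command
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        user, argv = m["user"], m["cmd"].split()
        prev, last_sudo[user] = last_sudo.get(user), when
        if argv[0].rsplit("/", 1)[-1] != "chmod":
            continue
        # first non-option argument is the mode
        mode = next((a for a in argv[1:] if not a.startswith("-")), "")
        if sets_setid(mode):
            cached = prev is not None and when - prev <= window
            hits.append((user, m["cmd"], cached))
    return hits

if __name__ == "__main__":
    for user, cmd, cached in find_setid_chmod(SAMPLE_LOG):
        print(f"{user}: {cmd} (inside cache window: {cached})")
```

An entry marked as inside the window most likely ran without a fresh password prompt, which is the pattern worth reviewing first.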