On Mon, Jun 14, 2010 at 4:54 PM, Tzafrir Cohen <tzaf...@cohens.org.il> wrote:

> On Mon, Jun 14, 2010 at 05:36:33AM -0700, Elazar Leibovich wrote:
> > 1) I'm not sure sniffing your keyboard and recognizing when you type your
> > password is so easy, but I might be wrong.
> > 2) I believe that there's some mechanism which prevents any other software
> > to mask graphically the authentication dialog, so that if you're seeing the
> > real authentication dialog - you can trust what you see.
>
> It's not about masking one. It's about faking one.
>

I don't understand, what would faking a dialog give the attacker? (If you're saying that it will cause the user to ignore permission dialogs altogether, I don't think it's plausible; on the contrary, the user will notice something is suspicious - the package update software is asking for an update, yet nothing happens.)

> > However using Vista signed executable idea, for instance none of this could
> > happen, since every time a program asks for privilege leverage the dialog
> > box states explicitly which executable is asking for it, and you never write
> > your own password except in login, so whatever the malicious program does it
> > cannot get root privileges.
>
> "Never" is a very strong word. The main problem here is that you'll
> eventually need to run "untrusted" binaries for various reasons. And thus
> you'll get used to bypassing that mechanism on a regular basis.
>
> Not to mention that "trusted" binaries may do way too much. For instance,
> /bin/bash is a trusted binary on your Linux system. It is installed
> from a signed package. Yet chmod s+u /bin/bash is not such a grand idea.
>

In the authentication dialog you will see the command line which is requested, and if it's something like "/bin/bash rm -rf /" ignore it. Moreover I wouldn't allow bash to ask for permission leverage through the GUI at all.

> Trusting any signed binaries sounds all too much like a generic sudo
> line. It might be a good solution, but not for this problem.
>
> Again, look into the *Kit stuff, if sudo is not good enough for you.
>

Again, sudo is super. I even considered using it on some Windows machine which unfortunately lacks this feature. It's the Ubuntu GUI for leveraging permissions which bothers me.

I took a quick look at the *Kit stuff. I don't see immediately what ConsoleKit is doing, but indeed disabling any possibility to sudo through the GUI, and only running a package daemon, is a nice step towards a better authentication scheme. However I don't see how it is a solution for the general problem of executing untrusted binaries in a desktop environment.

> --
> Tzafrir Cohen         | tzaf...@jabber.org | VIM is
> http://tzafrir.org.il |                    | a Mutt's
> tzaf...@cohens.org.il |                    | best
> tzaf...@debian.org    |                    | friend
>
> _______________________________________________
> Linux-il mailing list
> Linux-il@cs.huji.ac.il
> http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
>
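As an added example (my own script, not anything posted in this thread): a POSIX shell check for the situation Tzafrir raises, a signed, "trusted" binary that is a generic interpreter such as /bin/bash carrying the setuid or setgid bit, which would hand any local user an unrestricted privileged shell. It reads find(1) output in the form "mode path" and prints the interpreters that carry a special bit. The list of interpreter names and the sample find output below are my own constructions for illustration; on a real host you would pipe the live find output into flag_risky_setuid instead.

```shell
#!/bin/sh
# Added example, not from the thread. Flags "trusted" generic interpreters
# (bash, perl, ...) that carry the setuid/setgid bit. The interpreter list is
# an assumption of what counts as "too generic" to ever be setuid.

GENERIC_INTERPRETERS='bash sh dash zsh ksh python python3 perl ruby env'

# is_generic_interpreter PATH: returns 0 if PATH's basename is on the list.
is_generic_interpreter() {
    name=$(basename -- "$1")
    for g in $GENERIC_INTERPRETERS; do
        [ "$name" = "$g" ] && return 0
    done
    return 1
}

# flag_risky_setuid: reads "MODE PATH" lines on stdin, as printed by
#   find / -xdev -perm /6000 -type f -printf '%m %p\n'
# and prints each PATH whose mode has setuid (4) or setgid (2) set and whose
# basename is a generic interpreter.
flag_risky_setuid() {
    while read -r mode path; do
        [ -n "$path" ] || continue
        # find's %m prints e.g. 755 (no special bits) or 4755 (setuid); only a
        # 4-digit mode can carry setuid/setgid, and its leading digit holds them.
        [ ${#mode} -ge 4 ] || continue
        case "${mode%???}" in
            [2-7]) ;;      # 2=setgid, 4=setuid, 6=both; odd values add sticky
            *) continue ;; # 0 = none, 1 = sticky only
        esac
        if is_generic_interpreter "$path"; then
            printf '%s\n' "$path"
        fi
    done
}

# Constructed sample of find(1) output (not captured from a real host).
SAMPLE='4755 /usr/bin/sudo
4755 /usr/bin/passwd
4755 /bin/bash
2755 /usr/bin/wall
755 /usr/bin/python3
6755 /usr/local/bin/perl
1755 /bin/dash'

# scan_sample: runs the check over SAMPLE. A live scan would be:
#   find / -xdev -perm /6000 -type f -printf '%m %p\n' 2>/dev/null | flag_risky_setuid
scan_sample() {
    printf '%s\n' "$SAMPLE" | flag_risky_setuid
}

scan_sample
```

Running it over the sample prints only /bin/bash and /usr/local/bin/perl: sudo and passwd are setuid but purpose-built, python3 has no special bits, and dash carries only the sticky bit. That is exactly the distinction a "trust any signed binary" policy cannot make, which is why a per-command sudoers entry or a PolicyKit action scoped to one helper is the better shape.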