On Mon, Jun 14, 2010 at 08:12:43PM +0300, Elazar Leibovich wrote:
> The problem:
> In the current workflow for desktop Linux, you need to routinely leverage
> the privilege of some GUI application. Those applications run constantly in
> the background and might prompt the user to take action.
> We *want* those applications to constantly run in the background and prompt
> the user to take action. This is a good thing.
> When the program asks the user to leverage its privileges, the standard
> leverage dialog does not contain any verifiable information for who actually
> asked to leverage its permissions.
> That is, the only authentication method the user employs to verify he's
> giving root privilege to the correct program is this program's visual look.
>
> However, this workflow enables a simple attack. The offending program would
> change its look to look like a legitimate program, and ask the user to
> leverage its permissions. The user has no way to know that he's leveraging
> the permissions of a different program.
>
> This problem can be solved in many ways, for instance:
> 1) Allow the user to sudo only a limited set of software.
> 2) Allow the user to sudo all programs, but do not allow any software to
> prompt the user for extra permission.
> But I'm not interested in extra limitations. I want to allow the user
> to sudo whatever he wishes, to allow any program to prompt for extra
> permissions, but still disallow malicious software disguising itself as
> legitimate software and tricking the user into giving it extra privileges.

Define "malicious software". For instance, should a script that I wrote be
considered "malicious"? A script that root wrote?

> How did Vista "solve" this problem?
> When a software prompts for extra permissions, the user sees which
> software asked for that, and if it's digitally signed, the application's name and
> author are displayed.
> The user is expected to examine those details and allow the program to get
> extra privileges if he wishes (software from Sun? OK, it's a Java update; I
> clicked on the Firefox installer, I expect software from Mozilla Foundation to
> prompt for permissions; unsigned software is asking for permissions after I
> clicked to update my Java - wow, that's alarming!).
> Of course there are many problems with this approach (for instance, let's
> sign my malware for "the Sun Inc" instead of "Sun Inc"), but it's a good
> first step.

A certificate may serve to guarantee that the software indeed comes from a
well-known vendor. But it says nothing about it being safe for running under
sudo. Do I want to allow my users to run all the Sun programs? (and by
extension: all Java programs, through a JVM) with root privs?

This is a good(?) answer to a different question.

-- 
Tzafrir Cohen         | tzaf...@jabber.org | VIM is
http://tzafrir.org.il |                    | a Mutt's
tzaf...@cohens.org.il |                    | best
tzaf...@debian.org    |                    | friend

_______________________________________________
Linux-il mailing list
Linux-il@cs.huji.ac.il
http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
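The thread above treats a signed publisher name as the thing the user is asked to verify, and points out the "the Sun Inc" vs "Sun Inc" weakness of that idea. The following is an added example, not code from the thread or from any elevation framework, showing how a defender-side policy check can refuse to treat a near-miss publisher name as trusted and can flag a prompt whose signer does not match what the user just launched. The allowlist, the publisher names, the similarity threshold and the function names are all constructed for illustration.

```python
import difflib
import unicodedata
from typing import Optional

# Constructed allowlist: the publishers this desktop is willing to grant
# an elevation prompt to. Hypothetical values, not any real policy.
TRUSTED_PUBLISHERS = {"Sun Inc", "Mozilla Foundation"}

# Filler words that lookalike names add or drop ("the Sun Inc", "Sun, Inc.").
FILLER = {"the", "inc", "ltd", "llc", "corp", "corporation"}

# Similarity above which a non-identical name is treated as an imitation
# of a trusted publisher rather than as an unrelated unknown one.
LOOKALIKE_RATIO = 0.8


def normalize(name: str) -> str:
    """Collapse the variations a lookalike relies on: Unicode compatibility
    forms, letter case, punctuation, extra whitespace and filler words."""
    text = unicodedata.normalize("NFKC", name).casefold()
    text = "".join(ch if ch.isalnum() or ch.isspace() else " " for ch in text)
    return " ".join(tok for tok in text.split() if tok not in FILLER)


def classify_signer(signer: Optional[str]) -> str:
    """Classify the publisher string carried by an elevation request.

    Only an exact match against the allowlist counts as trusted. A name that
    becomes identical to, or very similar to, a trusted name after
    normalization is a lookalike: it is a different signing identity that
    merely resembles one we trust, so it must never be upgraded to trusted.
    """
    if not signer:
        return "unsigned"
    if signer in TRUSTED_PUBLISHERS:
        return "trusted"
    norm = normalize(signer)
    for trusted in TRUSTED_PUBLISHERS:
        trusted_norm = normalize(trusted)
        ratio = difflib.SequenceMatcher(None, norm, trusted_norm).ratio()
        if norm == trusted_norm or ratio >= LOOKALIKE_RATIO:
            return "lookalike"
    return "unknown"


def evaluate_prompt(signer: Optional[str],
                    expected_publisher: Optional[str] = None) -> str:
    """Combine the signer check with user context, as in the Vista example in
    the thread: a trusted signer that is not the publisher of the program the
    user just launched (a Sun prompt after clicking the Firefox installer)
    is reported as a mismatch so the UI can warn rather than silently allow."""
    verdict = classify_signer(signer)
    if (expected_publisher is not None and verdict == "trusted"
            and signer != expected_publisher):
        return "mismatch"
    return verdict


if __name__ == "__main__":
    # Constructed sample requests, in the order the thread discusses them.
    samples = [
        ("Sun Inc", "Sun Inc"),                 # Java update, as expected
        ("Sun Inc", "Mozilla Foundation"),      # Sun prompt after Firefox click
        (None, "Sun Inc"),                      # unsigned prompt after Java click
        ("the Sun Inc", None),                  # imitation of a trusted name
        ("Acme Widgets", None),                 # unrelated unknown publisher
    ]
    for signer, expected in samples:
        print(f"{signer!r:22} expected={expected!r:22} -> "
              f"{evaluate_prompt(signer, expected)}")
```

The deliberate design choice is that similarity only ever downgrades a request: a fuzzy match is evidence of imitation, not of identity, so the allowlist comparison stays exact and the normalized comparison is used solely to raise a "lookalike" verdict that a policy should treat at least as suspiciously as an unsigned request.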