cross-platform virus

Tristan Wibberley maihem at maihem.org
Sun Apr 9 15:32:12 BST 2006


john wrote:
>> Do not use sudo -s. Use sudo -i. sudo -s should be removed or at the
>> least documented that it should never be used.
>>
>> sudo -s runs your own .bashrc as root - yet your .bashrc is writable by
>> your own user account - which could be compromised by a firefox flaw, or
>> a flaw in your email program, etc...
> 
> But couldn't the attacker place something like alias "sudo=sudo -s #" in
> your .bashrc anyway? It seems that the only solution is to protect users
> from the software they run (e.g. Plash), rather than trying to stop trojans
> owning root after they have already owned administrator accounts.

Yes, I've raised this before. It requires modifications to
sudo/su/login/gksudo/X/getty and an unspoofable way to provide feedback
that input will go straight to one of sudo/su/login/gksudo and to
nowhere else. Perhaps, also, a SysRq combo can be passed through to come
out of secure mode and go back in again for accessibility.

The feedback method is still unsolved, but you could disable
manipulation of scroll lock by unprivileged programs, perhaps, and use a
flashing scroll-lock to indicate secure input mode. If you have an
on-screen-keyboard, though, there needs to be a region of the screen
that the X server won't allow unprivileged programs to write to. That
means the on-screen-keyboard will have to be privileged. This is all to
prevent the trusted processes being modified or snooped and allowing the
input handling programs to ensure input goes only to trusted binaries -
and letting them tell the user that the current input will be treated
securely.

-- 
Tristan Wibberley
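
The alias john describes in the quoted text is a line in a user-writable startup file, so an audit can at least look for it. The script below is an added example, not part of the original message: the function names, the guarded-command list and the sample file content are assumptions constructed for illustration, and it only covers alias and function definitions.

```shell
#!/bin/sh
# Added example: flag startup-file lines that redefine the commands the thread
# names (sudo/su/login/gksudo). Heuristic: aliases and functions only.

GUARDED='sudo|su|login|gksudo'

# find_shadowing FILE -> prints FILE:LINE:TEXT for each hit.
# Exit status: 0 = hit(s) found, 1 = none, 2 = FILE unreadable.
find_shadowing() {
    [ -r "$1" ] || return 2
    awk -v names="$GUARDED" '
        BEGIN {
            pre = "[;&| \t]"   # a command word starts after one of these
            alias_re = pre "alias[ \t]+([^#]*[ \t])?[\"\047]?(" names ")="
            func_re  = pre "((" names ")[ \t]*\\(\\)|function[ \t]+(" names ")[ \t(){])"
        }
        /^[ \t]*#/ { next }                  # skip whole-line comments
        { line = " " $0 " " }                # pad so the edges match like spaces
        line ~ alias_re || line ~ func_re {
            printf "%s:%d:%s\n", FILENAME, NR, $0
            found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# write_sample FILE -> constructed .bashrc content, not taken from a real system.
write_sample() {
    cat > "$1" <<'EOF'
# alias sudo=harmless-because-commented
alias ll='ls -l'
alias "sudo=sudo -s #"
su() { command su "$@"; }
export EDITOR=vi
EOF
}

# Demo: audit the constructed sample, then clean up.
sample=$(mktemp) && write_sample "$sample"
find_shadowing "$sample" || echo "no shadowing definitions found"
rm -f "$sample"
```

A clean result only means no alias or function of those names was found in that file; it says nothing about PATH changes or other startup files.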


