Ubuntu Desktop Security Defaults

John McCabe-Dansted gmatht at gmail.com
Tue Mar 17 16:39:30 UTC 2009


On Mon, Mar 16, 2009 at 3:13 PM, Null Ack <nullack at gmail.com> wrote:
> * Having AppArmor actually protecting the desktop build rather than
> what currently seems a false illusion of coverage with just CUPS
> being protected

The big problem with GUI apps is that Xorg was not really designed to
be secure, so apps can take control of other apps via X's ability to
send/trap other applications' keypresses etc. There is an "untrusted"
mode, but it tends to break most existing applications.

Also IMHO, Plash is better suited to GUI apps than AppArmor. It can be
hard to develop a good AppArmor profile for desktop apps, e.g. I may
choose to open /etc/passwd with OpenOffice. Since I may choose to open
any file with virtually any application, AppArmor would be of
little use if we do not make questionable assumptions about what files
the user will want to open. Plash is better suited to desktop apps, as
it replaces the GTK file open dialog with a trusted dialog that passes
in the right to open the files the user selects (and only the files
the user selects).

> * Enabling UFW by default or some other firewall by default

I am not sure if this would help much until we protect desktop
applications from each other (above). Ubuntu already has no open
ports. A firewall could theoretically prevent non-authorized software
from accessing the network; however, I understand there are currently a
number of ways for non-authorized software to hijack authorized
software. E.g. you would have to allow a bittorrent client to act as both
a client and a server, and it would be hard for a firewall to tell
whether bittorrent was run with a weird LD_LIBRARY_PATH that caused
bittorrent to serve the malware.

> In my view the users want to feel secure in knowing that should a zero
> day exploit be identified, that AppArmor or SELinux or foo or whatever
> will trap the damage the exploited service can take beyond the
> standard "user is not root" UNIX setup.

Unfortunately, at this point the feeling of security would be likely
to be false, as there are currently ways for malware writers to bypass
the additional security that these could potentially bring to GUI
apps.

The good news is that AFAICT all we need is for Xorg to support a more
compatible "untrusted"-like mode so that we could use Plash to give
GTK apps real uncircumventable security, and non-GTK apps could easily
be adapted to use the GTK file chooser.
  http://plash.beasts.org/
(Optimizing Plash to the same extent as AppArmor wouldn't hurt either)

-- 
John C. McCabe-Dansted
PhD Student
University of Western Australia
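The hijack case John raises for the firewall point (an approved client such as a bittorrent program started with LD_LIBRARY_PATH pointing at attacker-controlled libraries) is invisible to a firewall that only looks at the executable path, but it does leave a trace in /proc. The following is an added example, not code from the original thread or from Plash, AppArmor or ufw: it reads the same text Linux exposes in /proc/<pid>/maps and /proc/<pid>/environ and flags shared objects mapped from outside the system library directories, plus any loader-override variables in the process environment. The trusted directory list, the sample process and the paths in it are constructed assumptions.

```python
"""Check whether a running process has pulled shared libraries from
outside the distribution's library directories, or carries loader
variables that redirect library resolution. Added example; the sample
/proc data below is constructed, not captured from a real system."""

import re
from pathlib import PurePosixPath

# Directories a packaged binary is expected to load shared objects from.
# This list is an assumption; adjust it for the distribution in use.
TRUSTED_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64", "/usr/local/lib")

# Environment variables the dynamic loader honours for ordinary (non-setuid)
# binaries. Their presence is not proof of hijacking, but a process that the
# firewall has approved for network access should not normally carry them.
LOADER_VARS = ("LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT")

# /proc/<pid>/maps fields: address perms offset dev inode [pathname]
_MAPS_RE = re.compile(r"^\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(/\S+)$")


def mapped_shared_objects(maps_text):
    """Return the set of file-backed shared-object paths in a maps dump.
    Pseudo-mappings such as [heap] and [stack] are skipped because their
    sixth field does not start with '/'."""
    paths = set()
    for line in maps_text.splitlines():
        m = _MAPS_RE.match(line.strip())
        if m and ".so" in PurePosixPath(m.group(1)).name:
            paths.add(m.group(1))
    return paths


def untrusted_libraries(maps_text, trusted_dirs=TRUSTED_LIB_DIRS):
    """Shared objects mapped from outside trusted_dirs, sorted for stable output."""
    def is_trusted(path):
        return any(path == d or path.startswith(d + "/") for d in trusted_dirs)
    return sorted(p for p in mapped_shared_objects(maps_text) if not is_trusted(p))


def loader_overrides(environ_bytes):
    """Loader-related variables found in a NUL-separated environ blob."""
    found = {}
    for entry in environ_bytes.split(b"\0"):
        if b"=" not in entry:
            continue
        key, value = entry.split(b"=", 1)
        key = key.decode(errors="replace")
        if key in LOADER_VARS:
            found[key] = value.decode(errors="replace")
    return found


def audit_process(maps_text, environ_bytes):
    """Combine both checks into one report for a process."""
    return {
        "untrusted_libs": untrusted_libraries(maps_text),
        "loader_overrides": loader_overrides(environ_bytes),
    }


def audit_pid(pid):
    """Run the same report against a live process (needs permission to
    read /proc/<pid>/maps and /proc/<pid>/environ)."""
    with open(f"/proc/{pid}/maps") as f:
        maps_text = f.read()
    with open(f"/proc/{pid}/environ", "rb") as f:
        environ_bytes = f.read()
    return audit_process(maps_text, environ_bytes)


# Constructed sample: a bittorrent client whose binary lives in /usr/bin (so a
# path-based firewall rule would approve it), started with LD_LIBRARY_PATH
# pointing at a directory under $HOME that holds a replacement libssl.
SAMPLE_MAPS = """\
00400000-00452000 r-xp 00000000 08:01 393228 /usr/bin/transmission-gtk
7f3a1c000000-7f3a1c1a0000 r-xp 00000000 08:01 655987 /lib/x86_64-linux-gnu/libc-2.9.so
7f3a1c3a0000-7f3a1c3c0000 r-xp 00000000 08:01 131090 /home/user/.cache/x/libssl.so.0.9.8
7f3a1c5c0000-7f3a1c5c1000 rw-p 00000000 00:00 0 [heap]
7f3a1c700000-7f3a1c710000 r-xp 00000000 08:01 655990 /usr/lib/libgtk-x11-2.0.so.0
7fff12340000-7fff12360000 rw-p 00000000 00:00 0 [stack]
"""
SAMPLE_ENVIRON = b"HOME=/home/user\0LD_LIBRARY_PATH=/home/user/.cache/x\0PATH=/usr/bin\0"


if __name__ == "__main__":
    report = audit_process(SAMPLE_MAPS, SAMPLE_ENVIRON)
    for lib in report["untrusted_libs"]:
        print(f"library outside system dirs: {lib}")
    for var, val in report["loader_overrides"].items():
        print(f"loader override: {var}={val}")
```

Two caveats for anyone using this as a check: /proc/<pid>/environ shows the environment the process was started with, so a hijacked process that re-executes itself with a clean environment after the malicious library is loaded will pass the environ check but still fail the maps check, which is the stronger of the two. And a firewall that keys its rule on the executable path sees /usr/bin/transmission-gtk in both the clean and the hijacked case, which is exactly why the message above argues a per-application firewall adds little until applications are isolated from each other.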




More information about the Ubuntu-devel-discuss mailing list