Visually authenticating windows (Re: Toshiba Satellite 4090CDT + sudo ideas)

Matt Zimmerman mdz at canonical.com
Thu Dec 23 18:19:48 CST 2004


On Thu, Dec 23, 2004 at 04:47:28PM -0500, David Mandelberg wrote:

> Matt Zimmerman wrote:
> > I don't know of any way to do this, no.  It is an inherent weakness of the
> > security model used by su and sudo, that there are various ways to
> > "piggyback" on the user's escalated privileges, and thus gain root if the
> > user is compromised.
> It could be done by using one time keys stored as X properties of the window(s)
> running as root. To set or get a new one time key, you have to be root, and once
> a window uses the key, it's invalidated for all other windows, and once that
> window is closed it's invalidated for all windows.
>
> The key file should have perms something like root:rootkey 0640.
> 
> The window manager could change the border if the key is valid for that window
> id (since the window manager couldn't read the key file, a sgid rootkey helper
> app or daemon run as group rootkey could be used that takes a key and window id
> on stdin/named pipe and outputs 0 or 1 on stdout/named pipe for valid or invalid).

A simpler approach would be to have the X server provide trusted
authentication information, since it can retrieve uid credentials via its
UNIX socket.

I didn't mean that this is impossible, only that I know of no way to
implement it using the existing infrastructure.  It would be within reason
for us to add support for such a mechanism to our standard window manager,
but not to standardize and develop the infrastructure from scratch.  This
seems like the sort of thing that would be good to discuss in the context of
freedesktop.org or a standards organization.

As you point out, there are some difficult issues to be resolved in order to
have windows which can be visually authenticated.

> Also, a kernel patch could be written that would execute /usr/bin/sudo -k
> (sudo -k makes sudo prompt you for the password the next time it's run)
> whenever a user executes a setuid 0 (in the kernel uid 0 is better than
> mapping root to 0) program. This would make life with sudo miserable for
> console junkies, but could be controlled with sysctl and/or /proc.

What would be the point of this?  It sounds unrelated to the window
appearance, and the kernel has no business interacting with sudo.

-- 
 - mdz
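As an added illustration (not code from the thread or from any Ubuntu project), the semantics David sketches for the rootkey helper, modelled in Python: the first window to use a key binds it, every other window id is then rejected for that key, and closing the window invalidates the key everywhere. The class and function names are hypothetical.

```python
import secrets
from typing import Dict, Optional


class RootKeyRegistry:
    """Model of the one-time key store proposed in the thread (hypothetical).

    In the real design only root could mint or read keys; here minting is a
    plain method so the validation rules can be exercised stand-alone.
    """

    def __init__(self) -> None:
        # key -> window id it is bound to; None means not yet used by any window
        self._bound: Dict[str, Optional[int]] = {}

    def issue_key(self) -> str:
        key = secrets.token_hex(16)
        self._bound[key] = None
        return key

    def validate(self, key: str, window_id: int) -> int:
        """Return 1 if the key is valid for this window id, else 0."""
        if key not in self._bound:
            return 0
        owner = self._bound[key]
        if owner is None:
            # first use binds the key to this window and to no other
            self._bound[key] = window_id
            return 1
        return 1 if owner == window_id else 0

    def close_window(self, window_id: int) -> None:
        """Once the window is closed its key is invalid for all windows."""
        for key, owner in list(self._bound.items()):
            if owner == window_id:
                del self._bound[key]


def handle_request(registry: RootKeyRegistry, line: str) -> str:
    """Handle one 'key window_id' request as the stdin/stdout helper would.

    Malformed input is treated as invalid ('0') rather than raising, so a
    misbehaving window manager cannot crash the helper.
    """
    parts = line.split()
    if len(parts) != 2 or not parts[1].isdigit():
        return "0"
    return str(registry.validate(parts[0], int(parts[1])))
```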
