Visually authenticating windows (Re: Toshiba Satellite 4090CDT + sudo ideas)
David Mandelberg
mandelbergd at eth0.is-a-geek.org
Thu Dec 23 20:37:24 CST 2004
Matt Zimmerman wrote:
> On Thu, Dec 23, 2004 at 04:47:28PM -0500, David Mandelberg wrote:
>
>
>>Matt Zimmerman wrote:
>>
>>>I don't know of any way to do this, no. It is an inherent weakness of the
>>>security model used by su and sudo, that there are various ways to
>>>"piggyback" on the user's escalated privileges, and thus gain root if the
>>>user is compromised.
[snip]
>>Also, a kernel patch could be written that would execute /usr/bin/sudo -k
>>(sudo -k makes sudo prompt you for the password the next time it's run)
>>whenever a user executes a setuid 0 (in the kernel uid 0 is better than
>>mapping root to 0) program. This would make life with sudo miserable for
>>console junkies, but could be controlled with sysctl and/or /proc.
>
>
> What would be the point of this? It sounds unrelated to the window
> appearance, and the kernel has no business interacting with sudo.
>
It addresses the 'inherent weakness of the security model used by su and sudo'
and the piggybacking issue. As for the kernel interacting with sudo, that was
just an example (sorry for not being clear), the actual program and arguments it
runs could be configured by /proc. The idea is just that it would prevent
hijacking of benevolent password storing or authentication without checking
credentials. A better way to do it would probably be to prevent sudo from saving
auth info.
--
David Mandelberg
mandelbergd at eth0.is-a-geek.org
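
The closing suggestion in the message above, preventing sudo from saving auth info, corresponds to the sudoers `timestamp_timeout` option (0 means sudo prompts every time, a negative value means the cached credential never expires). As an added example, not part of the original message or of sudo itself, this shell function audits sudoers text for that setting; the function names and the sample sudoers content are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message): audit sudoers text for
# credential caching. Reads sudoers content on stdin and prints one line per
# Defaults scope: "<scope> <minutes> <verdict>".
sudo_cache_policy() {
    awk '
    /^[ \t]*#/ { next }                      # comments and #include lines
    $1 ~ /^Defaults/ {
        scope = $1                           # Defaults, Defaults:user, Defaults@host, ...
        line = $0
        sub(/^[ \t]*[^ \t]+[ \t]*/, "", line)        # drop the Defaults word
        n = split(line, opts, /[ \t]*,[ \t]*/)
        for (i = 1; i <= n; i++) {
            if (opts[i] !~ /^timestamp_timeout[ \t]*=/) continue
            v = opts[i]
            sub(/^[^=]*=[ \t]*/, "", v)
            sub(/[ \t]+$/, "", v)
            if (!(scope in seen)) order[++k] = scope
            seen[scope] = v                  # a later entry overrides an earlier one
        }
    }
    END {
        # No global setting found: sudo falls back to its compiled-in timeout.
        if (!("Defaults" in seen)) { order[++k] = "Defaults"; seen["Defaults"] = "default" }
        for (i = 1; i <= k; i++) {
            v = seen[order[i]]
            if (v == "default")                      verdict = "CACHED-DEFAULT"
            else if (v !~ /^-?[0-9]+(\.[0-9]+)?$/)   verdict = "UNPARSED"
            else if (v + 0 == 0)                     verdict = "NO-CACHE"
            else if (v + 0 < 0)                      verdict = "CACHED-FOREVER"
            else                                     verdict = "CACHED"
            print order[i], v, verdict
        }
    }'
}

# Constructed sample sudoers content, for illustration only.
sample_sudoers() {
    cat <<'EOF'
# constructed sample
Defaults env_reset, timestamp_timeout=15
Defaults:backup timestamp_timeout=-1
Defaults timestamp_timeout=0
%admin ALL=(ALL) ALL
EOF
}

sample_sudoers | sudo_cache_policy
```

Run it against a real file with `sudo_cache_policy < /etc/sudoers` (root is needed to read it); included files are not followed.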