Re Kubuntu 64bit, several issues

Tristan Wibberley maihem at maihem.org
Sun Aug 14 14:54:52 CDT 2005


Matt Zimmerman wrote:
> On Sun, Aug 14, 2005 at 06:05:44PM +0100, Tristan Wibberley wrote:
> 
> 
>>Surely when running su and sudo, the console input is protected from
>>keylogging?
> 
> 
> No.  Consider that if your user account is compromised, you can't even be
> sure that you are running su or sudo, and not a trojan.

That's what I was asking for in my original post, protection against
that. The X server is started from a known place and I'd like to be able
to force gnome-session or KDE from a known place, which will only start
gnome-panel from a known place, which will only start gksu from a known
place. And similarly for login starting bash and bash starting sudo. If
that path can be secured, then the whole path to escalation of
privileges for administrative tasks can be secured (or at least a
couple of secure routes provided). At the moment there is no way to do
that (e.g., PATH can be altered by the user, aliases can be set). But if
the system bash (and other routes to running sudo) can be assured -
which I think they can - then sudo becomes safe even in the face of a
user account compromise.

What would be nicer still is if terminal emulators and the X server
could provide a different display when a known binary is asking for
privileged information in a secure manner (a display that they cannot be
asked to produce in any other way). So you can see at a glance if you
are in a secure environment when you're prompted for your password.

> 
>>Otherwise there is little point to requiring proof that a user running
>>sudo synaptic is the real user. That is the point of sudo, I can do my
>>normal web browsing on my normal account and trust that an attacker can't
>>screw the system (bugs in the kernel or setuid programs excepted), if this
>>is not true administration shouldn't be available (or at least not
>>recommended) through sudo, you should log out and log into an
>>administration account that just has administration functions.
> 
> 
> It is a tradeoff; if you prefer to administer your system this way, simply
> set a root password and remove yourself from the admins group.

I'd prefer to do it with sudo, but it currently isn't safe to browse the
internet from the same user account since there is no way to know that
you are giving your password to sudo or an attacker. I was posting to
see if there is a way to secure it (which I think there is - that is to
provide a way to know that you are not running a trojan).

> 
>>Which makes me think of something else. The password caching of sudo is
>>supposed to be safe because the user that typed the password is expected
>>to still be nearby, which only helps when somebody is running sudo from
>>the console - if the attacker is running programs over the network a
>>cached password lets an attacker do stuff without anybody being able to
>>tell and without anything to stop it.
> 
> 
> That's why sudo (as configured by default in Ubuntu) only allows the cached
> ticket to be used on the same terminal.

Ah, great, that fear is unfounded then.

-- 
Tristan Wibberley

Opinions expressed are my own and do not necessarily coincide with those
of my employer, etc.
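The PATH part of the problem discussed above (a user account that can rearrange PATH can put a fake sudo ahead of the real one) can at least be checked for before a password is typed. The following script is an added example and is not code from the mailing list thread or from Ubuntu; it assumes that system binaries live in the directories listed in TRUSTED_DIRS (an assumption, adjust for your distribution) and reports where a command name will resolve and whether any user-writable directory is searched before it.

```shell
#!/bin/sh
# Added example, not code from the thread: a check a user can run before
# typing a password into "sudo" or "su". It answers "am I about to run
# the real sudo?" for the PATH part of the problem only: it prints where
# the name resolves and whether a directory writable by this user is
# searched earlier in PATH. Aliases and shell functions live in the
# interactive shell and cannot be seen from a script; see the note at
# the bottom.
#
# Assumption (ours, not the thread's): system binaries live here.
TRUSTED_DIRS="/usr/bin /bin /usr/sbin /sbin"

# first_match NAME: print the first executable NAME along PATH, the same
# lookup the shell performs once aliases and functions are out of the way.
first_match() (
    set -f                      # no globbing of PATH entries
    IFS=:
    for dir in $PATH; do
        [ -n "$dir" ] || dir=.  # an empty PATH entry means the current directory
        if [ -f "$dir/$1" ] && [ -x "$dir/$1" ]; then
            printf '%s\n' "$dir/$1"
            exit 0
        fi
    done
    exit 1
)

# is_trusted_dir DIR: succeed when DIR is one of TRUSTED_DIRS.
is_trusted_dir() {
    for t in $TRUSTED_DIRS; do
        [ "$1" = "$t" ] && return 0
    done
    return 1
}

# writable_dirs_before PATHNAME: print every PATH entry searched before the
# directory holding PATHNAME that the current user can write to. Any such
# directory lets a program running as this user plant a fake "sudo" that
# will be found first.
writable_dirs_before() (
    set -f
    target=${1%/*}
    IFS=:
    for dir in $PATH; do
        [ -n "$dir" ] || dir=.
        [ "$dir" = "$target" ] && break
        [ -d "$dir" ] && [ -w "$dir" ] && printf '%s\n' "$dir"
    done
    exit 0
)

# check_trusted_path NAME: print a one-line verdict; return 0 only when NAME
# resolves to a trusted directory with no writable directory ahead of it.
check_trusted_path() {
    name=$1
    path=$(first_match "$name") || {
        printf 'missing: %s is not on PATH\n' "$name"
        return 1
    }
    dir=${path%/*}
    if ! is_trusted_dir "$dir"; then
        printf 'WARNING: %s resolves to %s, outside %s\n' \
            "$name" "$path" "$TRUSTED_DIRS"
        return 1
    fi
    writable=$(writable_dirs_before "$path")
    if [ -n "$writable" ]; then
        printf 'WARNING: %s is %s, but these PATH entries are searched first and are writable by you:\n%s\n' \
            "$name" "$path" "$writable"
        return 1
    fi
    printf 'ok: %s is %s\n' "$name" "$path"
    return 0
}

# Usage: run this file with sh. Also run "type sudo" and "alias" in the
# interactive shell you will type the password into, since a script cannot
# see that shell's aliases or functions.
for cmd in sudo su; do
    check_trusted_path "$cmd" || :
done
```

Two caveats a practitioner should keep in mind. First, this only covers the shell's PATH lookup; a trojan installed as an alias, a shell function, a modified ~/.bashrc or a replaced terminal emulator is exactly the "you can't be sure you are running sudo" case from the reply, and no check run from inside the compromised session can rule it out. Second, the per-terminal credential caching mentioned at the end of the message is sudo's `tty_tickets` behaviour; `sudo -l` on a given system shows which defaults are in effect rather than relying on what a distribution is believed to ship.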
