Re Kubuntu 64bit, several issues

Ewan Mac Mahon ewan at macmahon.me.uk
Sun Aug 14 16:39:48 CDT 2005


On Sun, Aug 14, 2005 at 08:54:52PM +0100, Tristan Wibberley wrote:
> Matt Zimmerman wrote:
> > On Sun, Aug 14, 2005 at 06:05:44PM +0100, Tristan Wibberley wrote:
> > 
> > No.  Consider that if your user account is compromised, you can't even be
> > sure that you are running su or sudo, and not a trojan.
> 
> That's what I was asking for in my original post, protection against
> that. The X server is started from a known place and I'd like to be able
> to force gnome-session or KDE from a known place, which will only start
> gnome-panel from a known place, which will only start gksu from a known
> place. And similarly for login starting bash and bash starting sudo. If
> that path can be secured, then the whole path to escalation of
> privileges for administrative tasks can be secured (or at least a
> couple of secure routes provided). At the moment there is no way to do
> that (eg, PATH can be altered by the user, aliases can be set). But if
> the system bash (and other routes to running sudo) can be assured -
> which I think they can - then sudo becomes safe even in the face of a
> user account compromise.
> 
Well, you sort-of could; but only by locking down the entire system. You
might manage something like this with SELinux, and there is (or possibly
was - I'm not sure if it's been kept current) the DigSig[1] kernel patch
that will only run signed binaries, so you know you're running an
approved copy of sudo and not an imposter.

Use of either approach only works by locking out everything and then
making exceptions for 'good' things; there's no way to allow the user
much flexibility and only block 'bad' things.

> What would be nicer still is if terminal emulators and the X server
> could provide a different display when a known binary is asking for
> privileged information in a secure manner (a display that they cannot
> be asked to produce in any other way). So you can see at a glance if
> you are in a secure environment when you're prompted for your
> password.
That would indeed be nicer, but it just can't be done without banning
all unauthorised programs, including shell scripts. If there's any way
for one program running as you to produce that display then another
program running as you can just do the same.

> >>Otherwise there is little point to requiring proof that a user
> >>running sudo synaptic is the real user. 
If you're going to be like that there's no point in any of this; someone
can just walk up to your PC and boot it with a LiveCD or steal the hard
disk. Security isn't about making attacks impossible, because you can't,
it's about making it more bother than it's worth.

Ewan

[1] <http://disec.sourceforge.net/>
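The "PATH can be altered by the user, aliases can be set" point above, as a small check added here (not code from this thread): given a PATH value it reports which sudo that search order would actually run and whether it lives in a trusted system directory, and separately whether the name is aliased in the current shell. TRUSTED_DIRS, the function names and the Debian-style directory list are assumptions.

```shell
#!/bin/sh
# Added example: detect a shadowed sudo, i.e. one resolved from a
# user-writable directory that precedes the system directories in PATH,
# or a shell alias that intercepts the name.

# Directories whose sudo we treat as trusted (assumed Debian/Ubuntu layout;
# a caller may override this list before calling sudo_resolution).
: "${TRUSTED_DIRS:=/usr/bin /bin}"

# first_in_path NAME PATHVALUE
# Print the first executable NAME found in PATHVALUE, exactly as the shell's
# own lookup would. An empty PATH element means the current directory.
first_in_path() {
    name=$1; pathvalue=$2
    old_ifs=$IFS; IFS=:
    for dir in $pathvalue; do
        [ -z "$dir" ] && dir=.
        if [ -x "$dir/$name" ] && [ ! -d "$dir/$name" ]; then
            IFS=$old_ifs
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# sudo_resolution PATHVALUE
# Print one of: "trusted:<path>", "shadowed:<path>", "missing".
sudo_resolution() {
    found=$(first_in_path sudo "$1") || { echo missing; return 0; }
    dir=${found%/sudo}
    for t in $TRUSTED_DIRS; do
        [ "$dir" = "$t" ] && { echo "trusted:$found"; return 0; }
    done
    echo "shadowed:$found"
}

# sudo_is_aliased
# Succeed if the current shell has an alias named sudo (an alias wins over
# PATH lookup in an interactive shell, so it can redirect the command).
sudo_is_aliased() {
    alias sudo >/dev/null 2>&1
}
```

Run `sudo_resolution "$PATH"` in a login shell to see what that shell would execute; anything but `trusted:` deserves a look.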