Re Kubuntu 64bit, several issues

Tristan Wibberley maihem at maihem.org
Sun Aug 14 17:55:49 CDT 2005


Ewan Mac Mahon wrote:
> On Sun, Aug 14, 2005 at 08:54:52PM +0100, Tristan Wibberley wrote:

>>What would be nicer still is if terminal emulators and the X server
>>could provide a different display when a known binary is asking for
>>privileged information in a secure manner (a display that they cannot
>>be asked to produce in any other way). So you can see at a glance if
>>you are in a secure environment when you're prompted for your
>>password.
> 
> That would indeed be nicer, but it just can't be done without banning
> all unauthorised programs, including shell scripts. If there's any way
> for one program running as you to produce that display then another
> program running as you can just do the same.

I would expect that anything I should be giving a password to that
escalates my privileges would be setuid, thus itself privileged and able
to do something that an attacker cannot do whilst also snooping for my
password.

> 
>>>>Otherwise there is little point to requiring proof that a user
>>>>running sudo synaptic is the real user. 
> 
> If you're going to be like that there's no point in any of this

Be like what? Here's the context:

Me:
>>>>>>Something I'm concerned about sudo, and this is relevant for su
>>>>>>also. If my user account is compromised, an attacker that gets to
>>>>>>run a program locally through, say, a zlib bug, could alias sudo
>>>>>>to grab my password, unalias sudo, then fail. [...]

Daniel Stone:
>>>>>If someone has access to your account, then you've already lost.
>>>>>They can keylog everything.

Me:
>>>>Surely when running su and sudo, the console input is protected from
>>>>keylogging? Otherwise there is little point to requiring proof that
>>>>a user running sudo synaptic is the real user.

And that, I believe, is true. If, when running sudo (a setuid binary)
your password can be snooped, an attacker only needs to run a program on
your computer as you type and they can install and run any arbitrary
software as root (if you can run sudo synaptic). That is not very
difficult (especially for other users with accounts - which is where the
hindrance that sudo provides has its strongest effect as they will find
it easiest to be in a position to do that). So if you *could* snoop
sudo, there would indeed be little point to requiring proof of identity
(via the snoopable password). However, my fear in that respect has been
shown to be unfounded since, once you have run a real system sudo
binary, the password cannot be snooped.

That narrows my concerns to being able to know that my password is going
only through known system binaries which, as has been demonstrated to me
in another post, must not be running as my user (else they can be
altered/snooped). That restriction on which uid they are running as is
reasonable since they are providing controlled privilege escalation
services and have to be privileged themselves.

Then I think you would need only the terminal emulators (or relevant
parts thereof) and the X server to be privileged, running as a different
user, or otherwise unsnoopable. In the first two cases, the binaries are
known to be system binaries (else they couldn't be privileged or running
as a different user), in the last case one would need a mechanism to be
sure they are part of the installed distro.

-- 
Tristan Wibberley

Opinions expressed are my own and do not necessarily coincide with those
of my employer, etc.
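A check in the spirit of the aliasing concern discussed above, added here as an example and not part of the original thread: before typing a password into `sudo`, confirm that the name resolves to a root-owned setuid file on PATH rather than to a shell alias, function or builtin. The function name `check_privileged_command` and its output labels are my own, not those of any system tool.

```shell
#!/bin/sh
# Added example, not from the original thread: report how a command name
# (default: sudo) resolves in the current shell, so that an alias or
# function shadowing the real setuid binary is noticed before a password
# is typed into it. Function name and labels are assumptions of this example.

# Prints one of:
#   shadowed  - an alias, function or builtin takes precedence over the file
#   trusted   - resolves to a file owned by root with the setuid bit set
#   untrusted - resolves to a file that is not root-owned or not setuid
#   missing   - nothing on PATH by that name
# Returns 0 only for "trusted".
check_privileged_command() {
    name=$1
    # command -v prints a path for a file, but the alias text or the bare
    # name for an alias, function or builtin (POSIX behaviour).
    resolved=$(command -v "$name" 2>/dev/null) || resolved=""
    case "$resolved" in
        "")  echo missing;  return 1 ;;
        /*)  ;;
        *)   echo shadowed; return 1 ;;
    esac
    # -u tests the setuid bit; find -user root tests ownership portably
    # (stat option syntax differs between GNU and BSD).
    if [ -u "$resolved" ] && [ -n "$(find "$resolved" -prune -user root 2>/dev/null)" ]; then
        echo trusted
        return 0
    fi
    echo untrusted
    return 1
}

# Usage: sh audit_sudo.sh [command-name]
check_privileged_command "${1:-sudo}"
```

This only catches shadowing in the shell it runs from and a non-setuid or non-root file on PATH; it cannot tell whether a root-owned setuid binary is the distribution's own, which is the remaining point made above.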
