Re Kubuntu 64bit, several issues

Daniel Stone daniel at fooishbar.org
Sun Aug 14 21:48:09 CDT 2005


On Sun, Aug 14, 2005 at 08:54:52PM +0100, Tristan Wibberley wrote:
> That's what I was asking for in my original post, protection against
> that. The X server is started from a known place and I'd like to be able
> to force gnome-session or KDE from a known place, which will only start
> gnome-panel from a known place, which will only start gksu from a known
> place.

So, if I was a Trojan, I'd still steal all your keystrokes from the X
session, then, once I had your root password (fairly trivial to work out
which keystrokes came from which window, so I could certainly piece
together your password for sudo from the long steady stream of typing),
I could just do this:
	* run a program which displayed over the screen, an image of the
	  windows I wanted you to see, and passed through your keystrokes
	  and clicks.
	* in the background, in a hidden window, click through to start
	  gksudo, in a hidden window, and fake the keystrokes to your
	  passphrase, at which point I now have root.
	* obtain a backchannel to my root shell, close down the nice
	  little façade, and hope you didn't notice.

> And similarly for login starting bash and bash starting sudo. If
> that path can be secured, then the whole path to escalation of
> privileges for administrative tasks can be secured (or at least a
> couple of secure routes provided).

Actually, it can't.  If someone has access to your account, then they
can just do something hilarious like wrap ls through LD_PRELOAD or
something, and invoke a separate shell which does some very, very nasty
things.

> At the moment there is no way to do
> that (eg, PATH can be altered by the user, aliases can be set). But if
> the system bash (and other routes to running sudo) can be assured -
> which I think they can - then sudo becomes safe even in the face of a
> user account compromise.

So you're suggesting that alias and PATH support be disabled?

> What would be nicer still is if terminal emulators and the X server
> could provide a different display when a known binary is asking for
> privileged information in a secure manner (a display that they cannot be
> asked to produce in any other way). So you can see at a glance if you
> are in a secure environment when you're prompted for your password.

So gnome-terminal and the X server[0] suddenly gain knowledge of all the
applications that are in this web of trust, and find some way to
authenticate them?

> > It is a tradeoff; if you prefer to administer your system this way, simply
> > set a root password and remove yourself from the admins group.
> 
> I'd prefer to do it with sudo, but it currently isn't safe to browse the
> internet from the same user account since there is no way to know that
> you are giving your password to sudo or an attacker. I was posting to
> see if there is a way to secure it (which I think there is - that is to
> provide a way to know that you are not running a trojan).

Similarly, there is no way to know that 'su' is not trojaned.  There is
no way to know that there's not a hardware keylogger embedded in your
keyboard, because I assume that you have not considered physical
security.

Put it this way: if you were running a business, and I wanted all the
lowdown on you because I was an unethical competitor, it would be much
easier to break into your house and either steal your computer (if I was
overt), or do something like embed a hardware keylogger in your keyboard
(if I was sneaky), than to somehow compromise your machine over the
network, and then write something that stole your X display and logged
the keys there.

Oh, yeah, and did I mention that you could wrap your gnome-terminal in
a fake libX11, libgtk, whatever, which intercepted all events before
it sent them over the wire fairly trivially?

While I understand your concerns, I'd like to reiterate the point I've
made earlier -- if they have access to your account, you've already
lost.  You're running a fake Firefox, which reports back all information
entered into forms at https://olb.westpac.com.au or whatever, you're
running a gnome-terminal that sends me back all the keystrokes after
you've typed in 'sudo', you're running a gksudo that ... hey, wait, that
isn't quite gksudo -- you get the idea.

Cheers,
Daniel

[0]: Actually, this would almost certainly have to be in the realm of the
     window manager or compositing manager, in which case you have to
     bring them into this amazingly complex chain of trust ...
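The two shadowing routes the thread names, a user-writable directory ahead of the system one in PATH and an LD_PRELOAD library wrapping the real binary, can at least be checked for before a password is typed. The POSIX shell script below is an added example written for this page, not code from the post or from Ubuntu; it resolves a command name the way the shell does, compares the result with an expected system path, and refuses if LD_PRELOAD or /etc/ld.so.preload is non-empty. The temporary directories, the no-op `sudo` files in them, and the expected path `/usr/bin/sudo` in the demo are constructed for illustration. As the thread points out, this only detects the cheap tricks; a replaced libc, libX11 or terminal emulator in a compromised account is invisible to it.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): pre-sudo sanity checks for
# the PATH and LD_PRELOAD shadowing routes discussed in the thread.

# Walk PATHLIST (colon separated) the way the shell does and print the first
# regular executable file called NAME. Returns 1 if nothing matches.
resolve_in_path() {
    name=$1
    pathlist=$2
    old_ifs=$IFS
    IFS=:
    for dir in $pathlist; do
        [ -n "$dir" ] || continue          # ignore empty entries ("::")
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            IFS=$old_ifs
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# Return 0 only if NAME resolves, via PATHLIST, to exactly EXPECTED.
# Anything else (not found, or found earlier in a user-writable directory)
# is treated as a shadowed binary.
check_binary_path() {
    name=$1
    pathlist=$2
    expected=$3
    found=$(resolve_in_path "$name" "$pathlist") || return 1
    [ "$found" = "$expected" ]
}

# Return 0 only if no preload library is configured: PRELOAD_ENV (the value
# of LD_PRELOAD) is empty and PRELOAD_FILE (normally /etc/ld.so.preload) is
# absent or empty.
check_no_preload() {
    preload_env=$1
    preload_file=$2
    [ -z "$preload_env" ] || return 1
    [ ! -s "$preload_file" ]
}

# Demonstration on constructed directories: a system dir holding a no-op
# "sudo", then a user-writable dir placed ahead of it in PATH.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/sys" "$tmp/userbin"
    printf '#!/bin/sh\n' > "$tmp/sys/sudo"
    chmod +x "$tmp/sys/sudo"

    if check_binary_path sudo "$tmp/sys" "$tmp/sys/sudo"; then
        echo "clean PATH: sudo resolves to the expected binary"
    fi

    printf '#!/bin/sh\n' > "$tmp/userbin/sudo"   # constructed shadow copy
    chmod +x "$tmp/userbin/sudo"
    if ! check_binary_path sudo "$tmp/userbin:$tmp/sys" "$tmp/sys/sudo"; then
        echo "shadowed PATH: sudo resolves to $(resolve_in_path sudo "$tmp/userbin:$tmp/sys")"
    fi

    if ! check_no_preload "/tmp/libwrap.so" "/nonexistent/ld.so.preload"; then
        echo "LD_PRELOAD is set: refuse to type a password here"
    fi

    # On a real system you would call the checks with live values, e.g.:
    #   check_binary_path sudo "$PATH" /usr/bin/sudo
    #   check_no_preload "${LD_PRELOAD:-}" /etc/ld.so.preload
    rm -rf "$tmp"
}

demo
```

Aliases are the one route these functions cannot see, because they live in the interactive shell rather than on disk; `command -V sudo` in the shell you are about to type into reports whether the word is an alias, a function or a file, and is worth running alongside the script.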



More information about the ubuntu-devel mailing list