sudo without password

Florian Diesch diesch at spamfence.net
Thu Jun 15 01:17:35 UTC 2006


Alan McKinnon <alan at linuxholdings.co.za> wrote:

> On Tuesday 13 June 2006 02:09, Florian Diesch wrote:
>> Alan McKinnon <alan at linuxholdings.co.za> wrote:
>
>> > Which raises the question: what _will_ work? I believe this
>> > question needs some attention and a solution now, before the
>> > malware problem hits Linux in a big way (which it surely will).
>>
>> As long as Windows is such an easy target I don't think this will
>> happen.
>>
>> And malware needs critical bugs that aren't fixed for some time or
>> a bad user interface design that makes it easy to fool the user
>> about what's happening or make him ignore warnings. In both cases
>> Ubuntu is much better than Windows.
>
> Agreed, but Ubuntu is also not immune to this either. What started 
> this off was a question about could a trojan watch for the user 
> running sudo, then piggy back it while the ticket was still valid. 

This is quite easy, just add 
 while echo|sudo -S something_evil; do sleep 5; done
somewhere so it's executed by the window manager


> Now, I'm all for strong walls, but I'd like additional defenses if a 
> trojan does get through.

<nitpick>
The trojans are the good ones, the bad ones are the Greeks inside the
trojan horse.
</nitpick>

> Or put another way, the magic dwarf doors keep the 800 pound cave 
> troll out of Moria, but IF it does get through the door via the air 
> shaft I'd like a bit more firepower to hand than just Aragorn's sword

But do you really feel better if you have a magic ring that glows when a
troll grunts and offers you to stop the troll grunting?


>> > We know that popup dialogs ala ZoneAlarm are better than nothing,
>> > but
>>
>> IMHO they are much worse than nothing as they interrupt people's
>> work and teach them to click on everything that's not fast enough
>> to go away.
>>
>> Most normal users just don't have the knowledge to decide whether a
>> program should be allowed to open a network connection or listen to
>> incoming connections so they just say "Yes".
>>
>> If your system is infected by malware it's too late. The way to go
>> is to prevent the infection.
>
> I hear your logic but I think it's faulty. No defense is impenetrable, 
> and if it is penetrated, many users won't know about it. Additional 
> effort expended to contain possible damage once the defenses are 
> breached is a good thing imho.

Yes. But popping up some dialogs doesn't help much I think. But it
annoys the user and makes him click on popups without reading or it
gives him the wrong impression that he has stopped the malware by
clicking on the "No"-Button.  

This is not a second line of defense, it's just some kind of intrusion
detection. The problem with every kind of IDS is that it requires the
user to know what's normal and what may indicate an intruder. An IDS is
a very useful tool for an advanced user but pretty useless for Joe
Normaluser.

A better second line of defense may be using some kind of jails for
programs like web browsers or to give them very restricted privileges so
they can't access anything they don't need for doing their work.


>> > are easy to ignore. We know that Ubuntu can easily install a
>> > well-configured system suitable for a desktop, but the Achilles
>> > heel is stuff installed afterwards.
>>
>> People should know that it may be dangerous to install stuff from
>> obscure sources. They should know that most of the software they
>> want is available from their distribution.
>
> Requiring that is like asking them to take ZoneAlarm seriously and 
> read all the dialogs for ever more. You can't have it both ways, if 
> they ignore the firewall they will ignore your warnings about not 
> installing trusted programs. If their friend Joe sends them a trojan 
> in an email, they will install it. Why because? Because Joe is 
> *trusted* therefore the software he sent must be trusted, right?

So if the user is the weak link your security model should not depend on
asking the user questions. If you don't want to allow every program to
open network connections use SEL or similar that allows you to control
this. 

Of course this can't prevent a program from *sending* information as for
this it can just use a program the user works with, maybe by installing
a malicious Firefox extension.


> Us geeks find this hard to grok, as the user makes assumptions that we 
> think are idiotic. I talked to a bunch of users once about this and 
> realized that very few of them had ever considered that the computer 
> could be running trojan code in the background. Their viewpoint: "How 
> can the computer possibly be sending out 10,000 spam emails a day? I 
> didn't click on anything that sends mail!"

I do know enough "just office and internet" users to know that security
has to work without asking them questions they don't understand. 

My mother is pretty good at using email and Word (when she started to
use a computer a few years ago Linux just wasn't ready for her) but
every time something unexpected happens my phone rings.



IMHO good usability means not to ask questions unless it's really
necessary (or the user wants to be asked).


   Florian
-- 
<http://www.florian-diesch.de/>
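
Added example, not part of the original message: a small log check for the ticket piggybacking discussed above. A process started by the window manager has no terminal, so its sudo calls are logged with TTY=unknown. The log lines, host name, command path and thresholds below are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in sudo's syslog format (not taken from the thread).
SAMPLE_LOG = """\
Jun 15 01:10:02 desk sudo:     alan : TTY=pts/0 ; PWD=/home/alan ; USER=root ; COMMAND=/usr/bin/apt-get update
Jun 15 01:10:05 desk sudo:     alan : TTY=unknown ; PWD=/home/alan ; USER=root ; COMMAND=/tmp/placeholder
Jun 15 01:10:10 desk sudo:     alan : TTY=unknown ; PWD=/home/alan ; USER=root ; COMMAND=/tmp/placeholder
Jun 15 01:10:15 desk sudo:     alan : TTY=unknown ; PWD=/home/alan ; USER=root ; COMMAND=/tmp/placeholder
Jun 15 01:12:40 desk sudo:     bob : TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/ls /root
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sudo:\s+(?P<user>\S+) : "
    r"(?:(?P<fail>\d+) incorrect password attempts? ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>.*?) ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)

def parse(log_text, year=2006):
    """Yield one dict per sudo log line; the year is assumed (syslog omits it)."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["time"] = datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S")
            yield ev

def find_background_sudo(log_text, min_events=3, max_gap=30):
    """Return {(user, command): count} for repeated sudo runs with no terminal."""
    runs = defaultdict(list)
    for ev in parse(log_text):
        if ev["tty"] == "unknown":          # no controlling terminal
            runs[(ev["user"], ev["cmd"])].append(ev["time"])
    flagged = {}
    for key, times in runs.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Heuristic: several terminal-less runs in quick succession
        if len(times) >= min_events and all(g <= max_gap for g in gaps):
            flagged[key] = len(times)
    return flagged

if __name__ == "__main__":
    for (user, cmd), n in find_background_sudo(SAMPLE_LOG).items():
        print(f"{user}: {n} sudo runs without a TTY: {cmd}")
```

On the prevention side, setting `Defaults timestamp_timeout=0` in sudoers makes sudo ask for the password every time, so there is no ticket to reuse.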



