
Re: security policy / root passwords



On 10/06/13 10:21, Alexey Serikov wrote:
> A few points:
>
> 1) if your user is part of sudo group, most of the time gnome will ask
> for your user's password instead of root's.
> 2) Debian is a finite set of software. It provides packages (literally
> thousands of them) that are stable, safe and malicious pop-ups free.
> It also provides packages enabling user to run software that cannot be
> found in Debian's pool (and is potentially unsafe) in a safe,
> virtualized environment (qemu and stuff).

The potential phishing attack would be likely to take one of two forms:

a) a web site displaying a "PolicyKit" popup that resembles the wording
of the Debian popup

b) an X window compromise that allows an attacker to display a popup
(although such compromises often give the attacker the ability to
monitor keystrokes and obtain passwords in other ways)

There is no suggestion that any existing package contains a malicious popup.

> 3) xfce needs less root
> 4) asking a user to open up a console and type their root's password
> there will add unnecessary complexity while enforcing a security
> mechanism like selinux will be a pain. Please leave it be.
>

Pain means the user thinks about what they are doing and follows a
pre-defined procedure that is known to be relatively secure.

The real issue here is not about the technical quality of the popup or
whether the package "works" or not, it is about the potential for this
type of workflow to condition users into a mindset of trusting popups
that makes a percentage of users more likely to be caught by a phishing
attack.


