Re: security policy / root passwords
On 10/06/13 12:34, Daniel Pocock wrote:

> a) a web site displaying a "PolicyKit" popup that resembles the wording
> of the Debian popup

GNOME Shell does mitigate this by using a distinctive UI for
"system-modal dialogs", which makes use of the fact that the Shell is
the window compositor in order to dim the rest of the screen:

<http://people.gnome.org/~halfline/power-off-dialog.png>

That's the "power off" dialog, but PolicyKit prompts are similar. Notice
that everything outside the dialog is desaturated and darker than usual.
I would hope that web browsers don't have that level of control over the
system's appearance (going to full-screen is the closest they could get,
and they'd still have to reproduce a darkened form of the entire screen
contents somehow).

> b) an X window compromise that allows an attacker to display a popup
> (although such compromises often give the attacker the ability to
> monitor keystrokes and obtain passwords in other ways)

I don't know whether a client with X access would be able to emulate a
system-modal dialog more closely; it might be able to do tricks with
screenshots? As you say, input logging is probably more of a concern here.

S