
Re: security policy / root passwords



On Sun, Jun 09, 2013 at 07:41:34PM +0200, Daniel Pocock wrote:
> My feeling is that the user should be told "go and run sudo or su in a
> terminal window you opened manually"
> 
> Otherwise, they can't be sure they are putting their password in a
> genuine Debian popup.

Please explain your threat model. From the discussion I am assuming that
it looks somewhat like this:

The attacker already has the privilege to execute arbitrary code as the
user account and wants to elevate that to root now.

How is su or sudo going to help here? Writing a key logging wrapper in
expect is a matter of 10 lines. The reason that popups are used for
tricking users into revealing their password is that there are so many
uses of these popups. Had everyone been using the terminal approach, the
story would have been the other way round.

If your account is compromised and you regularly use it to switch to
root (no matter how), then the best guess is that your system is
compromised as well.

In order to really escape from this issue, you need something
unforgeable. A certain OS from Redmond actually shows how this can be
done. In some versions it would require the user to press
Ctrl-Alt-Delete before logging in, so forging the login screen was next
to impossible. So to really separate the user from the administrator,
administrative actions would need to be queued somewhere, then the user
needs to switch to an administrative account (doing something like the
key combo dance) and then process pending actions from that account.

Now, is this really worth it?

Helmut

