Re: More desktop security thoughts (was Re: GNOME privilege library)

From: Havoc Pennington <hp redhat com>
To: Mike Hearn <mike navi cx>
Cc: desktop-devel-list gnome org
Subject: Re: More desktop security thoughts (was Re: GNOME privilege library)
Date: Fri, 14 Jan 2005 16:10:28 -0500

On Fri, 2005-01-14 at 14:38 +0000, Mike Hearn wrote:
> > So anytime you have to auth as root it's pretty much a bug as far as I'm
> > concerned. But just setting all uids to 0 is equally dumb because it
> > gives you a lot of capabilities you don't need which leads to broken
> > systems and malware.
> 
> Are you sure they're not needed? Eg being able to install software
> basically implies being able to arbitrarily modify nearly any system
> setting. Oh sure you can say "only RPM can install software", but 3rd
> party ISVs like game developers will still produce Loki Setups and the
> like so you'll end up with software dumped in $HOME.

If you presuppose that we can't modify the OS or any apps, then no you
can't get this right (and we can debate which wrong answer is least
bad).

But I don't think FC3 has *that* much work remaining to have it right,
with the new NetworkManager/printing/HAL approach of no-root-by-default,
and SELinux available to fine-tune access, among other things. D-BUS
helps a lot too because you can create a program that is partially
system daemon and partially user app.

>  And it's not any more
> secure against malware because it's trivial to synthesise RPMs at runtime
> then "install" them to get any effect you like. In other words, you might
> as well just let any user scribble over /usr at will.

Enforcing signatures (or at least making it really annoying and hard to
bypass them as Windows does) is the only way to be secure with software
installation that I know of...

> Here's another example: Linux only lets root processes raise their thread
> priorities. That makes sense on a server but it's an appcompat problem on
> the desktop because Win32 apps sometimes assume they can do this and break
> in subtle ways if they can't. So now Lucy has to run Dungeon Siege via
> sudo or whatever.
> How many other examples are there of random stuff like beeping the
> speaker which need root today? I don't know. But probably lots.

We have to fix the bugs correctly in my opinion. It's easier today than
it will be in two years. Windows XP SP2 was *not* easy for them to do.

Havoc

Follow-Ups:
- Re: More desktop security thoughts (was Re: GNOME privilege library)
  - From: Mike Hearn

References:
- GNOME privilege library
  - From: Sean Middleditch
- More desktop security thoughts (was Re: GNOME privilege library)
  - From: Mike Hearn
- Re: More desktop security thoughts (was Re: GNOME privilege library)
  - From: Havoc Pennington
- Re: More desktop security thoughts (was Re: GNOME privilege library)
  - From: Mike Hearn

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]