Re: More desktop security thoughts (was Re: GNOME privilege library)



On Fri, 14 Jan 2005 16:10:28 -0500, Havoc Pennington wrote:
> If you presuppose that we can't modify the OS or any apps, then no you
> can't get this right (and we can debate which wrong answer is least
> bad).

It's not so much stuff that's already written, it's stuff that will be
written in the future as well. I don't think a solution based on only
allowing RPM to install software will work (on the grounds that people who
don't ship RPMs today have very valid reasons for doing that).
 
> But I don't think FC3 has *that* much work remaining to have it right,
> with the new NetworkManager/printing/HAL approach of no-root-by-default,
> and SELinux available to fine-tune access, among other things. D-BUS
> helps a lot too because you can create a program that is partially
> system daemon and partially user app.

Yes, you can continue splitting the code that really does need root out
into separate processes mediated by DBUS. 

Some apps can't be split (like the Dungeon Siege example): in that case I
think the architecture you want is to have those programs suid root +
SELinux restrictions to sandbox them back down to the level they need.

I guess what I've been arguing is simply that when it works a fully MAC
based security system has higher usability (in a home environment),
because it's fully automatic and doesn't overload the concept of user
identities. So if that's the direction we're heading in then GNOME
shouldn't need to care about authentication at all, because in a MAC based
distribution procman will have the right level of privs to kill or renice
any process anyway (but not to write files anywhere).

>>  And it's not any more
>> secure against malware because it's trivial to synthesise RPMs at
>> runtime then "install" them to get any effect you like. In other words,
>> you might as well just let any user scribble over /usr at will.
> 
> Enforcing signatures (or at least making it really annoying and hard to
> bypass them as Windows does) is the only way to be secure with software
> installation that I know of...

Right now we don't have anywhere near the level of infrastructure needed
to do such a thing, it'd need at least a new CA tree and you'd have to
figure out what to do about 3rd party installers ... long term yeah this
does seem to be the way forward though I think security-by-annoyance is
fundamentally broken. It'd have to be at most an advisory.

It's also really easy to screw up. My MP3 player tells you to ignore the
driver signature warnings because the manufacturers didn't want to wait
for WHQL to certify their drivers (because it takes months etc). 

thanks -mike
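The split Mike and Havoc are discussing (the code that really needs root living in its own process, reached over IPC, with procman-style kill/renice requests mediated there rather than by a user-identity switch) as an added example that is not part of this thread and is not GNOME or D-BUS code. It uses a Unix socket pair and SO_PEERCRED in place of a bus connection so it runs without a bus daemon, and the policy it enforces (the two operations, ownership check, signal allowlist, nice-value bounds), the JSON request shape and the function names check_request, serve_one, request and roundtrip are all this example's own assumptions:

```python
import json
import os
import signal
import socket
import struct
import threading

# Signals the helper will deliver on a caller's behalf (an allowlist assumed for this example).
ALLOWED_SIGNALS = {int(s) for s in (signal.SIGHUP, signal.SIGINT, signal.SIGTERM,
                                    signal.SIGKILL, signal.SIGSTOP, signal.SIGCONT)}

def _plain_int(v):
    return isinstance(v, int) and not isinstance(v, bool)   # JSON true/false are not numbers here

def proc_owner(pid):
    """Uid owning `pid`, read from /proc (Linux); None if there is no such process."""
    try:
        return os.stat("/proc/%d" % pid).st_uid
    except OSError:
        return None

def check_request(req, caller_uid, owner_lookup=proc_owner):
    """Policy applied on the privileged side before anything is done; returns (allowed, reason).

    req is {"op": "kill", "pid": N, "signal": S} or {"op": "renice", "pid": N, "nice": V}.
    Rules (this example's assumptions, not GNOME's or an SELinux policy): only these two
    operations; pid > 1 and alive; uid 0 may target any process, others only their own;
    signal in ALLOWED_SIGNALS; nice in -20..19, and only root may ask for a value below 0.
    """
    if not isinstance(req, dict):
        return False, "malformed request"
    op, pid = req.get("op"), req.get("pid")
    if op not in ("kill", "renice"):
        return False, "unknown op"
    if not _plain_int(pid) or pid <= 1:
        return False, "bad pid"
    owner = owner_lookup(pid)
    if owner is None:
        return False, "no such process"
    if caller_uid != 0 and owner != caller_uid:
        return False, "caller does not own pid %d" % pid
    if op == "kill":
        sig = req.get("signal")
        if not _plain_int(sig) or sig not in ALLOWED_SIGNALS:
            return False, "signal not permitted"
    else:
        nice = req.get("nice")
        if not _plain_int(nice) or not -20 <= nice <= 19:
            return False, "bad nice value"
        if caller_uid != 0 and nice < 0:
            return False, "only root may raise priority"
    return True, "ok"

def perform(req):
    """The only code that needs privilege: carry out an already authorised request."""
    if req["op"] == "kill":
        os.kill(req["pid"], req["signal"])
    else:
        os.setpriority(os.PRIO_PROCESS, req["pid"], req["nice"])

def peer_uid(conn):
    """Uid of the process at the far end of a Unix socket, via SO_PEERCRED (Linux only);
    on the D-BUS system bus the bus daemon supplies the same fact for each connection."""
    creds = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", creds)
    return uid

def serve_one(conn, owner_lookup=proc_owner, do=perform, uid_of=peer_uid):
    """Privileged side: read one JSON request line, check it, act, answer with JSON."""
    try:
        req = json.loads(conn.makefile("rb").readline())
    except ValueError:
        req = None
    allowed, reason = check_request(req, uid_of(conn), owner_lookup)
    if allowed:
        try:
            do(req)
        except OSError as e:
            allowed, reason = False, str(e)
    conn.sendall(json.dumps({"ok": allowed, "reason": reason}).encode() + b"\n")
    return allowed, reason

def request(conn, req):
    """Unprivileged side: send one request and return the helper's reply as a dict."""
    conn.sendall(json.dumps(req).encode() + b"\n")
    return json.loads(conn.makefile("rb").readline())

def roundtrip(req, caller_uid=None, owner_lookup=proc_owner, do=perform):
    """Push one request through a socketpair with the helper in its own thread.
    caller_uid=None uses the real SO_PEERCRED uid; any other value is injected
    in its place so the policy can be exercised where SO_PEERCRED is unavailable."""
    uid_of = peer_uid if caller_uid is None else (lambda c: caller_uid)
    app_side, helper_side = socket.socketpair()
    helper = threading.Thread(target=serve_one, args=(helper_side, owner_lookup, do, uid_of))
    helper.start()
    try:
        return request(app_side, req)
    finally:
        helper.join()
        app_side.close()
        helper_side.close()

if __name__ == "__main__":
    # Demo: this process asks the helper to renice it to 5, authenticated by the real peer uid.
    print(roundtrip({"op": "renice", "pid": os.getpid(), "nice": 5}))
```

The point of the layout is that the unprivileged side never gains a capability; it only gets a yes or no from a process that knows who asked (here from the kernel via SO_PEERCRED, on the system bus from the bus daemon) and applies a fixed policy. In the MAC-based setup Mike describes, the helper itself would additionally be confined by SELinux so that even a bug in it could kill or renice but not write files.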



