[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Ayatana] [Fwd: Re: Update manager] - a secure way to ask for information

To: "Paulo J. S. Silva" <pjssilva@xxxxxxxxxx>
Subject: Re: [Ayatana] [Fwd: Re: Update manager] - a secure way to ask for information
From: Vincenzo Ciancia <ciancia@xxxxxxxxxxx>
Date: Tue, 16 Jun 2009 15:45:33 +0200
Cc: ayatana@xxxxxxxxxxxxxxxxxxx
In-reply-to: <1245158087.19300.11.camel@catirina>
List-archive: <http://lists.launchpad.net/ayatana>
List-help: <https://help.launchpad.net/ListHelp>
List-id: <ayatana.lists.launchpad.net>
List-owner: <https://launchpad.net/~ayatana>
List-post: <mailto:ayatana@lists.launchpad.net>
List-subscribe: <https://launchpad.net/~ayatana>
List-unsubscribe: <https://launchpad.net/~ayatana>
Organization: Dipartimento di Informatica
References: <1245111798.30211.23.camel@trinity> <4A373744.70805@yahoo.com> <4A376D38.2000402@di.unipi.it> <1245158087.19300.11.camel@catirina>
User-agent: Thunderbird 2.0.0.21 (X11/20090318)

On 16/06/2009 Paulo J. S. Silva wrote:

Thinking a little bit more about Vincenzo suggestion. It is not clearto

me how the application that is asking for root access can present some
information that is only readable by root. Anyhow, this is a security
problem and maybe we are getting off topic here.

Well, this is not meant to protect you from people in the same room, forthat there is your password. It's meant to protect you from worms. Thesudo program can become root to read such a file and present it. And nostandard executable can do that because you need the setuid bit. But I'dprefer somebody with experience in security talk about this.

It's not offtopic in my opinion as exactly this machinery could be usedin the infamous popup to address the concern of many, but can be movedelsewhere or dropped if it has obvious flaws that I don't see.


Vincenzo

Follow-Ups:
- Re: [Ayatana] [Fwd: Re: Update manager] - a secure way to ask for information
  - From: mac_v

References:
- [Ayatana] [Fwd: Re: Update manager]
  - From: Paulo J. S. Silva
- Re: [Ayatana] [Fwd: Re: Update manager]
  - From: mac_v
- Re: [Ayatana] [Fwd: Re: Update manager] - a secure way to ask for information
  - From: Vincenzo Ciancia
- Re: [Ayatana] [Fwd: Re: Update manager] - a secure way to ask for information
  - From: Paulo J. S. Silva

Prev by Date: Re: [Ayatana] Fwd: Getting users to care (was Re: [Fwd: Re: Update manager])
Next by Date: Re: [Ayatana] Fwd: Getting users to care (was Re: [Fwd: Re: Update manager])
Previous by thread: Re: [Ayatana] [Fwd: Re: Update manager] - a secure way to ask for information
Next by thread: Re: [Ayatana] [Fwd: Re: Update manager] - a secure way to ask for information
Index(es):
- Date
- Thread