
launchpad-dev team mailing list archive

Re: Quickly and Launchpad

 

On Wed, 07 Jul 2010 17:37:11 -0400, Leonard Richardson <leonard.richardson@xxxxxxxxxxxxx> wrote:
> A client like Quickly would need to ask for, and be granted,
> WRITE_SECURITY_SENSITIVE to function properly.

Well, it could request the extra permission as needed, with an
automatically expiring token, leaving it with just WRITE_PUBLIC
for the majority of the time. It still gets the extra permissions, but a
dangerous token isn't alive for too long.

I don't even have to get you to grant WRITE_SECURITY_SENSITIVE to my app
to exploit the new facilities, given the current way these things
are handled.

I can write some code that simply reads the token from
~/.launchpadlib/credentials/quickly and attempts to use it to add a new
GPG key if you are in ~ubuntu-core-dev, and so gets a secret key that
can sign packages that can end up on millions of machines. A very
targeted attack like that would be hard to prevent, because there is clearly a
lot of desire. However, as one of the people that could be exploited in
this manner I am wary of anything that makes it possible.

Thanks,

James


