launchpad-dev team mailing list archive
Message #04757
Re: Instead of authorizing individual applications against the Launchpad web service, let's authorize the Ubuntu desktop as a whole
On Fri, Sep 24, 2010 at 7:37 AM, Aaron Bentley <aaron@xxxxxxxxxxxxx> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 09/23/2010 03:27 PM, Robert Collins wrote:
>> My specific concerns here are:
>> - will launchpad be safe for our System administrators to use?
>> - will it be safe for our archive administrators to use?
>> - will it be safe for any privileged user to use?
>>
>> AFAICT the answer is no; with the intended design satisfied any rogue
>> script can drive a tractor across all of launchpad as that user, and
>> *that's* why I put the brakes on.
>
> But Leonard makes the case that with the current design, this is also
> true, so there is no loss of security. He also suggests that this is an
> inevitable consequence of Gnome's current design, and not something we
> can fix without significant changes to Gnome.
It's not true for the current design, so there is a loss of security. I
can, with the current design, have a highly privileged oauth token
that is never written to disk, or is encrypted and my app asks me to
decrypt it. Microsoft Windows suffered years of privilege escalation
and information disclosure attacks due to its one-security-context
model, and it would be a dire mistake to copy that approach.
We don't need to fix Gnome's design to avoid the issue with
Gnome-keyring: we can offer opt-in facilities for shared keys for
scenarios that make sense, and permit higher standards to be used
where desired and available.
That said, we should be working with Gnome on finding a good balance,
managing discretionary access, time limited keys, etc.
> Do you disagree with either of these?
>
> If these are true, then granting access to "Apport" is equivalent to
> granting access to "Ubuntu Desktop", but the latter makes the security
> implications clearer to users, and is therefore the most secure thing we
> can do without significant changes to Gnome.
Apport needs to be able to file a bug; it doesn't need to:
- read existing bugs
- read my ppa access keys
- read the mailing list archives for private lists
But, today, given that users see just an 'APPNAME needs access, choose
the level', it's hard for users to decide what level to give, or the
implications of doing that.
As Kees says, security isn't a binary situation - we may need to make
compromises to strike an effective usability vs security balance.
-Rob
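The difference Rob is arguing about (a per-application token that can only file a bug, versus one desktop-wide token that every script on the machine can use) comes down to the blast radius of a stolen token. The model below makes that concrete. It is an added example for this archive page, not Launchpad code and not something posted in the thread; the operation names, the Token structure, the one-hour TTL and the timestamp are all hypothetical, and the per-operation scopes stand in for whatever access levels the real service offers.

```python
"""Least-privilege token scoping, modelling the two designs in the thread.

Added illustration, not Launchpad or Apport code. Operation names, scope
names, TTL and the Token layout are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# Operations a web-service client might perform, named after Rob's examples.
FILE_BUG = "bugs.create"
READ_BUGS = "bugs.read"
READ_PPA_KEYS = "ppa.read_keys"
READ_PRIVATE_LISTS = "lists.read_private_archive"
ALL_OPERATIONS = frozenset({FILE_BUG, READ_BUGS, READ_PPA_KEYS, READ_PRIVATE_LISTS})


@dataclass(frozen=True)
class Token:
    holder: str                  # application (or "desktop") the token was issued to
    scopes: FrozenSet[str]       # operations the token is allowed to perform
    expires_at: Optional[int]    # unix time after which it is refused; None = never


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize(token: Token, operation: str, now: int) -> Decision:
    """Server-side check: is this token allowed to do this operation right now?"""
    if token.expires_at is not None and now >= token.expires_at:
        return Decision(False, f"token for {token.holder} expired")
    if operation not in token.scopes:
        return Decision(False, f"{operation} is outside the scope of {token.holder}'s token")
    return Decision(True, "ok")


def blast_radius(token: Token, now: int) -> FrozenSet[str]:
    """Everything a rogue script that obtains this token could do at time `now`."""
    return frozenset(op for op in ALL_OPERATIONS if authorize(token, op, now).allowed)


def desktop_wide_token() -> Token:
    """Design 1: authorize the desktop as a whole. One long-lived token,
    shared through the keyring by every application on the machine."""
    return Token("Ubuntu Desktop", ALL_OPERATIONS, expires_at=None)


def apport_token(issued_at: int, ttl: int = 3600) -> Token:
    """Design 2: per-application, least-privilege, time-limited token.
    Apport needs to file a bug and nothing else (hypothetical 1h TTL)."""
    return Token("Apport", frozenset({FILE_BUG}), expires_at=issued_at + ttl)


def rogue_script(token: Token, now: int) -> Dict[str, bool]:
    """Simulate the rogue script from the thread trying every sensitive operation."""
    return {op: authorize(token, op, now).allowed for op in sorted(ALL_OPERATIONS)}


if __name__ == "__main__":
    now = 1_285_300_000  # constructed timestamp, roughly the date of the thread
    for tok in (desktop_wide_token(), apport_token(now)):
        print(f"{tok.holder}: reachable = {sorted(blast_radius(tok, now))}")
    print("Apport token one hour later:", sorted(blast_radius(apport_token(now), now + 3600)))
```

Run as a script it prints the set of operations each token exposes: the desktop-wide token hands a rogue script every operation, the Apport token only `bugs.create`, and after the TTL nothing at all. The check itself is a few lines; the point is that the scope and expiry live in the token the service verifies, so a process that reads the token out of the keyring still cannot widen what it may do.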