
Re: [Ayatana] [Fwd: Re: Update manager] - a secure way to ask for information



On 16/06/2009 Paulo J. S. Silva wrote:
Thinking a little bit more about Vincenzo's suggestion. It is not clear to
me how the application that is asking for root access can present some
information that is only readable by root. Anyhow, this is a security
problem and maybe we are getting off topic here.



Well, this is not meant to protect you from people in the same room; for that there is your password. It's meant to protect you from worms. The sudo program can become root to read such a file and present it. And no standard executable can do that because you need the setuid bit. But I'd prefer somebody with experience in security talk about this.

It's not off-topic in my opinion, as exactly this machinery could be used in the infamous popup to address the concern of many, but it can be moved elsewhere or dropped if it has obvious flaws that I don't see.

Vincenzo