unity-design team mailing list archive

["Paulo J. S. Silva" <pjssilva@xxxxxxxxxx>]

mac_v,

You raised very interesting point that the possibility of applications
asking the user for root access without proving themselves as real
system applications is a security risk. However I do not think the orage
icon can solve this problem. It is true that a malicious application can
fake the update-manager window. But a malicious application can also
fake the orange icon or whatever notification approach we choose, as you
are assuming that the "virus" is already running application under user
privileges.

I believe that Vincenzo gave an interesting solution below. It is worth
some thought from the developers. But it is a different issue.

Paulo

Em Ter, 2009-06-16 às 12:00 +0200, Vincenzo Ciancia escreveu:
> On 16/06/2009 mac_v wrote:
> > In no way the system should decide what windows it can open...
> > If this is allowed it is only a matter of time before someone 
> > develops a
> > worm which uses this behavior and pops-up a window similar to the 
> > update
> > manager which also asks for the user password allowing the worm to 
> > take
> > control of the system using this password info.
> > *Is ubuntu only going to realize this security risk after someone*
> > *develops a proof of concept worm or a real virus* ?
> > If this is done linux will no longer be THE secure OS.
> > All windows in the window list should only be triggered by the user, 
> > all
> > other system process should only trigger a notification.
> 
> 
> Do you think it is easy to design a webpage that simulates such a 
> "password fraud"? I see a difficulty here due to having to dim the whole 
> screen to look like the standard password request, not that an user 
> would not enter it in any kind of pop-up.
> 
> On the other hand, I have an idea for a secure way to ask for user 
> input. In the installer, the user choses her own password, and the 
> "secret phrase" which will be written in a root-only accessible file. 
> This sentece will be shown to the user by the system when a password is 
> asked and will autenticate the system with the user. The user should 
> then be instructed not to enter his own password unless the right phrase 
> is seen. A random phrase may be suggested automatically from a huge list.
> 
> Vincenzo
> 
-- 
Paulo José da Silva e Silva 
Professor Associado, Dep. de Ciência da Computação
(Associate Professor, Computer Science Dept.)
Universidade de São Paulo - Brazil

e-mail: pjssilva@xxxxxxxxxx         Web: http://www.ime.usp.br/~pjssilva

Teoria é o que não entendemos o     (Theory is something we don't)
suficiente para chamar de prática.  (understand well enough to call
practice)