unity-design team mailing list archive

Thread
Date

Re: [Fwd: Re: Update manager] - a secure way to ask for information

To: "Paulo J. S. Silva" <pjssilva@xxxxxxxxxx>
From: Vincenzo Ciancia <ciancia@xxxxxxxxxxx>
Date: Tue, 16 Jun 2009 15:45:33 +0200
Cc: ayatana@xxxxxxxxxxxxxxxxxxx
In-reply-to: <1245158087.19300.11.camel@catirina>
Organization: Dipartimento di Informatica
User-agent: Thunderbird 2.0.0.21 (X11/20090318)

On 16/06/2009 Paulo J. S. Silva wrote:

Thinking a little bit more about Vincenzo suggestion. It is not clearto

me how the application that is asking for root access can present some
information that is only readable by root. Anyhow, this is a security
problem and maybe we are getting off topic here.

Well, this is not meant to protect you from people in the same room, forthat there is your password. It's meant to protect you from worms. Thesudo program can become root to read such a file and present it. And nostandard executable can do that because you need the setuid bit. But I'dprefer somebody with experience in security talk about this.

It's not offtopic in my opinion as exactly this machinery could be usedin the infamous popup to address the concern of many, but can be movedelsewhere or dropped if it has obvious flaws that I don't see.


Vincenzo

Follow ups

Re: [Fwd: Re: Update manager] - a secure way to ask for information
From: mac_v, 2009-06-16

References

[Fwd: Re: Update manager]
From: Paulo J. S. Silva, 2009-06-16
Re: [Fwd: Re: Update manager]
From: mac_v, 2009-06-16
Re: [Fwd: Re: Update manager] - a secure way to ask for information
From: Vincenzo Ciancia, 2009-06-16
Re: [Fwd: Re: Update manager] - a secure way to ask for information
From: Paulo J. S. Silva, 2009-06-16