On Tue, 2009-11-24 at 14:22 -0500, Peter Jones wrote:
> On 11/23/2009 07:01 PM, Gregory Maxwell wrote:
> > On Mon, Nov 23, 2009 at 6:43 PM, Jesse Keating <jkeating@xxxxxxxxxxxxxxx> wrote:
> >> This is precisely the dialog that has been removed from F12 and is not
> >> planned to be returned.
> >
> > My understanding was that this was removed because collecting the root password
> > during a user session is insecure because there could be a sniffer or the dialog
> > could be faked.
>
> That reason isn't /quite/ right. One big problem is that if you train a
> user to input the root password over and over, what he learns is to type
> the root password into a dialog box. The result is that when some
> non-privileged application asks for the root password so it can do bad
> things with it later, the user will type in the root password, and voila,
> a local attack against a user is now a root exploit.

Sure, that's _a_ problem ... assuming the user has been trained. But that's a
_big_ assumption, esp. when we are only talking about installing _new_ packages
(doesn't happen often, so the user isn't trained to accept it).

But, of course, taking advantage of a user trained to input a password without
thinking is not the only attack ... another area of attack would be when you
have an assumed small privilege escalation that has no authentication (hence
this thread).

> The way around this is role-based privileges, which is what polkit is
> implementing

In so far as "role-based privileges" is code for "can be configured to N number
of actual checks, including the auth_as_root check we are comparing it against",
then sure, it has to be at least as secure as auth_as_root because it can be
auth_as_root¹. But suggesting that whatever polkit is configured to use is
automatically better than auth_as_root is, at best, misleading.

Personally I don't think _anyone_ knows "how to make a usable and thus, in
practice, secure desktop". So some of the comments I've read saying basically
"We know X is insecure, so we are now using Y which is secure/better" are not
helping (in fact I'd suggest that this mindset is what led to this problem
initially).

¹ Noting that polkit force removed the "remember auth" option, for no
particularly sane reason that I've seen ... so if that option turns out to be
"the best" option, then role-based privileges has (at least currently) hurt
security.

-- 
James Antill <james@xxxxxxxxxxxxxxxxx>
Fedora

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
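As an added illustration (this is not part of James Antill's message or of anything else in the thread), the point that polkit is only as strong as what it is configured to require can be checked mechanically rather than argued about. The Python script below is mine, not polkit's or Fedora's: it parses entries in the polkit-1 local-authority `.pkla` syntax (INI-style stanzas whose `ResultAny`, `ResultInactive` and `ResultActive` keys take `yes`, `no`, `auth_self`, `auth_admin` or their `_keep` variants) and reports any action an active session can invoke with no authentication at all, i.e. the "small privilege escalation that has no authentication" the thread is about. It also flags the `_keep` variants, which are the "remember auth" behaviour mentioned in the footnote, so an auditor can see where a cached authentication is in play. The two stanzas, the group name and the action id `org.example.pkgmgr.install` are constructed for the example; the first stanza shows the weak setting and the second the corrected one.

```python
"""Audit polkit-1 local-authority (.pkla) entries for no-auth grants.

Added example, not code from the fedora-devel thread. The sample below is
constructed; the action id and group are placeholders, not real policy.
"""
import configparser

# Constructed sample in .pkla syntax. Stanza 1 grants the install action to
# every active session with no dialog at all (the weak setting). Stanza 2 is
# the corrected form: the admin password is required on every use (the
# auth_as_root equivalent), and inactive or remote sessions are refused.
SAMPLE_PKLA = """\
[Let desktop users install packages without a password]
Identity=unix-group:desktop_users
Action=org.example.pkgmgr.install
ResultActive=yes

[Require the admin password for package installs]
Identity=unix-group:desktop_users
Action=org.example.pkgmgr.install
ResultAny=no
ResultInactive=no
ResultActive=auth_admin
"""

SCOPES = ("ResultAny", "ResultInactive", "ResultActive")
NO_AUTH = {"yes"}                                   # granted with no dialog
CACHED_AUTH = {"auth_admin_keep", "auth_self_keep"}  # "remember auth" variants


def parse_pkla(text):
    """Return {stanza title: {key: value}} for every stanza in `text`."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case (ResultActive, not resultactive)
    parser.read_string(text)
    return {title: dict(parser[title]) for title in parser.sections()}


def audit(entries):
    """Return (stanza, action, scope, finding) tuples for risky Result* values.

    Action= may list several action globs separated by ';' in .pkla files,
    so each is reported separately.
    """
    findings = []
    for title, keys in entries.items():
        actions = [a.strip() for a in keys.get("Action", "").split(";") if a.strip()]
        for scope in SCOPES:
            value = keys.get(scope)
            if value is None:
                continue
            for action in actions:
                if value in NO_AUTH:
                    findings.append((title, action, scope,
                                     "granted without any authentication"))
                elif value in CACHED_AUTH:
                    findings.append((title, action, scope,
                                     "authentication is remembered (" + value + ")"))
    return findings


def no_auth_findings(entries):
    """Only the findings where an action is granted with no dialog at all."""
    return [f for f in audit(entries) if f[3].startswith("granted without")]


if __name__ == "__main__":
    for stanza, action, scope, why in audit(parse_pkla(SAMPLE_PKLA)):
        print("[%s] %s %s: %s" % (stanza, action, scope, why))
```

Run on the constructed sample, only the first stanza is reported: its `ResultActive=yes` hands the install action to any active session without a dialog, while the corrected stanza produces no finding because `auth_admin` asks for the admin password every time and the other two scopes are `no`. Point the script at the stanzas from a real `/etc/polkit-1/localauthority/` tree (on systems that still use the `.pkla` format) to get the same report for an installed configuration.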