On Friday 13 September 2013 01:51:00 drago01 wrote:
> On Fri, Sep 13, 2013 at 1:26 AM, Oron Peled <oron@xxxxxxxxxxxx> wrote:
> > - This means that any privileged service controlled by GUI client (e.g:
> >   NetworkManager) is still only as secure as its controller (e.g:
> >   nm-applet).
> This is wrong. That's not how "controlling the service" works.

Care to explain?

* Let's assume someone exploits a buffer overflow in nm-applet to execute
  arbitrary code.

* Now she can ask NM (over dbus) to do "legitimate" operations without
  the user's consent/knowledge -- e.g: connect to some random-joe wireless
  network, etc.
  (btw, the user can still discover the truth via another client which isn't
  subverted -- like nmcli, the kde widget, etc.)

* I don't claim this attack is easy, because the arbitrary code would
  have to hook into all relevant dbus callbacks for the wanted transaction
  to complete successfully, but I don't see any theoretical show-stopper.

* IMO, all this just sets some upper bound to our security expectations.
  Privilege separation of services into a "controller-controlled" pair is
  an improvement over the previous state of affairs, but a "verified-good"
  controller can still become rogue during runtime due to a buffer
  overflow -- it then still has the same power it had before :-(

--
Oron Peled                                 Voice: +972-4-8228492
oron@xxxxxxxxxxxx                  http://users.actcom.co.il/~oron
It's not the software that's free; it's you. - billyskank on Groklaw