On Fri, 2013-09-13 at 11:23 +0300, Oron Peled wrote:
> On Friday 13 September 2013 01:51:00 drago01 wrote:
> > On Fri, Sep 13, 2013 at 1:26 AM, Oron Peled <oron@xxxxxxxxxxxx> wrote:
> > > - This means that any privileged service controlled by GUI client (e.g:
> > >   NetworkManager) is still only as secure as its controller (e.g:
> > >   nm-applet).
> > This is wrong. That's not how "controlling the service" works.
> > Care to explain?
> * Let's assume someone exploits a buffer overflow in nm-applet to execute
>   arbitrary code.
>
> * Now she can ask (over dbus) from NM to do "legitimate" operations without
>   the user consent/knowledge -- e.g: connect to some random-joe wireless
>   network, etc. (btw, the user can still discover the truth via other
>   client which isn't subverted -- like nmcli, the kde widget, etc.)

nm-applet can certainly *ask* NetworkManager to do something. Depending on
the policy that an administrator has set, NetworkManager will ask the user
to authorize the request via PolicyKit. Only if the request is authorized
will that request be granted.

If your user must authorize before you can obtain the ModifySystem and
ModifyOwn permissions, then no, nm-applet can't ask NetworkManager to
connect to malicious networks unless that trojan also somehow subverts
PolicyKit.

Dan
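
An administrator policy of the kind described in the message above, written as a polkit rules file. This is an added example, not part of the thread and not NetworkManager's shipped policy. It assumes the two permissions correspond to the polkit actions `org.freedesktop.NetworkManager.settings.modify.system` and `org.freedesktop.NetworkManager.settings.modify.own`; `nmRule`, `GATED` and the `pk` stand-in are names made up for the example.

```javascript
// Stand-in for the `polkit` global that polkitd gives to rules files, so the
// rule can also be exercised outside polkitd. Constructed for this example.
var pk = (typeof polkit !== "undefined") ? polkit : {
    Result: { NO: "no", YES: "yes", AUTH_SELF: "auth_self",
              AUTH_ADMIN: "auth_admin", NOT_HANDLED: "not_handled" },
    addRule: function (fn) {}
};

var NM = "org.freedesktop.NetworkManager.";

// Actions that must never be granted silently, and the proof each requires.
var GATED = {};
GATED[NM + "settings.modify.system"] = "AUTH_ADMIN"; // system-wide connections
GATED[NM + "settings.modify.own"]    = "AUTH_SELF";  // the user's own connections

// polkitd evaluates this for every request, whichever D-Bus client sent it
// (nm-applet, nmcli, or code running inside a compromised applet).
function nmRule(action, subject) {
    if (!Object.prototype.hasOwnProperty.call(GATED, action.id)) {
        return pk.Result.NOT_HANDLED;   // leave other actions to other rules
    }
    // Refuse outright when the caller is not in a local, active session.
    if (!subject.local || !subject.active) {
        return pk.Result.NO;
    }
    // The prompt is shown by the polkit authentication agent, a separate
    // process, so the requesting client cannot approve its own request.
    return pk.Result[GATED[action.id]];
}

pk.addRule(nmRule);
```

With this rule in place, a request to change settings is granted only after the authentication agent collects the required credential from the user or an administrator.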