On Thu, Apr 28, 2005 at 02:08:53PM -0400, William Hooper wrote:
> > In this case, some simple "don't do that" would have helped. But in the
> > case of the sort of tricks that work on Windows users ("But the e-mail
> > came from my friend!" "I wanted to see the funny animation it said was in
> > there!") can work on Linux users too.
> Only if you read your e-mail as root, which there is no reason to do.

I wasn't even thinking about that. I *was* thinking about this: the program
pops up a window which explains in an impressive way about how it needs root
access in order to optimally present video blah blah blah, or do some other
serious-sounding task, and actually asks for the root password. Maybe it
says "I need to install onto your system", and the user is *used* to giving
the root password for that to run system-config-packages.

Or, it changes the Gnome menu, so that when the user goes to run one of the
system-config programs and is prompted for the root password, the root
password is intercepted and silently used to compromise root (and on
success, the menu put back exactly as it was before).

So, reducing the situations where the typical user ever needs the root
password is one thing that can be done. "Trusted computing" may also help
here, since some of those ideas are working at making sure that system
prompts really are authentic system prompts.

> > We need to *address* that, not just
> > say "this is approximately zero threat". Obviously education is part of
> > it. A more sophisticated SE Linux could be another.
> A more sophisticated SELinux would require a more sophisticated user to
> administer it. Catch-22.

Well, *that's* the place where it needs to be more sophisticated. The
current SE Linux is basically like assembly-language. It needs to be made
more understandable at a higher-level view -- and then more transparent.
--
Matthew Miller           mattdm@xxxxxxxxxx        <http://www.mattdm.org/>
Boston University Linux      ------>                <http://linux.bu.edu/>
Current office temperature: 78 degrees Fahrenheit.