PolicyKit and malware, was: What I HATE about F11

David Zeuthen davidz at redhat.com
Tue Jun 23 16:34:17 UTC 2009


Hi,

(I'm not subscribed to fedora-devel so if you want replies from me don't
remove me from the Cc.)

On Tue, 2009-06-23 at 12:27 -0400, Kevin Kofler wrote:
> David Zeuthen wrote:
> > Anyway, the goal of PolicyKit isn't to fix the "cope with malware in
> > your session" problem. That problem is much much harder to fix and it
> > requires us to depart from the model where the whole user session is a
> > single security context.
> 
> Then why does it prompt for authentication at all? It could just as well
> just let the user do everything without a password, he/she's already
> authenticated due to the login. Prompting for passwords again makes sense
> to protect against malware, but what else? Users who left their desktop for
> a while? It's their responsibility to lock the desktop.

Because it is desirable to verify that either

 1. The person in front of the system really is the logged-in user
    and authorizes an action

 2. The person in front of the system really is an administrator

An example where 1. is useful includes, funny enough, a last guard
against having malware dial 1-900 numbers in other countries at $50 per
hour - e.g. NetworkManager should only allow connections previously
marked as trusted to use the modem to dial out.

(OK, so having malware in the first place is bad... having it cost you
$50/minute because someone wasn't thinking right when designing the OS
is even worse. So this guard really is warranted. Notably Windows has
suffered from this issue and it is naive to think that the Linux desktop
won't suffer from this once we get many more users than the 1% of the
market we have right now.)

An example where 2. is useful includes lockdown - e.g. as a head of
household you may restrict other users from installing new software
while still allowing them to update existing software providing it is
signed. So you ask for administrator authentication.

There are many other examples. Just use your imagination.

      David
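The two checks David lists, as an added example that is not part of the original mail or of the polkit project's own code: "auth_self" for the person at the keyboard proving they are the logged-in user (the modem case) and "auth_admin" for proving they are an administrator (the lockdown case), written in polkit's JavaScript rules syntax (polkit 0.106 and later, files under /etc/polkit-1/rules.d/; Fedora 11 used the older .pkla format, so this is the modern equivalent of the idea, not what shipped then). The `polkit` object stand-in, the evaluator, the ACTION_DEFAULTS table, the group name `wheel` and the mapping of the mail's two scenarios onto the NetworkManager and PackageKit action IDs are assumptions made so the file runs offline under Node; only the `polkit.addRule()` / `polkit.addAdminRule()` calls would go in a real rules file.

```javascript
// Added example (not from the original mail or from polkit itself): the two
// authorization checks from the mail as polkit JavaScript rules, plus a small
// stand-in for the rules engine so this runs offline under Node.
// Assumptions: the stand-in, ACTION_DEFAULTS, the group "wheel", and the
// choice of action IDs used to illustrate each scenario.

// --- stand-in for polkit's global object; real rules files get it for free ---
const polkit = {
  Result: {
    NO: "no", YES: "yes",
    AUTH_SELF: "auth_self", AUTH_SELF_KEEP: "auth_self_keep",
    AUTH_ADMIN: "auth_admin", AUTH_ADMIN_KEEP: "auth_admin_keep",
    NOT_HANDLED: null,
  },
  _rules: [],
  _adminRules: [],
  addRule(fn) { this._rules.push(fn); },
  addAdminRule(fn) { this._adminRules.push(fn); },
};

// Implicit authorizations normally come from each mechanism's .policy file
// (allow_any / allow_inactive / allow_active). Constructed values for the demo.
const ACTION_DEFAULTS = {
  "org.freedesktop.NetworkManager.enable-disable-wwan":
    { any: "auth_admin", inactive: "auth_admin", active: "yes" },
  "org.freedesktop.packagekit.package-install":
    { any: "auth_admin", inactive: "auth_admin", active: "auth_admin_keep" },
  "org.freedesktop.packagekit.system-update":
    { any: "auth_admin", inactive: "auth_admin", active: "auth_admin_keep" },
  "org.freedesktop.packagekit.package-install-untrusted":
    { any: "auth_admin", inactive: "auth_admin", active: "auth_admin" },
};

// --- the rules, as they would sit in /etc/polkit-1/rules.d/50-local.rules ---

// Check 1: "the person in front of the system really is the logged-in user".
// Bringing up mobile broadband can cost money, so ask for the user's own
// password every time, even though the session is already authenticated.
polkit.addRule(function (action, subject) {
  if (action.id == "org.freedesktop.NetworkManager.enable-disable-wwan") {
    return polkit.Result.AUTH_SELF;
  }
});

// Check 2: lockdown. Non-admins may apply signed updates without a prompt,
// must produce an administrator's password to install new software, and may
// never install unsigned ("untrusted") packages. Members of wheel fall
// through to the per-action defaults.
polkit.addRule(function (action, subject) {
  if (subject.isInGroup("wheel")) return polkit.Result.NOT_HANDLED;
  switch (action.id) {
    case "org.freedesktop.packagekit.system-update":
      // Silent "yes" only for a local, active session; remote or
      // backgrounded sessions get the stricter default instead.
      return subject.local && subject.active ? polkit.Result.YES
                                             : polkit.Result.NOT_HANDLED;
    case "org.freedesktop.packagekit.package-install":
      return polkit.Result.AUTH_ADMIN;
    case "org.freedesktop.packagekit.package-install-untrusted":
      return polkit.Result.NO;
  }
});

// Who counts as "an administrator" when a rule returns AUTH_ADMIN.
polkit.addAdminRule(function (action, subject) {
  return ["unix-group:wheel"];
});

// --- stand-in evaluator: the first rule returning something other than
// undefined / NOT_HANDLED decides; otherwise use the implicit authorization ---
function checkAuthorization(actionId, subject) {
  const action = { id: actionId, lookup: () => undefined };
  for (const rule of polkit._rules) {
    const r = rule(action, subject);
    if (r !== undefined && r !== polkit.Result.NOT_HANDLED) return r;
  }
  const d = ACTION_DEFAULTS[actionId] || { any: "no", inactive: "no", active: "no" };
  if (!subject.local) return d.any;
  return subject.active ? d.active : d.inactive;
}

// Identities the authentication agent would accept for an AUTH_ADMIN prompt.
function adminIdentities(actionId, subject) {
  const action = { id: actionId, lookup: () => undefined };
  for (const rule of polkit._adminRules) {
    const ids = rule(action, subject);
    if (ids !== undefined && ids !== null) return ids;
  }
  return ["unix-user:0"]; // polkit's built-in fallback is root
}

// Constructed subjects standing in for the "head of household" scenario.
function makeSubject(user, groups, { local = true, active = true } = {}) {
  return { user, groups, local, active, isInGroup: (g) => groups.includes(g) };
}

const kid = makeSubject("kid", ["kid", "users"]);
const parent = makeSubject("parent", ["parent", "wheel"]);
for (const actionId of Object.keys(ACTION_DEFAULTS)) {
  console.log(actionId.padEnd(58),
              "kid:", checkAuthorization(actionId, kid).padEnd(15),
              "parent:", checkAuthorization(actionId, parent));
}
```

Run it with `node 50-local.js`; the table shows the kid getting `yes` for signed updates, `auth_admin` for installs and `no` for untrusted packages, while the parent keeps the defaults, and both get `auth_self` for the modem. The ordering matters: the wwan rule is registered first, so even an administrator is asked for their own password before dialling out, which is the "last guard" the mail describes.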





More information about the fedora-devel-list mailing list