
Re: Open Xlock as root



Savochkin Andrey Vladimirovich wrote:
> Yes, X is a fundamentally broken idea from security point of view.
> All of attached processes shared common resources without boundary checks.  I
> remember an exploit showing that every application can snoop a text typed by
> user in any window.  I don't know the current state of X but I bet that
> almost any abuse which can be imagined can be implemented.

I've heard people talk about special X window managers that maintain
some sort of mandatory access control/compartmentalization between
different windows. I'm certain that none of the window managers
available under Linux today do this, but if this sort of policy is
something a window manager can enforce, then is X per se fundamentally
flawed?

Pavel wrote:
> How can a trusted GUI agent make sure it talks to a trusted X server?
> How can a person at the terminal make sure he or she talks to a trusted
> GUI agent via a trusted X server?

I think the NSA paper I posted a link about the other day covers this in
its trusted path section (end of section 2).

[URL is about half way down this page:
http://csrc.nist.gov/nissc/1998/papers.html ]

The paper as a whole says that the OS must provide mechanisms like
trusted path to ever be able to overcome your concern here. What's not
clear to me is whether the X-server is considered part of the OS in the
context of this paper or not. My current impression is that it is and
that I'm going to speculate that

  if we had a trusted path mechanism within X, and
  if we had support for marking applications (agents) as "trusted"
  then we could be certain of the above.

At present, we can't, so your questions do get to the heart of the
matter.

Ivan wrote:
> Even then, root compromise on one computer may open the whole system
> to the intruder if the privileged user's homedirectory lies
> on a distributed filesystem of any type. Once you have access to
> modification credentials for a few (milli)seconds, you can do a lot.

This reads like, within one network of systems if everyone implicitly
trusts everything, then no compromise is too small. That's why people
don't like NFS and why .rhosts files are unsafe, to mention two obvious
problems.

And I can't agree more. However, is there anything we can do with PAM's
infrastructure to improve this situation? What OS support is missing?

Cheers

Andrew


