Security of PolicyKit

memolus at googlemail.com memolus at googlemail.com
Sat Jan 1 09:16:07 PST 2011


As far as I know:

* The authentication agent (e.g. PolicyKit-gnome) allows entering a
password without being spoofed, provided that you've somehow verified
that it's the real dialog (a secure attention key, e.g. Ctrl+Alt+Del,
is not implemented). In contrast, it's not able to prevent mouse click
emulation. The reason this is not possible yet is that it depends on
some work in the graphics stack being done. Therefore there are no
passwordless buttons.
* If a graphical application has a certain non-one-shot permission,
any malware can control the GUI until you "drop" the permission.
* Because PolicyKit does not run in a separate security context,
malware could hijack the authentication dialog and spoof the text in
the dialog - thus tricking the user into installing things that are not
desired.

The long-term plan is:

* Authentication agent in a separate security context
* A secure attention key for non-consumer setups
* Yes/no dialogs are possible, but not explicitly planned
* You will have a look at further ideas, if you've got the separate
security context and all that "jazz"

Is that right?

Is there any progress on the graphics stack, the X server and SELinux?


More information about the polkit-devel mailing list