automatic updates and gksu


melikamp
December 11th, 2009, 06:25 PM
Hi everyone! I would like to discuss the automatic update policy in Ubuntu. Currently, the options are

(1) Install without notification
(2) Download in background
(3) Only notify

Imho, there is a major security issue with the last two. A user gets prompted to install updates almost every other day lately, and the problem is, he has to enter his password every time, and he is not the one who initiates the privilege escalation. It would be easy for an attacker to write a user-land program which mimics the automatic update reminder and gets root.

It is simply wrong to periodically remind the user to gksu. Any such process can be impersonated by a malicious user-land program. In the case with OS updates, there should be the fully automatic option as well as a fully manual option. The middle ground is dangerous.

Let me know what you think!

Agent ME
December 11th, 2009, 06:39 PM
A user program could also place some .desktop files to override the menu options in the Administration menu, and change it so the gksudo prompt launches its own binary instead of the correct one (or even to launch both so you don't even notice). A user program can also create a binary named su in your ~/bin folder, and intercept calls to sudo.

There's a good deal of things programs on an admin account can do to try to get you to sudo them up to root.


It all comes down to this: don't run programs you don't trust on an admin account.

bodhi.zazen
December 11th, 2009, 07:05 PM
Hi everyone! I would like to discuss the automatic update policy in Ubuntu. Currently, the options are

(1) Install without notification
(2) Download in background
(3) Only notify

Imho, there is a major security issue with the last two. A user gets prompted to install updates almost every other day lately, and the problem is, he has to enter his password every time, and he is not the one who initiates the privilege escalation. It would be easy for an attacker to write a user-land program which mimics the automatic update reminder and gets the root.

It is simply wrong to periodically remind the user to gksu. Any such process can be impersonated by a malicious user-land program. In the case with OS updates, there should be the fully automatic option as well as a fully manual option. The middle ground is dangerous.

Let me know what you think!

Welcome to recurring discussions.

I think your argument is circular: how would such an application get on the system?

Ylon
December 12th, 2009, 02:42 PM
Welcome to recurring discussions.

I think your argument is circular: how would such an application get on the system?


Option One:
Everything marked as "trustworthy upgradable" gets upgraded by default, with only a "yes, upgrade" button and no password required.

Automatically marked as "trustworthy upgradeable" will be everything that comes with the system installation. If something gets removed (let's say the bluez packages with all their dependencies), it loses this mark.

When installing new software (you *must* use a password), Synaptic would ask a question when the installation has completed successfully: "Would you like to set this package in the system upgrade?" (mark as "trustworthy upgradeable")


Advantage: only a few packages will remain "outside" (the user (with sudo powers) is free to choose which packages). Most pieces of software have their own icon, so the attacker would also have to "guess" which application is outside the "box" of "trustworthy applications". An "alien" icon (software not installed, or an icon not well known in the "trustworthy box") should arouse suspicion in the user.


Option Two:

An image/icon/logo/face (chosen during install, the "root" user avatar, or autogenerated) appears at the bottom right of the "asking for password" box to certify the genuine origin of the password request. This gives a quick visual reference for whether the popup asking for the password is legitimate. Of course, the avatar/image/icon/logo/face shouldn't be readable by a regular user: no screenshot of it (should be possible) or any other way that would grant the "attacker" the chance to read/copy that image.


The attacker would have to guess what image to show in their fake gksu.

Cheesemill
December 12th, 2009, 04:02 PM
This is why I never set my machines to automatically update. Instead I have a script which emails me the results of:

sudo aptitude update >/dev/null && sudo aptitude -y -s full-upgrade

every day (amongst several other things) on all of my servers.

This way I can review all of my updates before I decide whether or not to install them.

EDIT - This is why on production servers you should only ever use official Ubuntu repos. This way you can be sure that the software has been vetted and approved by the Ubuntu devs. You should never install software from untrusted sources.
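The daily dry-run review Cheesemill describes is easier to act on when the output is reduced to one line per package with security updates flagged. The script below is an added example, not Cheesemill's own script: it parses apt-get's dry-run line format (`Inst <pkg> [<old>] (<new> <origin> [<arch>])` and `Remv <pkg> [<ver>]`) rather than aptitude's, because that format is stable and documented; `summarize_upgrade` and `pending_updates_report` are hypothetical helper names, and the sample lines in the test are constructed.

```shell
#!/bin/sh
# Added example (not Cheesemill's script). Turns the output of a simulated
# (dry-run) upgrade into a review list, one package per line, with packages
# coming from a "-security" origin flagged so they can be prioritised.
# Assumed apt-get dry-run line format:
#   Inst <pkg> [<old-version>] (<new-version> <origin> [<arch>])
#   Inst <pkg> (<new-version> <origin> [<arch>])      (newly pulled-in package)
#   Remv <pkg> [<version>]
# summarize_upgrade reads that text on stdin, so it can be exercised offline.
summarize_upgrade() {
    awk '
        $1 == "Inst" {
            pkg = $2
            if ($3 ~ /^\[/) {              # existing package: [old] (new ...)
                old = $3; gsub(/\[|\]/, "", old); new = $4
            } else {                       # new dependency: (new ...)
                old = "new"; new = $3
            }
            sub(/^\(/, "", new)
            tag = (index($0, "-security") > 0) ? " [SECURITY]" : ""
            print pkg " " old " -> " new tag
        }
        $1 == "Remv" {
            print $2 " REMOVED"            # removals deserve a second look
        }
    '
}

# Live use (needs root for the index refresh): refresh the package index,
# simulate the upgrade, and print the summary; pipe it into mail as the
# thread suggests.
pending_updates_report() {
    apt-get update >/dev/null 2>&1
    apt-get -s dist-upgrade 2>/dev/null | summarize_upgrade
}
```

Run `pending_updates_report | mail -s "pending updates $(hostname)" you@example.invalid` from cron; the `-s` flag keeps apt-get in simulation mode, so nothing is installed until a person reviews the list.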

melikamp
December 20th, 2009, 06:47 PM
Welcome to recurring discussions.

I think your argument is circular: how would such an application get on the system?

Like this (http://www.brainjar.com/dhtml/windows/demo.html), for example, or as a browser plugin, or as a binary blob. I mean, installing a binary blob is kind of silly, but if we know who made it (e.g. Google Earth) and we have a reasonable belief that it won't try to get root via a local exploit, then it poses a very low security risk, and many people will install it. In general, clueless users will follow instructions on some website in order to get something working and will be easily fooled into downloading and running code.

Because it is simply not true that the official repository can be our only source of all executable code, although it does already satisfy most needs of most users. Look, we all have our own special needs and we have to get software elsewhere. For example, my browser is Shiretoko and some of my free libs and programs are likewise locally built because I insist on having the latest version (I need them experimental features). Another concern is that most of us do want to be able to run sandboxed code. Why shouldn't we be able to see a dancing Jesus on the internet, if we can do so safely?

And since we cannot really say with a straight face that the official repository must be the only source, we should anticipate a significant portion of users running random stuff with their local privilege. I really think it will be happening (it is happening), and if only one user out of a thousand is clueless enough to follow directions on some hentai site, then botnets will have a very strong foothold, just like they do in the Windows world today.

Without a local exploit, all this crapware is trivial to purge, and things like AppArmor will work great at reducing the damage to the userland. But if it can trick a user (simulating a local exploit experience), then the system is fubar.

But every user can be educated to some (very low) degree. Every user can understand, for example, that they are safe as long as they don't su. I have anecdotal evidence, too: I have at least 3 friends who switched to Ubuntu from Windows and/or OS X. They didn't know what su is. The only time they elevate in Ubuntu is when they use Synaptic and Update Manager, and that is a tremendous testament to how usable Ubuntu has become for a newcomer. My point is, why do they have to su at all? The only safe way to su is when you know exactly what you are doing and why.