Maybe, but when you launch applications with root privileges on Debian, the dialogue will ask you for your root password and not your user password. That leads me to suspect this trick probably works on Debian too. My Debian partition has been in a state of bork for a few months so I can't test this exploit there.
Blag | As an Ubuntu Forums discussion grows longer, the probability of someone mentioning Arch Linux approaches 1.
I don't know about gksudo, but when I use kdesudo, the dialog that comes up tells me in bold what it's about to run with root privileges. e.g, if I run "kdesudo xterm", the dialog says
Obviously, this doesn't help if you don't read the dialog, but it's likely to catch your eye if the malware command is conspicuously named or given a full path (which it would need if it were in your home directory).Code:xterm requires administrative privileges to run. Please enter your password. command: xterm
I don't know if there's a fool proof way to make this secure without making the system extremely unfriendly, but it would be nice to have options for the more paranoid among us to turn off the menu overrides.
Note that you CAN disable execute for a partition, which if enabled for your home directory would make it impossible to execute a malware binary from anywhere the user could write to. It wouldn't stop sending a script to an interpreter, though (so gksudo bash /home/unfortunateuser/malwarescript.sh && synaptic would work).
But wouldn't it say "malware_exploit && synaptic" in the gui popup to ask for your password? It would be pretty obvious. In debian, using su, you have are required to enter your password each time you do something requiring root priveleges. Ubuntu iirc has sudo timeout, where actions within a certain time limit after the first time you entered the password, you don't need to renter the password again. You only need to do so again after the timeframe has expired.
That's very good. I vote that gksu(do) should adopt that as well. That would fix the problem. Good game.
No it isn't. It doesn't matter that root doesn't have a password in Ubuntu. Once you elevate privilege, whether through sudo or su, you can do anything you want. It doesn't matter. Any exploit in Ubuntu would be equally easy in Debian.
If it doesn't already, it should. Anyone with a GNOME bugzilla account should file a wish/bug.
Agreed. Debian would have gksu which could be used exactly the same way.No it isn't. It doesn't matter that root doesn't have a password in Ubuntu. Once you elevate privilege, whether through sudo or su, you can do anything you want. It doesn't matter. Any exploit in Ubuntu would be equally easy in Debian.
Can someone explain how this corrupt .desktop file got into the user's home directory in the first place?
Bookmarks