Linked by Thom Holwerda on Mon 11th Sep 2006 17:56 UTC
Windows A few days ago we reported on the fact that applications which have administrative rights in Vista (given by the user, of course) can disable User Account Protection altogether. This was seen as a security flaw; Ars, however, begs to differ: "When UAC is disabled, Vista gripes loudly about it. The Windows Security Center immediately notes that UAC has been turned off, and it prompts you to turn it back on using a system tray notification. From our own testing, it appears impossible to disable UAC without the Security Center noticing it, which makes it rather unlikely that a user is end up in a less secure state."
Thread beginning with comment 161358
To read all comments associated with this story, please click here.
Well...
by PJBonoVox on Mon 11th Sep 2006 18:35 UTC
PJBonoVox
Member since:
2006-08-14

I posted yesterday that an application (Windows or Linux) could ask for the root password. Say in KDE surely it could create a 'kdesu' like box telling you it needs administrative privileges. Then it uses the provided password to do something as root.

If this is possible, and I'm sure it is, what is stopping Linux from being 'owned' the same way that the Vista hating article from yesterday said Vista could?

Understand-- I use Linux and Windows and I like them both, but this article just got me thinking.

Edited 2006-09-11 18:36

Reply Score: 5

RE: Well...
by sbenitezb on Mon 11th Sep 2006 18:53 in reply to "Well..."
sbenitezb Member since:
2005-07-22

"If this is possible, and I'm sure it is, what is stopping Linux from being 'owned' the same way that the Vista hating article from yesterday said Vista could?"

I can guarantee non of my Kubuntu installed-from-repos applications owned my system. There's this confidence because these applications are open source and maintained by a well known group of developers.

You cannot be so sure about that in the Windows world. You could end downloading a trojan.

Reply Parent Score: 2

RE[2]: Well...
by PowerMacX on Mon 11th Sep 2006 19:00 in reply to "RE: Well..."
PowerMacX Member since:
2005-11-06

I can guarantee non of my Kubuntu installed-from-repos applications owned my system. There's this confidence because these applications are open source and maintained by a well known group of developers.

You cannot be so sure about that in the Windows world. You could end downloading a trojan.


Do you personally check every line of code?
Otherwise...
http://www.osnews.com/story.php?news_id=15170

(Still safer than downloading random stuff in a Windows box of course ;) )

Reply Parent Score: 5

RE: Well...
by bob8 on Mon 11th Sep 2006 18:59 in reply to "Well..."
bob8 Member since:
2006-07-13

"If this is possible, and I'm sure it is, what is stopping Linux from being 'owned' the same way that the Vista hating article from yesterday said Vista could?"

The fact that it's trivial to turn off UAC completely in Windows. In Linux it is much harder and on a properly configured system it cannot be done.

Reply Parent Score: 1

RE[2]: Well...
by evad on Mon 11th Sep 2006 19:23 in reply to "RE: Well..."
evad Member since:
2005-09-10

GNU/Linux doesn't have "UAC" so yes, you can't turn it off.



Or on.

Reply Parent Score: 2

RE: Well...
by ma_d on Mon 11th Sep 2006 19:37 in reply to "Well..."
ma_d Member since:
2005-06-29

I think that sudo doesn't allow any programmatic entering of the password into its terminal dialogs or its graphical dialogs. I can't confirm this because I don't have it setup to test, but I imagine that'd be a basic feature to make the system truly useful.

If anyone knows of a source on doing this I'd love to hear about it, I'm a little curious now.

Reply Parent Score: 1

RE[2]: Well...
by tomcat on Mon 11th Sep 2006 20:22 in reply to "RE: Well..."
tomcat Member since:
2006-01-06

Use a little imagination. A malicious app puts up a dialog to collect the username/password, user enters it, malicious program spawns sudo with cmdline of target process with elevated privileges, sudo puts up a login dialog, user thinks that he/she mistyped the password in the original dialog and enters it again, sudo'd process does whatever it wants. Game over. You're owned.

Reply Parent Score: 4

RE[2]: Well...
by WorknMan on Mon 11th Sep 2006 20:00 in reply to "Well..."
WorknMan Member since:
2005-11-13

I can guarantee non of my Kubuntu installed-from-repos applications owned my system. There's this confidence because these applications are open source and maintained by a well known group of developers.

You cannot be so sure about that in the Windows world. You could end downloading a trojan.


I see a lot of people saying that since most users run without root access, malware on Linux couldn't do as much damage as it could on a Windows system. However, when someone points out a senario where this may not be the case (such as the above), the standard response is 'Well, most Linux apps are open source anyway, so you don't have to worry about it.' This seems to me like sort of backwards logic. Either it is vunerable or it is not. If it is, then somebody will eventually exploit it.

BTW: I think it should be possible to turn off UAC in Vista, but make it not-so-obvious so that only power users (or people looking for the option) would actually find it.

Reply Parent Score: 5

RE[3]: Well...
by sbenitezb on Mon 11th Sep 2006 20:20 in reply to "RE[2]: Well..."
sbenitezb Member since:
2005-07-22

"I see a lot of people saying that since most users run without root access, malware on Linux couldn't do as much damage as it could on a Windows system. However, when someone points out a senario where this may not be the case (such as the above), the standard response is 'Well, most Linux apps are open source anyway, so you don't have to worry about it.' This seems to me like sort of backwards logic. Either it is vunerable or it is not. If it is, then somebody will eventually exploit it."

There is no secure method to prevent an application from opening a sudo dialog to get your password to own your system. But that application needs your credentials to temporarily change to root. It's not a vulnerability, it's how things works. You may have the most secure safe in the world, but if you trust the thief into your home and give him the password you are done. It's your mistake.

Trust is everything here. You cannot trust closed source applications. Most of internet downloadable applications are, by nature, not to be trusted. You make the final decission. When I download from a trusted repository, I'm inherently trusting the packager and the developers. Mostly because the project is open source and auditable. If you download from download.com, you are not certain that the programs don't contain any trojan or spyware. In a lot of circumstances, they do. I'm using Linux since 1996, and I yet have to be infected with some spyware or trojan or virus or, you name it.

Reply Parent Score: 5

RE[4]: Well...
by WorknMan on Wed 13th Sep 2006 02:09 in reply to "RE[2]: Well..."
WorknMan Member since:
2005-11-13

If you download from download.com, you are not certain that the programs don't contain any trojan or spyware. In a lot of circumstances, they do.

Are you sure about that?
http://cnet.custhelp.com/cgi-bin/cnet.cfg/php/enduser/std_adp.php?p...

Reply Parent Score: 1

RE: Well...
by ValiantSoul on Tue 12th Sep 2006 01:27 in reply to "Well..."
ValiantSoul Member since:
2005-07-20

Typically the linux user is a little smarter than the Windows user. For example if you try to fire up a game, a linux user will be suspicious if it asks for root password. If a Windows user was in the same situation, they would probably quickly enter their password in order to play the game.

Reply Parent Score: 2

RE[2]: Well...
by jessta on Tue 12th Sep 2006 14:43 in reply to "Well..."
jessta Member since:
2005-08-17

No one can design a system that will protect a user from themselves.
With great power comes great responsibility.
Idiots will be owned until the end of time.

Reply Parent Score: 1