[Date Prev][Date Next] [Thread Prev][Thread Next]
[Thread Index]
[Date Index]
[Author Index]
Re: clock riddle
- From: Gregory Maxwell <gmaxwell gmail com>
- To: For testers of Fedora Core development releases <fedora-test-list redhat com>, Chris Adams <cmadams hiwaay net>, Michal Jaegermann <michal harddata com>
- Cc:
- Subject: Re: clock riddle
- Date: Tue, 24 Feb 2009 01:40:40 -0500
On Mon, Feb 23, 2009 at 5:30 PM, Chris Adams <cmadams hiwaay net> wrote:
> Once upon a time, Michal Jaegermann <michal harddata com> said:
>> On Mon, Feb 23, 2009 at 05:10:41PM -0430, Patrick O'Callaghan wrote:
>> > Why don't you simply state what you're talking about instead of asking
>> > riddles?
>>
>> I stated: "Anybody with a desktop session can mess with a system
>> clock at will. No root password or anything of that sort required".
>> I was curious if other people think that this is as serious as I know
>> it is.
>
> You've left it as a riddle as to how it would be done, as nobody else
> can reproduce what you claim. Without concrete details, you'll get
> quicksand responses.
Easily reproduced it here on a fresh F10 install where the user
account had never been subjected to the root password:

Right click the gnome clock applet, adjust date & time. It asks for a
password, the *user* password satisfies it. I never would have caught
this: My time is always set via NTP, and if I ever accidentally
clicked my way to that dialog I would have assumed that it wanted the
root password.

This shouldn't have been sent to this list: It should have been filed
as a confidential bug, it's CERT announcement material. I guess it's
too late now.

A non-privileged "kick NTP" command is probably acceptable. An
adjustment of the per-user TZ variable is completely safe. A
non-privileged change-system-timezone *might* be safe, but that is
still a major change in the Unix security model so determining the
safety would take extensive analysis and discussion. It would probably
be better to transition to a model where the system timezone was
always UTC, and applications heeded a per-user timezone.

…but allowing regular users to simply adjust the time arbitrarily is
an absolute security disaster.
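Added example, not part of the thread: a small Python detector for the kind of change described above. It runs over constructed auditd-style SYSCALL records and flags successful clock-setting syscalls whose login uid (auid) belongs to a regular user, which catches the case where a root-running helper sets the clock on a desktop user's behalf. The syscall numbers assume x86_64 audit records; the log lines, uid 500 and helper path are constructed sample values.

```python
import re

# x86_64 syscall numbers that step or slew the system clock (assumption: x86_64 records)
CLOCK_SETTING_SYSCALLS = {159: "adjtimex", 164: "settimeofday", 227: "clock_settime"}
AUID_UNSET = 4294967295  # auid when no login session exists (daemons such as ntpd)

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
TS_RE = re.compile(r"audit\((\d+\.\d+):\d+\)")


def parse_audit_line(line):
    """Split one auditd record into a dict of its key=value fields plus its timestamp."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = TS_RE.search(line)
    fields["_ts"] = float(m.group(1)) if m else 0.0
    return fields


def find_clock_changes(lines):
    """Return successful clock-setting syscalls attributable to a non-root login uid.

    auid is the uid of the original login and survives privilege escalation through
    a setuid or D-Bus helper, so uid=0 with auid=500 means a user-driven change.
    """
    hits = []
    for line in lines:
        f = parse_audit_line(line)
        if f.get("type") != "SYSCALL" or f.get("success") != "yes":
            continue  # not a syscall record, or the kernel refused the call
        name = CLOCK_SETTING_SYSCALLS.get(int(f.get("syscall", -1)))
        if name is None:
            continue
        auid = int(f.get("auid", AUID_UNSET))
        if auid in (0, AUID_UNSET):
            continue  # root's own change, or a daemon with no login session
        hits.append({"ts": f["_ts"], "auid": auid, "uid": int(f.get("uid", -1)),
                     "syscall": name, "exe": f.get("exe", "?")})
    return hits


# Constructed sample records (not real logs); "time-change" is the audit key assumed here.
SAMPLE_LOG = [
    # ntpd slewing the clock: no login session, ignored
    'type=SYSCALL msg=audit(1235457600.101:301): arch=c000003e syscall=159 success=yes exit=0 auid=4294967295 uid=0 comm="ntpd" exe="/usr/sbin/ntpd" key="time-change"',
    # root at a console stepping the clock: auid=0, ignored
    'type=SYSCALL msg=audit(1235457610.202:302): arch=c000003e syscall=164 success=yes exit=0 auid=0 uid=0 comm="date" exe="/bin/date" key="time-change"',
    # a desktop user's clock helper running as root: auid=500 survives, flagged
    'type=SYSCALL msg=audit(1235457620.303:303): arch=c000003e syscall=164 success=yes exit=0 auid=500 uid=0 comm="clock-helper" exe="/usr/libexec/example-clock-helper" key="time-change"',
    # unprivileged attempt that the kernel refused: success=no, ignored
    'type=SYSCALL msg=audit(1235457630.404:304): arch=c000003e syscall=164 success=no exit=-1 auid=500 uid=500 comm="date" exe="/bin/date" key="time-change"',
]
```

Running `find_clock_changes(SAMPLE_LOG)` returns only the third record, which is the signature a defender wants: the clock moved, the process was root, but the login uid was an ordinary user.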