PolicyKit Proliferation is a Security Disaster in the making.

Eric Rannaud eric.rannaud at gmail.com
Thu Nov 6 22:03:22 UTC 2008


On Thu, 2008-11-06 at 12:04 -0500, Daniel J Walsh wrote:
> Let's take a look at system-config-services.  This service comes up and
> prompts me for the root password before I start and stop a service. That
> is good, works just like it did when system-config-services used
> consolehelper.

Incidentally, a related problem with this is that as a user I have no
way of knowing which application generated that pop-up dialog asking for
my root password.

I may be wrong, but I don't believe there is any way whatsoever for the
user to tell reliably that the pop-up dialog is legitimate. If there is
a way to tell it is legitimate, it is not quite obvious enough.

The only clue I can have that I should indeed input my password is
timing. If I didn't do anything mandating a request for my root password
in the previous second, I'm unlikely to trust the pop-up. But this is
obviously a very weak security guarantee.

As an example scenario, I believe any user application can be notified
when the network connection goes up and down (through D-Bus?). Such a
connection related event is probably a good time for a rogue application
to display such a pop-up (e.g. given the tendency of wireless connections
to go down unexpectedly at random times).

This is not a very smart scenario, I'm sure attackers would come up with
much more convincing ones, but that one would work at least on some
users some of the time.

Any arbitrary code execution vulnerability in a user space application
like Firefox has the potential of becoming a successful remote root
exploit, just because the user got fooled.

This weakness has been present for quite a while now; I would imagine
people have thought about it before. But it may be worth thinking about
it again, especially in light of the recent trend to ask for your root
password in new and unexpected ways at odd times.

Regards,
Eric.

More information about the Fedora-security-list mailing list