gksudo potentially very insecure

[Eric Dunbar]

On 7/4/05, Ante Karamatić <ivoks at grad.hr> wrote:
> On Mon, 2005-07-04 at 18:30 +0200, Wouter Stomp wrote:
> 
> > The timeout setting is nice and handy, but I think it would be better
> > if you get asked for a password whenever you start a new program with
> > gksudo. The timout setting could still be useful when opening the same
> > program more than one time.
> 
> You have a good point about gksudo. But making gksudo to ask password
> every time is even worse then not asking.
> 
> Could it be possible to change color of the window? Or, even better,
> change the color of the 'window name bar'?

At the risk of raising the ire of Mac OS X haters ;-)

In Mac OS X GUI apps seem to gain admin privileges at two different times:
1. At the app's launch
or,
2. Whenever an operation is going to happen that requires root privs.

There doesn't appear to be a time-out associated with the granting of
admin privs if the app acquires admin privs at launch time. However,
if the app only gets admin privs when an operation requests them then
these privs are a one-time only deal.

Giving one app root privs does not give another app root privs through
a time-out mechansim (at least, not in my experience).

Now, I don't know how Apple achieves this but I do know that their
security model is also based on sudo (though, probably not gksudo ;-)
and I do not find it intrusive since. It's comforting to know that a
dangerous operation will be cancelled if the password is not entered.

Apps on Mac OS X may use Keychain in a special way that wouldn't be
amenable to Linux???

But, anyway, the point of my post is that typing a password is *not*
intrusive. IMNSHO it *is* a bad idea to automagically grant admin
privs to an app merely because it was launched during the gksudo
timeout window. I guess this issue will be debated ad nauseum for a
while to come (and, it better be b/c this type of security is
important :-).

Eric.