Author: Tito
Date:
To: dng
Subject: Re: [DNG] why is polkit needed? dropin replacement


On 2/23/20 4:22 PM, Aitor wrote:
> Hi Tito,
>
> On 23/2/20 14:15, Tito via Dng wrote:
>> On 2/23/20 1:54 PM, Aitor wrote:
>>> Hi,
>>>
>>> On 23/2/20 13:17, Aitor wrote:
>>>> The binary won't be suid, but rather it'll receive the root password through the mentioned unix socket using internally (sudo | su) afterwards.
>>>
>>> As simple as that:
>>>
>>> system( "echo <password> | sudo -S <application_name>");
>>>
>>> I tested my first draft and it works. Do it simple, isn't it?
>>>
>>> Aitor.
>>>
>> Hi,
>>
>> this looks dangerous, isn't the password readable unencrypted in e.g. /proc?
>> You should never send an unencrypted password over a shell or pipe.
>> Usually the password, as soon as it is inputted, is encrypted with the correct cipher
>> for the system and the buffer is zeroed, then the encrypted password is compared
>> to what is in /etc/shadow or /etc/passwd or handled in the way that is deemed fit.
>> I suggest you handle the passwords and the command and args to be run in your program.
>> This way:
>> 1) password stays unencrypted for the shortest time
>> 2) you have control and you can vet the env, program and args that are run.
>>
>> Hope this helps.
>>
>> Ciao,
>> Tito
>
> Thanks for the info, I know... Some people ripped me to shreds in the IRC channel some years ago, when I started working on the backend of simple-netaid.
>
> This is only for testing the first part of the project. I have two ideas for the second part:
>
> - To have a look at the code of ssh-askpass, suggested by Didier Krin, whose dialog frame is useful only for X11 and not for wayland.


Hi,

I would use a simple GtkWindow with a GtkEntry (GTK2/GTK3 compatible) + 2 buttons (cancel, ok);
that way it will be the GTK backend that cares about X11 or Wayland (I suppose...):

"put into “password mode” using gtk_entry_set_visibility(). In this mode, entered text is displayed using
a “invisible” character. By default, GTK+ picks the best invisible character that is available in the current
font, but it can be changed with gtk_entry_set_invisible_char(). Since 2.16, GTK+ displays a warning when Caps
Lock or input methods might interfere with entering text in a password entry.
The warning can be turned off with the “caps-lock-warning” property."

"Note that you probably want to set “input-purpose” to GTK_INPUT_PURPOSE_PASSWORD or GTK_INPUT_PURPOSE_PIN
to inform input methods about the purpose of this entry, in addition to setting visibility to FALSE."

On hitting Enter or the OK button this returns a gchar string (typedef of char)
that could be fed to:

    /* plaintext: the password just typed; pw_pass: the hash stored for the user (/etc/shadow) */
    encrypted = pw_encrypt(plaintext, /*salt:*/ pw_pass, 1);
    /* the typed password is correct if it hashes to the stored hash */
    r = (strcmp(encrypted, pw_pass) == 0);
    free(encrypted);
    nuke_str(plaintext);   /* zero the plaintext buffer as soon as it is no longer needed */
    return r;


To see a good example take a look at: busybox/libbb/correct_password.c
This is widely used code and most pitfalls are already handled.


>
> - To emulate keypress events in C code afterwards, according to the received password.


Looks overcomplex to me, but I'm not a guru....
>
> On the other hand, what do you think about the suid receiving the password through the socket, staying the file descriptor for the shortest time? I assume it encrypted.


Why use 2 binaries rather than one? More programs, more code, more communication between them equals more attack surface.
I would stay with just one suid binary, more so if you want to go the su-only route.
After having taken a look at the sudo source code I think it is by far more complex than simple su; I personally
would avoid it entirely, but this could be added later after having got right the simpler su-only case.
I will see if I'm able to cobble together a working example code just for the fun and to refresh
my C coding skills.

Just my 2 cents.

Ciao,
Tito

>
> Thanks in advance,
>
> Aitor.
>
>
>
> _______________________________________________
> Dng mailing list
> Dng@???
> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
>
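The two points Tito makes in the thread above, as a small added C example that is not code from the thread, from busybox or from simple-netaid: the plaintext password lives in one buffer the program controls and is wiped as soon as it has been used, it never goes on a command line (readable via /proc/<pid>/cmdline) or through `sh -c` the way `system("echo <password> | sudo -S ...")` sends it, and the program itself chooses the binary, its arguments and a minimal environment and calls execve() directly. The helper names wipe_str, spawn_with_secret and demo_cat_roundtrip are my own, /bin/cat stands in for whatever privileged helper would really be run, and "hunter2" is a constructed test secret.

```c
/* Added example (not from the DNG thread, busybox or simple-netaid).
 * Helper names wipe_str, spawn_with_secret, demo_cat_roundtrip are hypothetical.
 *  1) the plaintext is kept in one buffer and wiped right after the child
 *     has received it; it is never put on a command line or fed to sh -c;
 *  2) the binary, argv and environment are chosen here and run via execve(),
 *     so no shell expands anything. */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Overwrite a secret buffer. The volatile pointer stops the compiler from
 * dropping the stores as dead code (same purpose as busybox's nuke_str). */
void wipe_str(char *s, size_t len)
{
    volatile char *p = (volatile char *)s;
    while (len--)
        *p++ = 0;
}

/* Run argv[0] with a fixed minimal environment, feed `secret` to its stdin
 * through a pipe, and capture up to outcap-1 bytes of its stdout into out
 * (NUL terminated). The secret buffer is wiped as soon as it has been
 * written to the child. Returns the child's exit status, or -1 on failure. */
int spawn_with_secret(char *const argv[], char *secret, char *out, size_t outcap)
{
    static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };
    int in_pipe[2], out_pipe[2], status, write_ok;
    size_t len, got = 0;
    pid_t pid;

    if (pipe(in_pipe) < 0)
        return -1;
    if (pipe(out_pipe) < 0) {
        close(in_pipe[0]); close(in_pipe[1]);
        return -1;
    }
    signal(SIGPIPE, SIG_IGN);              /* a dying child must not kill us */
    pid = fork();
    if (pid < 0) {
        close(in_pipe[0]); close(in_pipe[1]);
        close(out_pipe[0]); close(out_pipe[1]);
        return -1;
    }
    if (pid == 0) {                        /* child: wire up the pipes, exec */
        dup2(in_pipe[0], STDIN_FILENO);
        dup2(out_pipe[1], STDOUT_FILENO);
        close(in_pipe[0]);  close(in_pipe[1]);
        close(out_pipe[0]); close(out_pipe[1]);
        execve(argv[0], argv, clean_env);  /* point 2: no shell in between */
        _exit(127);
    }
    close(in_pipe[0]);
    close(out_pipe[1]);

    len = strlen(secret);
    write_ok = write(in_pipe[1], secret, len) == (ssize_t)len;
    wipe_str(secret, len);                 /* point 1: shortest possible lifetime */
    close(in_pipe[1]);                     /* EOF for the child */

    while (got < outcap - 1) {
        ssize_t n = read(out_pipe[0], out + got, outcap - 1 - got);
        if (n <= 0)
            break;
        got += (size_t)n;
    }
    out[got] = '\0';
    close(out_pipe[0]);

    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || !write_ok)
        return -1;
    return WEXITSTATUS(status);
}

/* Constructed scenario: /bin/cat echoes what it is fed, standing in for a
 * privileged helper. Returns 1 when the child received the secret, the
 * parent read it back, and the parent's own copy was wiped. */
int demo_cat_roundtrip(void)
{
    char secret[] = "hunter2\n";           /* constructed test secret */
    char *const argv[] = { "/bin/cat", NULL };
    char out[64];
    size_t i;

    if (spawn_with_secret(argv, secret, out, sizeof out) != 0)
        return 0;
    if (strcmp(out, "hunter2\n") != 0)
        return 0;
    for (i = 0; i < sizeof secret; i++)    /* every byte, NUL included, is 0 */
        if (secret[i] != '\0')
            return 0;
    return 1;
}

int main(void)
{
    printf("cat round trip with wiped secret: %s\n",
           demo_cat_roundtrip() ? "ok" : "FAILED");
    return 0;
}
```

The child never sees the password anywhere but on its stdin, `ps` and `/proc/<pid>/cmdline` show only `/bin/cat`, and the parent's copy is zeroed before the function even waits for the child. For the su-only design Tito prefers, the same wipe_str discipline applies to the buffer handed to pw_encrypt(): hash it, compare, wipe.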