So, is there a way, when I sit on a computer, to know that I'm entering my password in XDM and not in some other program a malicious user ran?
GNOME 3.4 released
Posted Mar 29, 2012 15:43 UTC (Thu) by cortana (subscriber, #24596)
Posted Mar 29, 2012 15:52 UTC (Thu) by dgm (subscriber, #49227)
Well, let's go bit by bit.
1. Ctrl-Alt-Del is only relatively safe. The code that handles it is secure only because it belongs to the Windows kernel, but it resides in a file on the filesystem, and in memory addressable by code running in ring-0. So any exploit that gives you write permissions for that file, or ability to run ring-0 code (install a driver) can allow you to subvert it. Unfortunately there's a TON of such exploits, so I guess this only serves to prevent wannabe hackers and pranksters.
2. Is your login the only password you type on your computer? I bet not. What about all those? Depending on the software you use and web sites you visit it can be a considerable number of passwords entered. And probably those include the ones a malicious program would really be interested in, actually.
3. And yes, there is: configure your XDM so that it looks different from the default. Don't forget to mark the configuration files to be only readable by root.
Posted Mar 29, 2012 16:48 UTC (Thu) by abo (subscriber, #77288)
Posted Mar 29, 2012 21:46 UTC (Thu) by blujay (guest, #39961)
I hate having to press Ctrl+Alt+Del to log in. It's an awkward, two-handed chord, and Windows uses it as a crutch because of its inferior security model. Sure, if Linux had such a system from the kernel up through X, it'd be a tiny bit more secure--but with the fundamentally more secure model, and by using trusted binary repositories, I don't think it's necessary. Besides, what are you going to do, press Ctrl+Alt+Del every time you have to type your password? Ugh!
BTW, SELinux on Ubuntu works quite well with Firefox. I can't vouch for how well it stops exploits, but it's there, and is kept up-to-date by Ubuntu.
Posted Apr 7, 2012 6:09 UTC (Sat) by abo (subscriber, #77288)
Posted Mar 30, 2012 1:49 UTC (Fri) by cortana (subscriber, #24596)
Posted Mar 29, 2012 16:31 UTC (Thu) by Pawlerson (guest, #74136)
This sort of condescending attitude isn't very productive, is it? Just because Windows is less secure than Linux overall, doesn't mean we can't learn a lesson or two from it.
Posted Apr 5, 2012 12:21 UTC (Thu) by elanthis (guest, #6227)
You absolutely do not know me, in the least. You have never met me, never had a conversation with me, and couldn't guess my motivations or beliefs to save your life.
That said, there's no FUD here. Windows is more secure in that it offers user-facing security features that Linux never has. There's absolutely no argument here. Sure, maybe Windows -- offering tons of features and subsystems that the Linux desktop does not -- has more lines of code and hence more places for mistakes to be made is truth, but that's entirely different than the _design_ of Windows being one focusing on desktop security, whereas Linux focuses on ancient POSIX-compatible time-shared system security.
On the desktop, security is not "user A cannot negatively affect user B." On the desktop, security is "user A accessed something that could find a hole in random application he's using, but that still shouldn't negatively affect user A."
Linux has almost no solution here, besides adding SELinux (only even used on one major-ish distro) and some weak sand-boxing. Windows has numerous features that help to ensure that even if the sand-boxing mechanisms (which, according to more than a few places, are more complete and secure on Windows than on Linux) are broken, the conscientious user still has means to do a basic sanity test of the screen he's staring at.
Yes, the Windows mechanisms can be hacked by modifying Windows, but then the same can be said about Linux. I've seen root-kit'd Linux systems. They're a thing. Maybe you're not aware.
But hey, claim you know me, say that basic facts are "FUD," and then try to discredit me. That's the kind of response reasonable people expect out of folks who make emotional -- rather than logical -- attachments to technology, and isn't doing "your side" (which I'd say I'm on; I don't post here just to make fun of people, but rather to point out the dumb things that the Linux community could be doing better with) any favors. :(
Posted Apr 5, 2012 16:33 UTC (Thu) by khim (subscriber, #9252)
> That said, there's no FUD here.
Oh, but there is. Right here:
> Windows is more secure in that it offers user-facing security features that Linux never has.
Security can not be measured by counting features. In fact often additional features make security worse, not better. Windows ACL model is quite powerful and convenient, but I'm not sure it offers better security. Its complexity is its worst enemy. When I try to remove SYSTEM-owned file in FAR from Administrator account it explains to me that it can not be done. Unless I agree to “try harder” - then it repeats with DEBUG permissions and file is gone. That's not security, that's snake oil.
> That's entirely different than the _design_ of Windows being one focusing on desktop security.
Windows is designed for convenience, not for security. Sure, Windows NT was designed with some good security ideas in mind, but when it became obvious that they hurt performance and usability most of them were abandoned and subverted.
Only after huge outcry when totally insecure design of Windows XP (let's not even talk about Windows 9X, ok) created plethora of malware Microsoft started adding features which can provide real security on desktop. Some of them are genuinely useful, some are more of snake oil.
> Linux has almost no solution here, besides adding SELinux (only even used on one major-ish distro) and some weak sand-boxing.
Actually seccomp sandboxing can be quite robust, but hard to use. There are interesting developments in this direction under Linux which make it more useful.
> But hey, claim you know me, say that basic facts are "FUD," and then try to discredit me.
FUD education 101:
Basic fact: in Windows you can do X, Y and Z, in Linux it's impossible.
FUD: Windows is super-hyper (according to more than a few places), Linux is meh (according to more than a few places).
Where are your facts?
Here is an example of your “fact”:
> On Linux, there's basically no way to be sure that the screen you're looking at is really your desktop or admin panel or whatever and not some other malware that injected itself via a hole in the non-sandboxed Firefox processes Linux users are still primarily using as their Web browsers.
First of all it mixes the issues (Chrome uses pretty robust sandbox on Linux), then it includes true statement (yes, Windows's Ctrl-Alt-Del is pretty robust protection against some kinds of attacks) but omits an important detail (in Windows Vista and above you don't need to press Ctrl-Alt-Del before you'll be asked to enter Admin's password).
The sad truth is that Ctrl-Alt-Del was useful security feature in Windows NT 3.1, but over time Microsoft worked long and hard to make it less and less useful. Today Microsoft have trained users to enter password after screen “flash” instead of doing it after Ctrl-Alt-Del. Which turned Ctrl-Alt-Del from genuine protection to snake oil security.
This “fact” is FUD, plain and simple. Good, high-quality FUD (it includes genuinely true statements and lies mostly by omission), yes, but it does not make it less FUDish.
Posted Apr 3, 2012 7:35 UTC (Tue) by lindi (subscriber, #53135)
If you just want to log in securely then the best solution is to bind some key to just restart your display manager. My own prototype for this is
but the idea is simple: it is just a daemon that reads /dev/input/by-path/platform-i8042-serio-0-event-kbd so there is no way to inject a fake key press programmatically. I wrote this to test how to make a variant of sudo that would not expose my password to all X clients: