On 6/21/23 01:12, Jeffrey Walton wrote:
On Tue, Jun 20, 2023 at 10:17 PM <pa...@quillandmouse.com> wrote:
On Tue, 20 Jun 2023 17:03:24 -0400
Greg Wooledge <g...@wooledge.org> wrote:
[...]
In a sensible design, the GUI part would run as you, and it would send
requests to a daemon that runs as root, or simply issue shell commands
with "sudo" or something, to do the parts that need extra privs.
I infer that Synaptic, by requiring root privileges to be truly useful,
is mis-designed, since there isn't a daemon executing root level
commands in the background.
I think the design could be improved since it is not following the
Principle of Least Privilege. An out-of-process privileged component
would probably be a better design choice.

I think it could also be done with a shared object injection
[attack?]. It is a mitigation that operates a little lower in the
stack. API calls that required privileges could be intercepted, and
marshalled to a process to perform the privileged operations. It has
the benefit that it does not require modifying the application.

Microsoft does a lot of interception under the name Hotpatching.
Microsoft even provides the Detours library to let userland programs
do it themselves. Ubuntu does it under the name Livepatch. In the
Microsoft case, API entry points have a dummy jump that can be
overwritten. If a new DLL or shared object is released, then the
library is loaded into the app's address space, and the jump happens
to the new code.

And as Anssi points out, the program could be modified to use Policy
Kit or whatever the du jour is for this iteration of the distro
release.

Jeff

I'm running as root because that is the only login that works now.

Policykit, I just checked after installing around 4 gigs of stuff with
synaptic as root, under wayland, runs just fine. There are about 10
pieces of policykit stuff installed now. Where is the config stuff?

I don't like t-bird running as root any more than you do, but ATM it's
all I have. If I su gene, I can't do anything, can't open display 0:0
as me. So I'll shut down and get some zz's.
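As an added illustration (not code from anyone in this thread or from Synaptic), the "GUI runs as you, privileged daemon runs as root" split that Greg and Jeffrey describe: the unprivileged side sends a small structured request over a socket, and the privileged helper only recognises a fixed allowlist of operations with strictly validated arguments, so the GUI never hands it a command line. The helper here returns the argv it would run instead of executing it, so the example runs without root; the allowlist, the package-name pattern and the socketpair standing in for a Unix domain socket are all assumptions of this example.

```python
import json
import re
import socket
import threading

# Hypothetical allowlist of operations the privileged helper is willing to do.
# Only a verb and a validated package name cross the trust boundary.
ALLOWED_OPS = {"install", "remove", "update"}
# Debian-style package name: starts with a lowercase letter or digit,
# then lowercase letters, digits, '+', '-' or '.', at least two characters.
PKG_NAME = re.compile(r"^[a-z0-9][a-z0-9+.\-]+$")


def handle_request(raw):
    """Privileged side: validate one request and describe the action.

    Returns a dict. On any rejection 'ok' is False with a reason; on success
    'argv' is the command the helper would run (not executed here).
    """
    try:
        req = json.loads(raw)
    except (ValueError, TypeError):
        return {"ok": False, "error": "malformed request"}
    if not isinstance(req, dict):
        return {"ok": False, "error": "malformed request"}
    op = req.get("op")
    pkg = req.get("package")
    if op not in ALLOWED_OPS:
        return {"ok": False, "error": "operation not permitted"}
    if op == "update":
        return {"ok": True, "argv": ["apt-get", "update"]}
    if not isinstance(pkg, str) or not PKG_NAME.match(pkg):
        return {"ok": False, "error": "invalid package name"}
    return {"ok": True, "argv": ["apt-get", op, pkg]}


def _read_line(conn):
    """Read one newline-terminated message from a socket."""
    data = b""
    while not data.endswith(b"\n"):
        chunk = conn.recv(4096)
        if not chunk:
            break
        data += chunk
    return data.decode("utf-8", "replace").rstrip("\n")


def serve_one(conn):
    """Privileged helper: answer a single request, then return."""
    reply = handle_request(_read_line(conn))
    conn.sendall(json.dumps(reply).encode() + b"\n")


def client_request(conn, op, package=None):
    """Unprivileged GUI side: send a structured request, parse the reply."""
    conn.sendall(json.dumps({"op": op, "package": package}).encode() + b"\n")
    return json.loads(_read_line(conn))


def round_trip(op, package=None):
    """Run one request across a socketpair (stand-in for the Unix socket)."""
    gui_end, helper_end = socket.socketpair()
    helper = threading.Thread(target=serve_one, args=(helper_end,))
    helper.start()
    try:
        return client_request(gui_end, op, package)
    finally:
        helper.join()
        gui_end.close()
        helper_end.close()


if __name__ == "__main__":
    # Constructed requests: one legitimate, two that the helper must refuse.
    print(round_trip("install", "synaptic"))
    print(round_trip("install", "foo; rm -rf /"))
    print(round_trip("shell", "anything"))
```

The point of the design is that the root-privileged code surface is just `handle_request`: a small parser plus an allowlist, which is far easier to audit than an entire GUI toolkit running as root. A real helper would additionally check the caller's identity on the socket (for example via `SO_PEERCRED`) or defer the authorisation decision to Polkit, as Anssi suggested.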

