Bug#474024: gksu: locking mouse/keyboard not enough to protect against keylogging

Timo Lindfors timo.lindfors at iki.fi
Wed Apr 2 19:53:41 UTC 2008 

Package: gksu
Version: 2.0.0-1
Severity: wishlist

This is a wishlist bug: I wish 'man gksu' would be improved to warn
about the issue.

Description of the problem:

man gksu mentions that gksu can "lock" keyboard, mouse and focus
before it asks for a password. This can easily give the misconception
that other programs running with the privileges of the user could not
capture the password. For example wikipedia claims

  "If either gksudo's "lock" feature or UAC's Secure Desktop were
   compromised or disabled, malicious applications could gain
   administrator privileges by using keystroke logging to record the
   administrator's password;"

http://en.wikipedia.org/wiki/Comparison_of_privilege_authorization_features

This claim is untrue since a malicious application running with the
privileges of the user can run

strace -p `pidof gksu` -s 4096 -o strace.out

and later recover the password (here "test1234") from strace.out:

...
write(13, "test1234\0", 9)              = 9
write(13, "\n", 1)                      = 1
read(13, "\r\n", 255)                   = 2
read(13, "su: Authentication failure\r\nSorry.\r\n", 255) = 36
...


-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-5-686-bigmem
Locale: LANG=C, LC_CTYPE=fi_FI (charmap=ISO-8859-1)

Versions of packages gksu depends on:
ii  gnome-keyring          0.6.0-3           GNOME keyring services (daemon and
ii  libatk1.0-0            1.12.4-3          The ATK accessibility toolkit
ii  libc6                  2.3.6.ds1-13etch5 GNU C Library: Shared libraries
ii  libcairo2              1.2.4-4           The Cairo 2D vector graphics libra
ii  libfontconfig1         2.4.2-1.2         generic font configuration library
ii  libgconf2-4            2.16.1-1          GNOME configuration database syste
ii  libgksu2-0             2.0.3-7           library providing su and sudo func
ii  libglib2.0-0           2.12.4-2          The GLib library of C routines
ii  libgnome-keyring0      0.6.0-3           GNOME keyring services library
ii  libgtk2.0-0            2.8.20-7          The GTK+ graphical user interface 
ii  liborbit2              1:2.14.3-0.2      libraries for ORBit2 - a CORBA ORB
ii  libpango1.0-0          1.14.8-5          Layout and rendering of internatio
ii  libstartup-notificatio 0.8-2             library for program launch feedbac
ii  libx11-6               2:1.0.3-7         X11 client-side library
ii  libxcursor1            1.1.7-4           X cursor management library
ii  libxext6               1:1.0.1-2         X11 miscellaneous extension librar
ii  libxfixes3             1:4.0.1-5         X11 miscellaneous 'fixes' extensio
ii  libxi6                 1:1.0.1-4         X11 Input extension library
ii  libxinerama1           1:1.0.1-4.1       X11 Xinerama extension library
ii  libxrandr2             2:1.1.0.2-5       X11 RandR extension library
ii  libxrender1            1:0.9.1-3         X Rendering Extension client libra
ii  sudo                   1.6.8p12-4        Provide limited super user privile

gksu recommends no packages.

-- no debconf information

More information about the pkg-gnome-maintainers mailing list