Is it just me, or does Ubuntu ask for your password far too much? I have to enter it a few times every day. It is a minor inconvenience at first, but then it becomes a daily habit that you don’t even think about, which leads on to security flaws: “oh you want my password, whatever, just get doing your thing”.
When a user is accustomed to performing a task such as this over and over again, a malicious program simply has to run itself with gksudo and the user will happily enter their password and give the program root privileges, especially if you combine the gksudo with a custom message by passing --message “your message” to it, such as this:

Of course this completely bypasses the whole “how does the malicious program get onto your system in the first place” thing, but through my dealings with support requests I can say that people will find random debs/programs on the Internet and they will find ways of running them thinking that everything will be fine.
Do we really need to ask for root privileges so much, or is this simply a security education issue? Either way, I have a feeling we are sleepwalking into problems down the line.
3 responses so far ↓
ubuntucat // May 28, 2008 at 3:09 pm
Education is always a security issue. If people can be victim to social engineering, it doesn’t matter how well the system’s security is constructed.
ignorante // May 28, 2008 at 3:21 pm
If you install a malicious deb you don’t need to ask for the password. The deb itself can run whatever it wants while it is being installed. It can disable services, replace them, and also do a simple rm -Rf /.
You don’t have to install some random deb you find on the web, that is why there are repositories and digital signatures.
Dr Small // May 28, 2008 at 6:25 pm
Hey, cool screenshot!
But really, security should always be present in a user’s mind. Do not blindly install debs, compile or even run commands without verifying that what you will be doing does not cause harm.
Sudo does not bother me. It makes my life more secure, and simpler for me.