Isn't Ubuntu's system prompt for my password spoofable?

Question

Sometimes, Ubuntu shows the following window:

This window can be caused by some background processes running, such as an automatic update, or a process which reports bugs to Canonical which manifests itself this way:

Since those are background processes, the first window is not shown in response to an action I performed myself, in a situation where I was expecting the system to ask me for the password. This means that:

• From the perspective of the user, there is no guarantee that the prompt comes from the operating system; it could be any malicious program which had only a limited permission to show a window, and which, by prompting for my password, will gain unlimited access to the entire machine.

• By prompting the user for a password regularly, the system teaches the user that giving his system password whenever some application asks for it is a perfectly natural thing to do.

My questions are:

• Is there any safety mechanism in Linux in general or Ubuntu specifically that prevents any application from displaying a dialog which looks identical to the system one, asking me for my password?

• How should such windows be designed to increase the safety of the user? Why not implement a system similar to Windows' Ctrl+Alt+Del on logon?

Answer 1

Your points are all good, and you are correct, but before we get outraged about it we need to remind ourselves how the linux security model works and what it's designed to protect.

Remember that the Linux security model is designed with a multi-user terminal-only or SSH server in mind. Windows is designed with an end-user workstation in mind (but I've heard that the recent generation of Windows is more terminal-friendly). In particular, Linux convention does a better job of sandboxing apps into users, while in Windows anything important runs as System, while the Linux GUI (X Server) sucks at security, and the Windows GUI has fancy things like UAC built-in. Basically, Linux is (and always has been) a server first and a workstation second, while Windows is the other way around.

---

Security Models

As far as "the OS" (ie the kernel) is concerned, you have 7 tty consoles and any number of SSH connections (aka "login sessions") - it just so happens that ubuntu ships with scripts to auto-start the GUI on the tty7 session, but to the kernel it's just another application.

Login sessions and user accounts are sandboxed quite nicely from each other, but Linux takes a security mindset that you don't need to protect a user from them-self. In this security model, if your account gets compromised by malware then it's a lost cause, but we still want to isolate it from other accounts to protect the system as a whole.

For example, Linux apps tend to create a low-privilege user like apache or ftp that they run as when not needing to do rooty things. If an attacker manages to take control of a running apache process, it can muck up other apache processes, but will have troubles jumping to ftp processes.

Note that Windows takes a fundamentally different approach here, largely through the convention that all important things run as System all the time. A malicious service in Linux has less scope to do bad things than a malicious process running as System, so Windows needs to go to extra efforts to protect someone with admin rights from "them-self".

GUI environments and an X Server that was not designed for security throw a wrench into this security model.

---

Gnome gksudo vs Windows UAC, and keyloggers

In Windows, when a user-process requests privilege escalation, the kernel throws up a special protected prompt whose memory and keyboard / mouse bus is isolated from the rest of the rest of the desktop environment. It can do this because the GUI is built-in to the OS. In Linux, the GUI (X server) is just another application, and therefore the password prompts belong to the process that invoked them, running as you, sharing memory permissions and an input bus with every other window and process running as you.

The root prompt can't do the fancy UAC things Iike lock the keyboard because those either need to be root already, or require totally re-designing the X server (see Wayland below). A catch-22 that in this case is a downside of separating the GUI from the kernel. But at least it's in keeping with the Linux security model.

If we were to revise the security model to clamp down on this by adding sandboxing between password prompts and other processes running as the user in the same GUI session, we could have to re-write a great many things. At the least, the kernel would need to become GUI aware such that it is capable of creating prompts (not true today). The other go-to example is that all processes in a GUI session share a keyboard bus.

Watch me write a keylogger and then press some keys in a different window:

➜  ~ xinput list  
⎡ Virtual core pointer                      id=2    [master pointer (3)]
⎜   ↳ Virtual core XTEST pointer            id=4    [slave  pointer  (2)]
⎜   ↳ Logitech K400 Plus                    id=9    [slave  pointer  (2)]
⎜   ↳ ETPS/2 Elantech Touchpad              id=13   [slave  pointer  (2)]
➜  ~ xinput test 9
key release 36 
key press   44 
hkey release 44 
key press   40 
ekey release 40 
key press   33 
lkey release 33 
key press   33 
lkey press   39 
okey release 33 
key release 39 
key press   66 
key press   31

Any process running as you can sniff the password in another process's prompt or terminal and then call sudo on itself (this follows directly from the "no need to protect you from you" mindset), so increasing the security of the password prompts is useless unless we fundamentally change the security model and do a massive re-write of all sorts of things.

(it's worth noting that Gnome appears to at least sandbox the keyboard bus on the lock screen and new sessions through "Switch Users" as things typed there do not show up in my session's keyboard bus)

---

Wayland

Wayland is a new protocol that aims to replace X11. It locks down client applications so that they cannot steal information or affect anything outside of their window. The only way the clients can communicate with each other outside of exterior IPC is by going through the compositor which controls all of them. This doesn't fix the underlying problem however, and simply shifts the need for trust to the compositor.

---

Virtualization and Containers

If you work with cloud technologies, you're probably jumping up and down saying "Docker is the answer!!". Indeed, brownie points for you. While Docker itself is not really intended to enhance security (thanks @SvenSlootweg), it does point to using containerization and / or virtualization as a forward that's compatible with the current Linux architecture.

Two notable linux distributions that are built with inter-process isolation in mind:

Qubes OS that runs user-level apps inside multiple VMs separated into "security domains" such as work, banking, web browsing.

Android that installs and runs each app as a separate low-privilege user, thus gaining process-level isolation and file-system isolation (each app is confined to its own home directory) between apps.

---

Bottom Line: From the perspective of an end-user, it's not unreasonable to expect Linux to behave the same way as Windows, but this is one of those cases where you need to understand a bit about how the underlying system works and why it was designed that way. Simply changing the implementation of the password prompts will not accomplish anything so long as it is owned by a process owned by you. For Linux to get the same security behaviours as Windows in the context of a single-user GUI workstation would require significant re-design of the OS, so it's unlikely to happen, but things like Docker may provide a way forward in a more Linux-native way.

In this case, the important difference is that Linux is designed at the low level to be a multi-user server and they make the decision not to protect a user from them-self, while Windows is designed to be a single-user workstation, so you do need to have inter-process protections within a login session. It's also relevant that in Windows the GUI is part of the OS, while in Linux the GUI is just another user-level application.

Answer 2

Is there any safety mechanism in Linux in general or Ubuntu specifically which prevents any application from displaying a dialog which looks identical to the system's one, asking me for my password?

Quick answer: No.

From the perspective of the user, there is no guarantee that the prompt comes from the operating system; it could be any malicious program which had only a limited permission to show a window, and by prompting for my password, will gain unlimited access to the entire machine.

If a malicious program is on the computer, it doesn't even matter what program is showing the dialog.
If it is the malicious program, well, as described in the next sentence, it doesn't even need to show you a dialog. If it is a legit program, the malicious program can "watch" the window and what you're typing there, in X server environments (the terminal is better).

Solution?

If you have reason to believe some program isn't trustworthy, sandboxing (VM or lesser things).

Else, not asking for passwords. That dialog is convenience for non-technical users. If you're concerned for security, or an organizations admin or similar, there's absoluetly no need to ever display a GUI password query. Configure the permissions of non-root user accounts properly (yes or no, but not asking), and do not use a desktop as root (because of that, and because it is an temptation to use root more often than necessary).

By prompting the user for password regularly, the system teaches the user that giving his system password whenever some application asks for it is a perfectly natural thing to do.

As described, just don't ask them. As admin, "your" users are supposed to have clearly defined permissions.

And, about auto updates as organization admin: Are you insane :) Seriously, don't let many Ubuntu clients update randon things at random times. How about central images that are maintained and tested by you and then rolled out; or in the other direction things like Ansible?
Completely independent of security, updates may break things. That's why.

Answer 3

Yes. This is insecure!

I personally always Cancel that dialog. Not because it could be fake, but because it could be real.

I am supposed to give escalated privileges to "an application" just because it asks? No, I don't think so.

System updates are fine, I do those manually, but it annoys me that the error reporting system requires this. Bad design.

Answer 4

Contrary to what you feel, the (modern) Windows and Ubuntu ways of handling privilege levels and privilege elevation are fairly similar. The reason is surely that the operating systems are both multi-user systems with similar use cases which face similar problems.

Both operating systems restrict what an ordinary user can do (by running programs, of course). A user can destroy their own data but ideally not other people's (unless they shared it), and ideally cannot compromise or damage the system. In order to read and write system data a program needs administrator (root) privileges on both operating systems, which ordinarily only programs started by the admin/root have.

In order to make that simple, both operating systems provide the default user with the ability to run single programs with "elevated privileges" through sudo respectively UAC. Both operating system GUIs fire up a dialog in order to give the user a chance to prevent programs from running as administrator/root. Both systems also have the notion of users who are not allowed to run privileged programs at all.

The Ubuntu dialog asks for a password; the Windows UAC dialog doesn't. (You seem to think that a program needs special permissions to show that dialog; that is not the case. The program is asking for them with the dialog. If someone fakes the dialog they get your (user) password which is no gain for a program running already as that user.)

The bottom line of all this is that a malicious program can pretend that it needs elevated privileges for something useful and fire up the dialog, but once it has obtained them, format the hard drive.¹ That is true for both operating systems. Because under Windows typically more third party software gets installed the chance to hit such a program is probably higher than for Ubuntu.

You mention that in Windows the UAC dialog usually is the result of a user action, for example installing a program, while Ubuntu fires the dialog up without apparent reason. One reason I can think of is that Windows software updates are initiated by the OS so that they have elevated privileges already. Maybe Ubuntu asks before installing.

It would indeed be nice to have more information than just "I need you passport, your boots and your jacket." I have no Ubuntu system at hand here, but I see a "Details" caption on the left side of the dialog. Did you look what is says? (Of course a malicious program could fake any text there, but you may be able to check whether the alleged program is indeed running.)

---

¹Which would not be that terrible, compared to actually overwriting data.

Answer 5

The most secure way to make sure your password isn't been snooped is to use the SAK sequence: alt-sysrq-k. This will kill all programs on the current VT (including X11) and init will give you a fresh login prompt. The only attacks I'm aware of involve either changing the kernel keymap or compromising init itself, both of which require root-or-better access already.

There are various slightly-less-complete ways (XTerm has way to access X11's "exclusive input" option), depending on how much of your system you trust, but ... why shouldn't you be able to trust your system?

The major difference between the Linux and Windows security models is that under Linux, you don't just download random executables from the Internet and run them. (There are some efforts to package untrusted Linux applications in an Android-like package sandbox, but nobody uses them.)

Answer 6

Horrible, horrible lack of security. When I saw the design of graphical sudo I bit the bullet and did sudo passwd root followed by apt-get remove sudo, then I really annoyed the ubuntu IRC folks by advocating uninstalling sudo.

Yet still the understand, this is utterly insecure. It was kinda ok on the terminal (more so when shells were weaker it was relatively unknown and attacks against it hadn't really developed) but is a glaring weakpoint now.

I will rather start a second X instance as root now for the less than once a year I have to give a graphical program root. (I do this by starting X :1 directly not by running startx so nothing but the target application is running in root's X instance). If you need root more often I advise apt-get install ssh and ssh -X root@localhost.