Re: Admin programs and password
- Subject: Re: Admin programs and password
- From: Brian Hill <email@hidden>
- Date: Tue, 7 Aug 2001 10:21:05 -0500
On Tuesday, August 7, 2001, at 09:38 AM, Andre John Mas wrote:
> I have noticed that a number of admin applications ask for an
> admin user/password before doing any work. Is the dialogue
> shown provided by the system or by the application, in other
> words does the application ask for the password, or does it
> delegate this task to the system who then provides a session
> authorization key?
>
> I ask this because I am worrying about potential security issues
> if it is indeed the application that handles the user/password.

If the application is using the standard Security framework, it
delegates the task to the OS and gets an authorization key. However,
this wouldn't prevent someone from making a 'fake' dialog that looks
just like the system's authorization panel (i.e., the classic definition
of a Trojan Horse). Even if a program uses the system's authorization
panel, a malicious program could still use the access it acquires to
install a rootkit.

Any application that needs a user/password should be investigated fully
before you enter your password into it. There are many valid reasons why
admin access may be needed (and in fact, several of my own programs need
it), but you should think before you enter your password into anything
other than the OS login window. This is a standard rule of thumb on any
Unix-like multi-user system.

Brian
email@hidden
http://personalpages.tds.net/~brian_hill
___________________________________________________________
"Why? I came into this game for adventure - go anywhere, travel
light, get in, get out, wherever there's trouble, a man alone.
Now they've got the whole country sectioned off and you can't
move without a form. I'm the last of a breed."
-- Archibald "Harry" Tuttle, Rogue HVAC Repairman
___________________________________________________________