On Tue, Jun 20, 2023 at 10:17 PM <pa...@quillandmouse.com> wrote:
>
> On Tue, 20 Jun 2023 17:03:24 -0400
> Greg Wooledge <g...@wooledge.org> wrote:
> [...]
> > In a sensible design, the GUI part would run as you, and it would send
> > requests to a daemon that runs as root, or simply issue shell commands
> > with "sudo" or something, to do the parts that need extra privs.
>
> I infer that Synaptic, by requiring root privileges to be truly useful,
> is mis-designed, since there isn't a daemon executing root level
> commands in the background.

I think the design could be improved since it is not following the
Principle of Least Privilege. An out-of-process privileged component
would probably be a better design choice.

I think it could also be done with a shared object injection
[attack?]. It is a mitigation that operates a little lower in the
stack. API calls that required privileges could be intercepted, and
marshalled to a process to perform the privileged operations. It has
the benefit that it does not require modifying the application.

Microsoft does a lot of interception under the name Hotpatching.
Microsoft even provides the Detours library to let userland programs
do it themselves. Ubuntu does it under the name Livepatch. In the
Microsoft case, API entry points have a dummy jump that can be
overwritten. If a new DLL or shared object is released, then the
library is loaded into the app's address space, and the jump happens
to the new code.

And as Anssi points out, the program could be modified to use Policy
Kit or whatever the du jour is for this iteration of the distro
release.

Jeff
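As an added sketch of the split design discussed above (not code from Synaptic or from anyone in this thread): the GUI runs unprivileged and only sends a short JSON request naming an operation and package names; a privileged helper validates it against a fixed vocabulary before doing anything. The operation names, the package-name regex and the socketpair transport are assumptions made for this example.

```python
import json
import re
import socket
import threading
from typing import List, Optional

# Debian package-name syntax, approximated (assumption for this example).
PKG_RE = re.compile(r"^[a-z0-9][a-z0-9+.-]{0,99}$")

# The helper knows a fixed vocabulary of operations; the client never
# supplies argv, only an operation name and package names.
ALLOWED_OPS = {"install": ["apt-get", "install", "-y"],
               "remove": ["apt-get", "remove", "-y"]}


def validate(request: dict) -> Optional[List[str]]:
    """Return the argv the privileged helper would run, or None to refuse."""
    op = request.get("op")
    pkgs = request.get("packages")
    if op not in ALLOWED_OPS or not isinstance(pkgs, list) or not pkgs:
        return None
    # Option-looking or path-looking strings ("-o", "../x") fail the regex.
    if not all(isinstance(p, str) and PKG_RE.match(p) for p in pkgs):
        return None
    return ALLOWED_OPS[op] + pkgs


def serve_one(conn: socket.socket, runner) -> None:
    """Privileged side: read one newline-terminated JSON request, validate,
    then hand the argv to `runner` (subprocess.run in a real helper)."""
    with conn:
        req = json.loads(conn.makefile("rb").readline())
        argv = validate(req)
        reply = ({"ok": False, "error": "refused"} if argv is None
                 else {"ok": True, "ran": runner(argv)})
        conn.sendall(json.dumps(reply).encode() + b"\n")


def roundtrip(req: dict, runner=lambda argv: argv) -> dict:
    """Unprivileged side: send a request and return the reply. A socketpair
    stands in for the Unix-domain socket between GUI and root helper; the
    default runner only echoes argv instead of executing it."""
    gui_side, helper_side = socket.socketpair()
    worker = threading.Thread(target=serve_one, args=(helper_side, runner))
    worker.start()
    with gui_side:
        gui_side.sendall(json.dumps(req).encode() + b"\n")
        reply = json.loads(gui_side.makefile("rb").readline())
    worker.join()
    return reply
```

Because the helper builds argv itself from an allow-list, a compromised GUI can at most ask for a package install or removal, which is the least-privilege boundary the thread is after.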
