06-03-09, 06:59 AM   #1
Bomyne
A Flamescale Wyrmkin
AddOn Author - Click to view addons
Join Date: Oct 2007
Posts: 123
Security manager bug (?)

Really hope this is a bug and not by design.

I just updated the WoWI module and as far as I know, the security manager should have reappeared to let me know it had changed and to regrant permissions. It didn't.
06-03-09, 07:35 AM   #2
Tristanian
Andúril
Premium Member
AddOn Author - Click to view addons
Join Date: Nov 2007
Posts: 279
I think it only fires when you install (not update) a module for the first time, but I could be wrong. Shirik can clarify once he is available.
06-03-09, 08:36 AM   #3
Shirik
Blasphemer!
Premium Member
WoWInterface Super Mod
AddOn Author - Click to view addons
Join Date: Mar 2007
Posts: 818
This is by design.

For unsigned modules, the only real way to compare them is by name -- if it were replaced by something else, I wouldn't have a good way of knowing. Furthermore, I don't want to annoy the user every time the file has legitimately changed.

So, for unsigned modules, security permissions are granted to a bundle name. Signed modules (while as of yet unimplemented) will be granted to their name and it will be enforced that they are signed by the same certificate.

If anyone feels this isn't a valid approach, feel free to offer suggestions. Keep in mind usability is important.
__________________
たしかにひとつのじだいがおわるのお
ぼくはこのめでみたよ
だけどつぎがじぶんおばんだってことわ
しりたくなかったんだ
It's my turn next.

Shakespeare liked regexes too!
/(bb|[^b]{2})/
06-03-09, 10:05 AM   #4
septor
A Flamescale Wyrmkin
Join Date: Jan 2007
Posts: 130
Is there anything in place to stop a module from playing nice at first to get permission and then change during an update to cause havoc?
06-03-09, 06:42 PM   #5
Shirik
Blasphemer!
Premium Member
WoWInterface Super Mod
AddOn Author - Click to view addons
Join Date: Mar 2007
Posts: 818
At any time, during an update or otherwise, if a module's permission requests change, the user will be notified and approval will be requested again.

I encourage anyone with sufficient experience to try to break through the security manager through whatever exploit vector you can find. If any issues are found, please report them so they can be sealed.
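A minimal model of the re-approval rule described in posts #3 and #5, added here as an illustration; it is not Minion's code, and `Manifest`, `GrantStore`, the permission strings and the certificate labels are all constructed. Signed modules were unimplemented at the time of the thread, so the signer check follows the stated intent only.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Manifest:
    """What a module presents at install or update time (constructed model)."""
    name: str                      # bundle name: the only identity an unsigned module has
    permissions: frozenset         # requested folders and sites
    content_hash: str              # differs on every update; deliberately not compared
    signer: Optional[str] = None   # certificate fingerprint, None when unsigned


class GrantStore:
    def __init__(self):
        self._grants = {}          # bundle name -> (approved permissions, pinned signer)

    def needs_prompt(self, m):
        """Return why the user must be asked again, or None if the grant stands."""
        prior = self._grants.get(m.name)
        if prior is None:
            return "first install"
        approved, signer = prior
        if m.permissions != approved:
            return "permission requests changed"
        if signer is not None and m.signer != signer:
            return "signer changed"
        return None

    def approve(self, m):
        self._grants[m.name] = (m.permissions, m.signer)


def scenario():
    perms = frozenset({"dir:Interface", "site:updates.example.invalid"})
    store, seen = GrantStore(), []
    v1 = Manifest("ExampleModule", perms, "hash-v1")
    seen.append(store.needs_prompt(v1))            # first install
    store.approve(v1)
    # Same name, same requests, different code: indistinguishable from an update.
    seen.append(store.needs_prompt(Manifest("ExampleModule", perms, "hash-v2")))
    wider = Manifest("ExampleModule", perms | {"dir:WTF"}, "hash-v3")
    seen.append(store.needs_prompt(wider))         # asks for more than was approved
    s1 = Manifest("SignedModule", perms, "hash-s1", signer="cert-A")
    store.approve(s1)
    s2 = Manifest("SignedModule", perms, "hash-s2", signer="cert-B")
    seen.append(store.needs_prompt(s2))            # pinned certificate differs
    return seen
```

The second result is the case raised in post #4: changed code that stays within the approved folders and sites does not trigger a prompt.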
06-04-09, 02:49 PM   #6
Bomyne
A Flamescale Wyrmkin
AddOn Author - Click to view addons
Join Date: Oct 2007
Posts: 123
Personally, I believe that every time a minion mod changes, it should revoke all security permissions and allow the user to regrant it.

Just an opinion though
06-04-09, 07:14 PM   #7
Shirik
Blasphemer!
Premium Member
WoWInterface Super Mod
AddOn Author - Click to view addons
Join Date: Mar 2007
Posts: 818
I'm not sure I agree.

It's not like you're granting a significant amount of permissions. You're saying specifically what folders and sites you trust. I don't see any good reason for someone who would have trusted a module before to no longer trust it if the folders and sites it will be accessing haven't changed at all.

If we were talking about a native code permission here, it would be a different story, but I don't see any reason to trust access to a specific folder and then later go back on that trust.
06-05-09, 09:45 AM   #8
Elhana
A Wyrmkin Dreamwalker
AddOn Author - Click to view addons
Join Date: Jul 2007
Posts: 51
Technically having access to whole WoW folder would let addon read config.wtf file and send your wow login to its author. It's not really an issue at all for me, but in WOWIvsWM thread there was a huge QQ about how reading that file would ruin people's privacy.
I'll stick with oldschool opensource updater.
Enjoy.

Last edited by Elhana : 06-05-09 at 09:50 AM.
06-05-09, 03:21 PM   #9
septor
A Flamescale Wyrmkin
Join Date: Jan 2007
Posts: 130
Originally Posted by Elhana View Post
Technically having access to whole WoW folder would let addon read config.wtf file and send your wow login to its author. It's not really an issue at all for me, but in WOWIvsWM thread there was a huge QQ about how reading that file would ruin people's privacy.
I'll stick with oldschool opensource updater.
Enjoy.
Technically it won't have access to your whole WoW folder unless you let it. The only place any type of addon updater needs access to is the Interface folder.

If a module is requesting access to the root WoW folder, deny it. I really believe this security manager was put in place for cases just like you described. If you (not you personally) are foolish enough to grant permission to your crucial data, it's your own fault if that information gets sent back home.
06-05-09, 03:54 PM   #10
Elhana
A Wyrmkin Dreamwalker
AddOn Author - Click to view addons
Join Date: Jul 2007
Posts: 51
Originally Posted by septor View Post
If a module is requesting access to the root WoW folder, deny it.
WoWI minion module asks for WoW root permission
Attached thumbnail: wowroot.JPG

Last edited by Elhana : 06-05-09 at 03:59 PM.
06-05-09, 09:25 PM   #11
septor
A Flamescale Wyrmkin
Join Date: Jan 2007
Posts: 130
Originally Posted by Elhana View Post
WoWI minion module asks for WoW root permission
Which counters my point exactly how?
06-05-09, 09:38 PM   #12
Zaydok
An Aku'mai Servant
Join Date: May 2009
Posts: 36
I just wanted to chime in and say that I think the way it is set up now is fine. I think that so long as it asks for permission if and when new access is needed, that this is enough for me.
06-05-09, 11:43 PM   #13
Shirik
Blasphemer!
Premium Member
WoWInterface Super Mod
AddOn Author - Click to view addons
Join Date: Mar 2007
Posts: 818
Originally Posted by Elhana View Post
Technically having access to whole WoW folder would let addon read config.wtf file and send your wow login to its author. It's not really an issue at all for me, but in WOWIvsWM thread there was a huge QQ about how reading that file would ruin people's privacy.
I'll stick with oldschool opensource updater.
Enjoy.
Get your facts straight before you go crazy.

Your login information is not stored in your config.wtf folder. At the very most, it only stores your account name.

I must have access to the WTF folder, period. There are certain addons that install files there, and not having access there would not let such addons be installed. If you would like to propose a secure solution that would not impact these addons, I am all ears.
06-06-09, 03:18 AM   #14
Elhana
A Wyrmkin Dreamwalker
AddOn Author - Click to view addons
Join Date: Jul 2007
Posts: 51
Originally Posted by Shirik View Post
I must have access to the WTF folder, period. There are certain addons that install files there, and not having access there would not let such addons be installed. If you would like to propose a secure solution that would not impact these addons, I am all ears.
Request Interface/ and WTF/Account/ access?
06-06-09, 09:16 AM   #15
Vyper
A Rage Talon Dragon Guard
 
AddOn Author - Click to view addons
Join Date: Jul 2008
Posts: 317
Originally Posted by Shirik View Post
Get your facts straight before you go crazy.

Your login information is not stored in your config.wtf folder. At the very most, it only stores your account name.

I must have access to the WTF folder, period. There are certain addons that install files there, and not having access there would not let such addons be installed. If you would like to propose a secure solution that would not impact these addons, I am all ears.
First off, let's be clear, I'm not accusing anyone of anything, just observing.

The concern about access to the config.wtf file is valid. If the username is stored in that file you could easily collect usernames *again not saying you are*. One of the basic practices of maintaining a secure system is to never give that kind of information away, even when the user has provided a correct username and a bad password, you never tell them the password was bad. You just say invalid username/password combination.

Why? Because with a list of valid accounts it is much, much easier to crack a system.

Consider: to perform a normal brute force attack on a system, I must guess a username, then guess a password. Usernames are almost as tough to guess as passwords (in fact many have more secure usernames than their passwords).

If on the other hand, I am first able to generate a list of valid users, I can just start going through the dictionary, trying each word against each of these valid accounts. I'm sure to find a lot of people with insecure passwords, and I can do it much faster than trying to guess valid usernames alongside.

My immediate suggestion (if possible with the security manager you are using) would be to grant access to the folder, but NOT the file.

Originally Posted by Elhana View Post
Request Interface/ and WTF/Account/ access?
This would also probably work, but would be tougher as some have multiple accounts.
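The two narrowing ideas from posts #14 and #15 (grant `Interface/` and `WTF/Account/` instead of the root, or grant the folder but exclude one file), modelled as an added example; this is not Minion's security manager, and the function names, the `WTF/config.wtf` location and the sample paths are assumptions. Paths are relative to the game root, and the check is lexical only, so it does not resolve symlinks.

```python
import posixpath


def _parts(path):
    """Normalise a root-relative path into comparable components."""
    p = posixpath.normpath(path.replace("\\", "/")).casefold()
    if posixpath.isabs(p) or p == ".." or p.startswith("../"):
        return None                      # escapes the game root: never allowed
    return () if p == "." else tuple(p.split("/"))


def is_allowed(requested, granted_dirs, denied_files=()):
    """True if `requested` lies under a granted directory and is not denied."""
    req = _parts(requested)
    if req is None:
        return False
    if any(req == _parts(d) for d in denied_files):
        return False                     # explicit deny wins over any grant
    for g in granted_dirs:
        gp = _parts(g)
        if gp is not None and req[:len(gp)] == gp:
            return True
    return False


ROOT = ["."]                             # what the module in the thread requests
NARROW = ["Interface", "WTF/Account"]    # the narrower pair proposed in post #14


def demo():
    cfg = "WTF/config.wtf"               # assumed location of the file under discussion
    return {
        "root grant reads config": is_allowed(cfg, ROOT),
        "narrow grant reads config": is_allowed(cfg, NARROW),
        "narrow grant reads saved vars":
            is_allowed("WTF/Account/ACCT1/SavedVariables/Foo.lua", NARROW),
        "dot-dot back to config": is_allowed("WTF/Account/../config.wtf", NARROW),
        "deny list, other casing":
            is_allowed("wtf\\CONFIG.WTF", ["WTF"], denied_files=[cfg]),
        "deny list, sibling file":
            is_allowed("WTF/Account/ACCT1/x.lua", ["WTF"], denied_files=[cfg]),
        "escape above root": is_allowed("../outside.txt", ROOT),
    }
```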
06-06-09, 10:06 AM   #16
Shirik
Blasphemer!
Premium Member
WoWInterface Super Mod
AddOn Author - Click to view addons
Join Date: Mar 2007
Posts: 818
Originally Posted by Vyper View Post
My immediate suggestion (if possible with the security manager you are using) would be to grant access to the folder, but NOT the file.
That would require a significant design change to the security manager, and would also result in a (probably significant) performance degradation as well.

I'll keep thinking about a way to change the permissions set, but I have to admit, it probably won't change. It's impossible for me to traverse the directory without permission, and I really don't like making assumptions about directory structures, even one that is well-known.

Despite this fact, it's going to boil down to what you approve. If you really don't trust a module, then why are you installing it in the first place? The security manager is meant as a final layer of protection, not a first line of defense. Fact of the matter is that even the most insecure modules will have to request permissions -- that's the idea behind it -- but if you give it access to C:\Windows then it's going to be able to wreak havoc (in reality this isn't true on many systems, but the idea is there). So if it's asking for something you don't trust, don't let it in (and tell the author of the module to fix permissions).

Based on the way this module is designed, I don't intend to change the permissions right now. Of course, I should hope that this module is a bit more trustworthy, considering you don't even know if I have some kind of backdoor floating around, or that the Minion core itself is watching your every move
06-06-09, 05:05 PM   #17
Vyper
A Rage Talon Dragon Guard
 
AddOn Author - Click to view addons
Join Date: Jul 2008
Posts: 317
Originally Posted by Shirik View Post
That would require a significant design change to the security manager, and would also result in a (probably significant) performance degradation as well.
I thought it might, but it all depends on what you're using ;-)

Originally Posted by Shirik View Post
I'll keep thinking about a way to change the permissions set, but I have to admit, it probably won't change. It's impossible for me to traverse the directory without permission, and I really don't like making assumptions about directory structures, even one that is well-known.
It's probably really not worth the effort. Really I was just responding to your earlier comment, which, at least to me, felt like you were saying "eh, that file doesn't contain passwords, so it doesn't matter who reads it". If I misinterpreted I apologize.

Originally Posted by Shirik View Post
Based on the way this module is designed, I don't intend to change the permissions right now. Of course, I should hope that this module is a bit more trustworthy, considering you don't even know if I have some kind of backdoor floating around, or that the Minion core itself is watching your every move
Well, maybe I do know. Remember, Java byte-code is a lot more reversible than some other choices ;-)
06-06-09, 05:13 PM   #18
septor
A Flamescale Wyrmkin
Join Date: Jan 2007
Posts: 130
I can't help but wonder how many people used updaters before this and didn't voice the concerns they are voicing now. Do you really think that just because an updater only asked for your AddOns directory it wasn't fishing into the WTF folder?

At least this way you _KNOW_ what you're allowing to happen. I am not saying I totally agree with the access a module may require, but that's why I have the ability to not allow it access.
06-06-09, 07:22 PM   #19
Shirik
Blasphemer!
Premium Member
WoWInterface Super Mod
AddOn Author - Click to view addons
Join Date: Mar 2007
Posts: 818
Originally Posted by Vyper View Post
Well, maybe I do know. Remember, Java byte-code is a lot more reversible than some other choices ;-)
You do realize you're talking to one of the two people that monitors incoming executable files at WoWInterface, right? I'm the one that disassembles them and determines their safety (and yes, I have found things others have missed, for example that one famous executable that waited 30 minutes before sending information off, avoiding detection by others -- I was the one that said "It may look safe, but something doesn't seem right about this code" ... and sure enough I was right)

In any case, while I might agree Java is fairly trivial to disassemble, I'm one that argues so is any other language. Do you really think you'll take the time and effort to go look into a module before installing it?
06-06-09, 07:33 PM   #20
Cairenn
Credendo Vides
 
Premium Member
WoWInterface Admin
Join Date: Mar 2004
Posts: 7,134
My view on it is pretty easy - Do you trust the site that you are getting the module for? Are you getting it from a reputable site (either their own site or here)? If the answer to both of those is "yes", then what's the problem? If the answer to either of them is "no", then why the hell are you downloading and installing it in the first place?

If you do a search for a module and see "WoWInterface Minion Module" on ihaxoru.com, it might not be the best place to get it from.

Only use modules from sites you trust. Only get modules from official sites. In three simple words: "Don't be dumb."

Last edited by Cairenn : 06-06-09 at 07:56 PM.