Closed (GoogleCodeExporter closed this issue 8 years ago)
Now that I look, ALL of the data used for verification is located in the user's
home folder, thus allowing the sensitivity, faces, and models to be operated on
at will by the user without needing root privileges, and thus allowing anyone who
sits at the logged-on user to gain root access through manipulation of these
files.
Original comment by nolansyk...@gmail.com
on 8 Dec 2010 at 10:57
Ah yes. One solution could be to add pam_face_authentication to run when
qt-facetrainer starts, even though you are already logged in as that user. You
can do that by adding a configuration file: /etc/pam.d/qt-facetrainer
Original comment by rohan.a...@gmail.com
on 8 Dec 2010 at 11:53
I had root take ownership of ~/.pam-faceauthorization and
/usr/bin/qt-facetrainer without others being able to execute, so I have to be
root to execute it, and it launches pam-faceauthorization, so I am going to see how
well that works.
Original comment by nolansyk...@gmail.com
on 8 Dec 2010 at 11:57
Meh... it works in a way. When I run it as root it saves the config files in
root's home folder, so I just had to copy those into my home folder to get the
updated ones, and now everything is locked down nicely.
Original comment by nolansyk...@gmail.com
on 9 Dec 2010 at 12:09
Well, I don't think you understand how pfa works.
qt-facetrainer trains the model for the user who launched it.
And getting access to a user account (leaving it unlocked) doesn't mean access to
the root account.
Original comment by rohan.a...@gmail.com
on 9 Dec 2010 at 12:11
If I have access to someone's account that is logged on and has this program
installed, I can run sudo anything by either modifying the files in their home
folder or simply running the training program to train in my face.
I did this on my brother's computer: I locked him out entirely and changed all of
his passwords, simply because I was able to run the face trainer, put my face
in, and gain sudo privileges without ever being authorized.
Original comment by nolansyk...@gmail.com
on 9 Dec 2010 at 12:21
When I type in sudo *anything* with this installed, it uses
pam-faceverification to see if I am authorized.
If I can, as a regular user, change what pam-faceverification uses to verify I
am root, then anyone can sit at that regular user, put in their face, and be
verified as root and do anything they want.
If I did not lock it down, anyone on my user could run qt-facetrainer, put their
face in, then type sudo passwd root, put in whatever password they want, and have
complete access to root.
Original comment by nolansyk...@gmail.com
on 9 Dec 2010 at 12:37
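The core of the report above is that a privileged check (sudo's face verification) trusts a model the unprivileged user can rewrite or retrain. The following is an added example, not code from this thread or from pam-face-authentication: a StrictModes-style walk, of the kind a PAM module could run before loading any face model, that refuses data unless the file and every directory between it and a trusted root are owned by the expected uid, are not group- or world-writable, and are not symlinks. It goes slightly beyond the thread by checking parent directories as well as the file itself. The function names, the constructed sample layout, and the use of the current uid in place of root (so it runs unprivileged) are assumptions.

```python
"""Strict-modes style integrity check for data a PAM module trusts.

Added example (not code from pam-face-authentication). Function names and the
sample directory layout are assumptions; a real deployment would call
check_trusted_path(model, trusted_uid=0, stop_at="/").
"""
import os
import stat
import tempfile
from typing import Dict, List


def check_trusted_path(path: str, trusted_uid: int, stop_at: str) -> List[str]:
    """Walk from `path` up to `stop_at` (inclusive) and collect reasons the
    data must not be trusted. An empty list means it is safe to load.

    Parent directories are checked too: a 0644 model inside a directory the
    user can write to is no better than a writable model, since the user can
    rename it away and drop in one trained on their own face.
    """
    problems: List[str] = []
    cur = os.path.abspath(path)
    stop = os.path.abspath(stop_at)
    while True:
        try:
            st = os.lstat(cur)  # lstat: do not follow symlinks
        except FileNotFoundError:
            problems.append(f"{cur}: does not exist")
            break
        if stat.S_ISLNK(st.st_mode):
            # A link lets the user point the module at a model they control.
            problems.append(f"{cur}: is a symlink")
        if st.st_uid != trusted_uid:
            problems.append(f"{cur}: owned by uid {st.st_uid}, expected {trusted_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(
                f"{cur}: group- or world-writable (mode {stat.S_IMODE(st.st_mode):04o})"
            )
        if cur == stop or os.path.dirname(cur) == cur:
            break
        cur = os.path.dirname(cur)
    return problems


def demo() -> Dict[str, List[str]]:
    """Build a constructed sample layout under a temp dir and check four cases.

    The current uid stands in for root so the demo runs unprivileged.
    """
    me = os.getuid()
    base = tempfile.mkdtemp(prefix="faceauth-demo-")  # created mode 0700

    # Case 1: model under a root-style system directory, nothing writable by others.
    system_dir = os.path.join(base, "etc", "faceauth")
    os.makedirs(system_dir)
    system_model = os.path.join(system_dir, "alice.model")
    with open(system_model, "w") as fh:
        fh.write("constructed model data\n")
    for p in (os.path.join(base, "etc"), system_dir):
        os.chmod(p, 0o755)
    os.chmod(system_model, 0o644)

    # Case 2: same 0644 file, but inside the user's own writable home tree,
    # which is the layout the bug report describes.
    home_dir = os.path.join(base, "home", "alice", ".faceauth")
    os.makedirs(home_dir)
    home_model = os.path.join(home_dir, "alice.model")
    with open(home_model, "w") as fh:
        fh.write("constructed model data\n")
    os.chmod(os.path.join(base, "home"), 0o755)
    os.chmod(os.path.join(base, "home", "alice"), 0o777)  # user-writable
    os.chmod(home_dir, 0o777)
    os.chmod(home_model, 0o644)

    # Case 3: a symlink in the system dir that was redirected at the user's copy.
    link = os.path.join(system_dir, "bob.model")
    os.symlink(home_model, link)

    return {
        "system_model": check_trusted_path(system_model, me, base),
        "home_model": check_trusted_path(home_model, me, base),
        "symlink": check_trusted_path(link, me, base),
        # Case 4: owner mismatch, e.g. root expected but the user owns the file.
        "wrong_owner": check_trusted_path(system_model, me + 1, base),
    }


if __name__ == "__main__":
    for case, problems in demo().items():
        print(case, "OK" if not problems else problems)
```

Only the system-directory case comes back clean; the home-directory copy is rejected because of its writable parents even though the file mode itself looks fine, which is exactly why a trainer that writes into the user's home cannot be the source of truth for a root-level check.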
First, your brother's account is a root account; that's why you got sudo access.
Secondly, if you want, you can add face authentication to qt-facetrainer by
adding a config file for it at /etc/pam.d, thereby rejecting imposters.
Original comment by rohan.a...@gmail.com
on 9 Dec 2010 at 1:47
Original issue reported on code.google.com by
nolansyk...@gmail.com
on 8 Dec 2010 at 10:31