agozie / android-casual

Automatically exported from code.google.com/p/android-casual

Root/admin escalation #14

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
This product grooms users to be comfortable giving webapps root/admin
privileges. With the history of social engineering and exploitation through
web apps, this is irresponsible.

It also exposes users to potential compromise by third parties. If you cannot
accomplish the use of heimdall without root, then you should not be doing this
through a web app.

Original issue reported on code.google.com by jc...@cunninglogic.com on 17 Jan 2014 at 6:26

GoogleCodeExporter commented 9 years ago
In an age where the same code runs on desktop, mobile, vm, and browser, whilst
obtaining data inputs and application modules/updates from the Internet, your
actual issue appears to be with utilization of root. The application
distribution mechanism is irrelevant. The only difference between
desktop/mobile and web browser is the number of hoops we, as developers, have
to jump through.

However, root is not required by the application if UDev rules are set up. This 
is a desktop configuration issue stemming from lack of UDev rules.  We obtain 
root access on Linux via "gksu" or "Policy Kit" for the purpose of working 
around the issues in the platform Heimdall Installer.  

The same issue affects ADB usage on Linux as well and we will not fix it.
Under several circumstances, ADB's server must be elevated in order to access
the Linux device associated with the USB device connected. This stems from a
lack of a manufacturer-provided installer for Linux. Having spoken to several
manufacturers about the issue, CASUAL already uses the manufacturer-provided
methods.

To address the issue, we should be practicing "Lowest Privileges" in order to
allow the user to feel more secure.

Benjamin, this Issue14 could be mostly resolved by modifications to UDev
https://github.com/Benjamin-Dobell/Heimdall/blob/master/heimdall/60-heimdall.rules ,
once a device has been identified as requiring a UDev update, patched into
60-heimdall.rules, and committed, what is the ETA to repacking all of Linux
https://bitbucket.org/benjamin_dobell/heimdall/downloads ?

Original comment by adamoutler@gmail.com on 17 Jan 2014 at 2:20

GoogleCodeExporter commented 9 years ago
As has been outlined, the Heimdall project does already include udev rules for 
precisely this reason. Obviously if devices are missing, then they need to be 
added.

Heimdall is an open-source project that has no commercial funding, as such I 
only have access to an extremely limited number of devices, the product IDs of 
which have been included. If there are IDs missing then someone will need to 
provide them to me; preferably by means of a Github issue (and/or pull request) 
on the Heimdall Github project.

Original comment by benjamin...@glassechidna.com.au on 17 Jan 2014 at 2:45
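The udev approach that the two comments above point to (Adam's note that root is not needed once udev rules are set up, and Ben's that missing product IDs only need adding to 60-heimdall.rules) is shown here as an added shell example; it is not code from the CASUAL, JOdin3 or Heimdall projects. The vendor and product IDs are constructed placeholders, the group name `plugdev` is an assumption, and the rule file is a temporary file rather than the real `/etc/udev/rules.d/60-heimdall.rules`, so the script can be run without touching the system.

```shell
#!/bin/sh
# Added example, not part of CASUAL/JOdin3 or Heimdall: grant one USB device
# to a non-root group through a udev rule, so the flashing tool can open the
# device node without gksu/PolicyKit elevation (least privilege).
# The idVendor/idProduct values used below are constructed placeholders.

# Emit one udev rule line for VENDOR:PRODUCT owned by GROUP (default plugdev).
# MODE 0660 lets only root and members of GROUP open the device node.
heimdall_udev_rule() {
    vendor="$1"; product="$2"; group="${3:-plugdev}"
    printf 'SUBSYSTEM=="usb", ATTR{idVendor}=="%s", ATTR{idProduct}=="%s", MODE="0660", GROUP="%s"\n' \
        "$vendor" "$product" "$group"
}

# Return 0 if FILE already has a rule for VENDOR:PRODUCT, 1 otherwise.
# Matching both attributes avoids a false "present" when only another
# product from the same vendor is listed.
udev_rule_has_device() {
    file="$1"; vendor="$2"; product="$3"
    grep -q "idVendor}==\"$vendor\".*idProduct}==\"$product\"" "$file"
}

# Append a rule only when the device is not yet covered.
# Prints 'added' or 'present' so a caller can decide whether a
# `udevadm control --reload-rules` is needed afterwards.
ensure_udev_rule() {
    file="$1"; vendor="$2"; product="$3"; group="${4:-plugdev}"
    if udev_rule_has_device "$file" "$vendor" "$product"; then
        echo present
    else
        heimdall_udev_rule "$vendor" "$product" "$group" >> "$file"
        echo added
    fi
}

# Constructed sample rules file (stand-in for 60-heimdall.rules) with one
# placeholder device already listed.
SAMPLE_RULES=$(mktemp)
heimdall_udev_rule 1234 0001 plugdev > "$SAMPLE_RULES"

# Usage: a second placeholder product from the same vendor is missing, so
# the first call appends it and the second reports it as present.
ensure_udev_rule "$SAMPLE_RULES" 1234 0002
ensure_udev_rule "$SAMPLE_RULES" 1234 0002
```

With the rule in place, the user still has to be a member of the group named in `GROUP=`; the rule changes who may open the device node, it does not elevate the application, which is the point of the "Lowest Privileges" remark above.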

GoogleCodeExporter commented 9 years ago
Ben,
The issue is not heimdall, if it was I would have put the issue on your issue 
tracker. The issue is JOdin and grooming users to accept that java web apps may 
ask for admin/root.

Adam,
You are clueless, and because of this you cannot be helped. Oh well, you
invented bootloader hackers and the internet.

Original comment by jc...@cunninglogic.com on 17 Jan 2014 at 3:00

GoogleCodeExporter commented 9 years ago
You know, JCase, I had prepared a well thought out response but I see that
you are simply trolling or clueless, so I will now explain this to you. When
you visit my Jodin3 site, you are running a full-blown desktop application. It
is my option NOT to install my application and place a link in your start menu
or on your desktop. It could be done easily with a simple boolean change to
this file:
https://code.google.com/p/android-casual/source/browse/trunk/X/JOdin3/nbproject/project.properties#64

I will not accept this behavior in my issue tracker though.  You claim you're 
doing this in the name of security, yet your own website is running Wordpress 
and has not had the software updated for more than a year, leaving several 
vulnerabilities open. 

We are practicing and utilizing the latest in web technology and security to 
bring an excellent user experience on our own website.  This is an exciting 
project.   If you wish to contribute, you may, but don't troll my Issue 
Tracker. 

Original comment by adamoutler@gmail.com on 17 Jan 2014 at 3:41
