switchkiller / pam-face-authentication

Automatically exported from code.google.com/p/pam-face-authentication

Security flaw revised #74

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
My first report of this was immediately dismissed as invalid. I have since 
verified this issue and talked to quite a few people and they all agree this is 
a MAJOR flaw. I don't know if I properly explained the issue before.

What steps will reproduce the problem?
1. Person A logs on to their user account and walks away, forgetting to lock it.
2. Person B sits down and runs qt-facetrainer (no root verification required).
3. Person B deletes your face and trains theirs in.
4. Person B now has total root access to the computer, including changing the root 
password.

I followed the installation instructions to the letter. qt-facetrainer can be 
run without root verification on my computer, thus allowing the biometric data 
to be changed without verification.

Maybe moving the configuration files to a folder owned by root, thus requiring 
sudo to modify them, would mitigate this.

Original issue reported on code.google.com by nolansyk...@gmail.com on 8 Dec 2010 at 10:31

GoogleCodeExporter commented 9 years ago
Now that I look, ALL of the data used for verification is located in the user's 
home folder, thus allowing the sensitivity, faces, and models to be operated on 
at will by the user without needing root privileges. This allows anyone who 
sits at the logged-on user's session to gain root access through manipulation of 
these files.

Original comment by nolansyk...@gmail.com on 8 Dec 2010 at 10:57

GoogleCodeExporter commented 9 years ago
Ah yes, one solution could be to add pam_face_authentication to run when 
qt-facetrainer starts, even though you are already logged in as that user. You 
can do that by adding a configuration file: /etc/pam.d/qt-facetrainer

Original comment by rohan.a...@gmail.com on 8 Dec 2010 at 11:53

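The two mitigations raised so far in this thread are (a) keeping the face templates in a root-owned location the logged-in user cannot rewrite, and (b) giving qt-facetrainer its own PAM service so it re-authenticates before it touches the templates. The following POSIX shell script is an added example to illustrate both, not code from this thread or from the pam-face-authentication project. It assumes that the module is installed as pam_face_authentication.so, that qt-facetrainer honours a service file named /etc/pam.d/qt-facetrainer as suggested above, and that `ls -ld` output has the usual mode-string and owner fields; the pam_unix.so lines, the function names and the sample users are the example's own.

```shell
#!/bin/sh
# Added example (not part of pam-face-authentication): check whether the
# directory holding the face templates can be rewritten by the session user,
# and write a PAM service file so qt-facetrainer authenticates before it
# enrols a new face. Module filename pam_face_authentication.so is assumed.

# assess_template_perms LOGIN_USER OWNER MODE
#   LOGIN_USER: account whose unlocked session an impostor might sit at
#   OWNER:      owner of the template directory (field 3 of `ls -ld`)
#   MODE:       ls-style mode string such as drwxr-xr-x (field 1 of `ls -ld`)
# Returns 0 when the templates are out of the session user's reach, 1 otherwise.
# The owner of a directory can always chmod it, so "owned by the user" is
# weak even when the write bit is currently off.
assess_template_perms() {
    login_user=$1; owner=$2; mode=$3
    gw=$(printf '%s' "$mode" | cut -c6)   # group write bit
    aw=$(printf '%s' "$mode" | cut -c9)   # other write bit
    if [ "$owner" = "$login_user" ]; then
        echo "WEAK: $login_user owns the template dir and can retrain at will"
        return 1
    fi
    if [ "$aw" = "w" ]; then
        echo "WEAK: template dir is world-writable"
        return 1
    fi
    if [ "$gw" = "w" ]; then
        echo "WEAK: template dir is group-writable"
        return 1
    fi
    if [ "$owner" != "root" ]; then
        echo "WARN: template dir owned by $owner, not root; $owner can chmod it"
        return 1
    fi
    echo "OK: root-owned, not writable by $login_user"
    return 0
}

# check_template_dir LOGIN_USER DIR
#   Reads owner and mode from `ls -ld` and hands them to assess_template_perms.
#   Returns 2 if DIR does not exist.
check_template_dir() {
    login_user=$1; dir=$2
    [ -d "$dir" ] || { echo "MISSING: $dir"; return 2; }
    set -- $(ls -ld "$dir")          # drwx------ 2 owner group size date name
    assess_template_perms "$login_user" "$3" "$1"
}

# write_facetrainer_pam_stack PATH
#   Writes a PAM service file for qt-facetrainer. The password step comes
#   first on purpose: the face module alone would verify whoever currently
#   matches the stored template, and the impostor is the one about to
#   replace it. Install the result as /etc/pam.d/qt-facetrainer (as root).
write_facetrainer_pam_stack() {
    cat > "$1" <<'EOF'
# qt-facetrainer: authenticate before the stored face templates are changed.
# (Added example; pam_face_authentication.so module filename is assumed.)
auth    required    pam_unix.so
auth    required    pam_face_authentication.so
account required    pam_unix.so
EOF
}

# Usage on a real system (paths as reported in this thread):
#   check_template_dir "$(id -un)" "$HOME/.pam-faceauthorization"
#   write_facetrainer_pam_stack /tmp/qt-facetrainer && sudo install -m 644 \
#       /tmp/qt-facetrainer /etc/pam.d/qt-facetrainer
```

Note the caveat the workaround in this thread runs into: if the module still reads a copy of the templates from the user's home directory, that copy is what check_template_dir will flag as WEAK, and root ownership of the trainer binary alone does not help.
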
GoogleCodeExporter commented 9 years ago
I had root take ownership of ~/.pam-faceauthorization and 
/usr/bin/qt-facetrainer without others being able to execute it, so I have to be 
root to execute it, and it launches pam-faceauthorization, so I am going to see how 
well that works.

Original comment by nolansyk...@gmail.com on 8 Dec 2010 at 11:57

GoogleCodeExporter commented 9 years ago
Meh.. it works in a way: when I run it as root it saves the config files in 
root's home folder, so I just had to copy those into my home folder to get the 
updated ones, and now everything is locked down nicely.

Original comment by nolansyk...@gmail.com on 9 Dec 2010 at 12:09

GoogleCodeExporter commented 9 years ago
Well, I don't think you understand how pfa works.
qt-facetrainer trains the model for the user which launched it.

And getting access to a user account (leaving it unlocked) doesn't mean access to 
the root account. 

Original comment by rohan.a...@gmail.com on 9 Dec 2010 at 12:11

GoogleCodeExporter commented 9 years ago
If I have access to someone's account that is logged on and has this program 
installed, I can run sudo anything by either modifying the files in their home 
folder or simply running the training program to train in my face.

I did this on my brother's computer. I locked him out entirely and changed all of 
his passwords, simply because I was able to run the face trainer, put my face 
in and gain sudo privileges without ever being authorized.

Original comment by nolansyk...@gmail.com on 9 Dec 2010 at 12:21

GoogleCodeExporter commented 9 years ago
When I type in sudo *anything* with this installed, it uses 
pam-faceverification to see if I am authorized.

If I can, as a regular user, change what pam-faceverification uses to verify I 
am root, then anyone can sit at that regular user's session, put in their face, be 
verified as root and do anything they want.

If I did not lock it down, anyone on my user could run qt-facetrainer, put their 
face in, then type sudo passwd root, put in whatever password they want and have 
complete access to root.

Original comment by nolansyk...@gmail.com on 9 Dec 2010 at 12:37

GoogleCodeExporter commented 9 years ago
First, your brother's account is a root account, that's why you got sudo access. 
Secondly, if you want, you can add face authentication to qt-facetrainer by 
adding a config file for it at /etc/pam.d, thereby rejecting imposters.

Original comment by rohan.a...@gmail.com on 9 Dec 2010 at 1:47