gksu does not warn about programs not in root's $PATH

Bug #271820 reported by Simon Woolf
This bug affects 1 person
Affects: gksu (Ubuntu) | Status: Confirmed | Importance: Wishlist | Assigned to: Unassigned | Milestone: none

Bug Description

Binary package hint: gksu

The gksu prompt is identical for running programs wherever they are located. This gives rise to an easy method of privilege escalation (albeit with an element of user interaction).

For example, an intruder with current user privileges could create the folders ~/usr/sbin/, make a shell script called "synaptic" in that folder that installs a rootkit and launches the real synaptic, and finally edit ~/.local/share/applications/synaptic.desktop to change the Synaptic menu item from "gksu /usr/sbin/synaptic" to "gksu ./usr/sbin/synaptic".

Since the only change in the gksu prompt would be the addition of a single full stop, most people, I would guess, would not notice the difference (see attachment).

Of course, an attacker could do this to all programs that launch with gksu, to give a larger chance of the malicious script being run sooner. Part of the script (once it successfully runs) could be to reverse the changes to the menus to reduce chance of detection. So as long as the user doesn't notice the /usr directory in their home folder (and, frankly, most users' home folders are crammed full of junk put there by various applications -- I have about 120 folders in mine), the chances are this could all go undetected.

My suggestion would be to have the gksu prompt display a banner of some sort at the top of the prompt if the program being launched is not in root's $PATH (the user's $PATH wouldn't work, since an attacker with user privileges could just modify it), warning the user that the program they are elevating is a non-system program. The exact wording isn't that important: the important thing is to make the prompt look different from the usual prompt, so a user who is used to seeing the normal prompt when launching synaptic would know that something's amiss.

Anyone looking for an example of how this might feel might like to compare the following elevation prompts from Another Operating System: http://snurl.com/sysprog, http://snurl.com/otherprog (albeit that's based on whether the running program is digitally signed by the OS manufacturer, rather than the path. Sadly Ubuntu executables aren't digitally signed, though there is a suggestion on https://wiki.ubuntu.com/ProactiveSecurity that they might be in future).
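The check the report asks for, as an added example that is not gksu's code and not part of the original report: given the command that would follow "gksu" in a .desktop Exec= line and the directory the launcher starts it from, decide whether the program lives in a directory on root's $PATH. It assumes root's $PATH is the fixed list in ROOT_PATH (a real implementation would read it from root's environment or the sudoers secure_path, never from the invoking user's $PATH, for the reason the report gives). The demo builds the ~/usr/sbin/synaptic layout from the report in a throwaway directory, with a harmless wrapper script standing in for the malicious one.

```shell
#!/bin/sh
# Added example, not gksu code. Assumption: root's PATH is this constant.
ROOT_PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# canon_dir DIR: print DIR's physical path (symlinks resolved); fail if absent.
canon_dir() {
  [ -d "$1" ] && (cd "$1" 2>/dev/null && pwd -P)
}

# in_root_path DIR: succeed iff DIR is physically one of root's PATH entries.
# Comparing physical paths defeats /sbin -> /usr/sbin style symlink aliases.
in_root_path() {
  want=$(canon_dir "$1") || return 1
  [ -n "$want" ] || return 1
  oldifs=$IFS; IFS=:
  for entry in $ROOT_PATH; do
    if [ "$(canon_dir "$entry")" = "$want" ]; then IFS=$oldifs; return 0; fi
  done
  IFS=$oldifs
  return 1
}

# classify_target CMDLINE CWD: CMDLINE is what follows "gksu" in Exec=,
# CWD is where the launcher runs it (typically $HOME). Prints a verdict and
# returns 0 for a system program, 1 when a warning banner should be shown.
classify_target() {
  cmdline=$1; cwd=$2
  set -- $cmdline            # first word is the program to be elevated
  prog=$1
  case $prog in
    /*)  dir=$(dirname "$prog") ;;                 # absolute: /usr/sbin/synaptic
    */*) dir=$cwd/$(dirname "$prog") ;;            # relative: ./usr/sbin/synaptic
    *)   # bare name: resolve in root's PATH only, never in the user's PATH
         dir=
         oldifs=$IFS; IFS=:
         for entry in $ROOT_PATH; do
           if [ -x "$entry/$prog" ]; then dir=$entry; break; fi
         done
         IFS=$oldifs ;;
  esac
  if [ -n "$dir" ] && in_root_path "$dir"; then
    echo "system program: $prog"
    return 0
  fi
  echo "WARNING: non-system program: $prog (resolves outside root's PATH)"
  return 1
}

# demo: recreate the report's layout in a scratch "home" and classify both
# Exec lines. The wrapper here only execs the real binary; it is a stand-in
# for the malicious script, constructed for this example.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/usr/sbin"
  printf '#!/bin/sh\nexec /usr/sbin/synaptic "$@"\n' > "$tmp/usr/sbin/synaptic"
  chmod +x "$tmp/usr/sbin/synaptic"
  classify_target "/usr/sbin/synaptic" "$tmp"   # original menu item
  classify_target "./usr/sbin/synaptic" "$tmp"  # one extra full stop
  rm -rf "$tmp"
}

demo
```

The decision is made on the directory the program resolves to, not on its basename, so "./usr/sbin/synaptic" and "/usr/sbin/synaptic" are told apart even though the prompt text differs by a single character. One caveat: the check only covers the first word of Exec=; an interpreter in root's PATH handed a user-writable script as its argument ("gksu sh ~/x.sh") would still classify as a system program, so a real implementation would also have to look at the arguments.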

Revision history:
Simon Woolf (semw): description: updated
Changed in gksu:
status: New → Confirmed
importance: Undecided → Wishlist
pitwalker (pitwalker) wrote:

Simon: The screenshot is beautiful. http://launchpadlibrarian.net/17734701/gksu.png
The application text is SMALL!
The "Enter your password" is HUGE!!

In my mind these should be exchanged, both the font size and the order.

 - A normal user cannot know or interpret what the initial "." means
 - We are humans; anybody can be inattentive

This report contains public security information; everyone can see it.
