Sometimes, I notice a notification icon indicating pending updates, or just the update manager pops up, asking to download some updates. Then, when I want to go through with it, I'm asked for my password. At this point, how do I know that the icon and the window I'm interacting with are indeed coming from the genuine update manager and not some rogue process visually imitating it to obtain my password? Note that this is a general question that goes beyond just the update manager. What's the easiest way to verify the source of a window?
2 Answers
You can always check /var/log/auth.log. Each request for authentication will go into the log. Here's, for example, an entry from when I manually opened the update manager and canceled when the popup asked for updates:
Sep 30 00:07:13 eagle pkexec[17815]: xieerqi: Executing command [USER=root] [TTY=unknown] [CWD=/home/xieerqi] [COMMAND=/usr/lib/update-notifier/package-system-locked]
And this is manually running apt-get:
Sep 30 00:10:24 eagle sudo: xieerqi : 1 incorrect password attempt ; TTY=pts/6 ; PWD=/home/xieerqi ; USER=root ; COMMAND=/usr/bin/apt-get update
As you can see, the COMMAND field tells you what app requested root privilege. From there, you can inspect the integrity of that executable file by scanning it with clamav or similar tools. If you're really worried about that executable being compromised, check its SHA sum, for instance,
sha1sum /usr/bin/apt-get
If it's changed somehow, you will see a different output from sha1sum.
Finally, remember to practice good security overall: strong passwords and no remote access to your system (unless you really need it).

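As an added worked example (not part of the answer above, and not a tool from Ubuntu or the update manager), here is a small Python script that does what the answer describes by hand: it reads auth.log lines in the format shown, pulls the COMMAND field out of pkexec and sudo entries, flags requests whose executable lives outside the directories package-managed binaries are installed to, and compares a binary against a previously recorded SHA-256 (SHA-256 rather than sha1sum, since SHA-1 collisions are practical). The sample log is constructed: the first two lines reproduce the entries quoted above, the others are made up for the example. The list of trusted directories is an assumption you should adjust for your system.

```python
import hashlib
import hmac
import re
import sys

# Constructed sample in the format of /var/log/auth.log. The first two lines
# mirror the entries quoted in the answer; the last two are made up here.
SAMPLE_AUTH_LOG = """\
Sep 30 00:07:13 eagle pkexec[17815]: xieerqi: Executing command [USER=root] [TTY=unknown] [CWD=/home/xieerqi] [COMMAND=/usr/lib/update-notifier/package-system-locked]
Sep 30 00:10:24 eagle sudo: xieerqi : 1 incorrect password attempt ; TTY=pts/6 ; PWD=/home/xieerqi ; USER=root ; COMMAND=/usr/bin/apt-get update
Sep 30 00:12:01 eagle sudo: xieerqi : TTY=pts/6 ; PWD=/home/xieerqi ; USER=root ; COMMAND=/tmp/.x/update-manager --ask-password
Sep 30 00:12:30 eagle CRON[18001]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# pkexec logs the caller, the target user and the command in [KEY=value] brackets.
PKEXEC_RE = re.compile(
    r"pkexec\[\d+\]: (?P<user>\S+): Executing command \[USER=(?P<target>[^\]]+)\]"
    r".*\[COMMAND=(?P<command>[^\]]+)\]"
)
# sudo logs "caller : [details ;] TTY=... ; PWD=... ; USER=... ; COMMAND=..."
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : (?P<detail>.*?)USER=(?P<target>\S+) ; COMMAND=(?P<command>.+)$"
)

# Assumption: where binaries installed by the package manager live on this system.
TRUSTED_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/", "/bin/", "/sbin/")


def privilege_requests(log_text):
    """Return one record per pkexec/sudo entry: who asked, for whom, and which command."""
    records = []
    for line in log_text.splitlines():
        for tool, rx in (("pkexec", PKEXEC_RE), ("sudo", SUDO_RE)):
            m = rx.search(line)
            if m:
                records.append({
                    "tool": tool,
                    "user": m.group("user"),
                    "target": m.group("target"),
                    "command": m.group("command").strip(),
                    "failed": "incorrect password attempt" in line,
                })
                break
    return records


def suspicious(records, trusted=TRUSTED_PREFIXES):
    """Records whose executable (first word of COMMAND) is outside the trusted directories."""
    return [r for r in records if not r["command"].split()[0].startswith(trusted)]


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def matches_baseline(path, expected_hex):
    """Compare a binary against a hash recorded earlier on a known-good system."""
    return hmac.compare_digest(sha256_file(path), expected_hex.lower())


if __name__ == "__main__":
    # Usage: python3 authlog_check.py [/var/log/auth.log]; defaults to the sample above.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUTH_LOG
    recs = privilege_requests(text)
    for r in recs:
        status = "FAILED" if r["failed"] else "ok"
        print(f"{r['tool']:6} {r['user']} -> {r['target']} [{status}] {r['command']}")
    for r in suspicious(recs):
        print(f"WARNING: privilege request from untrusted location: {r['command']}")
```

Reading the real file needs root or membership in the adm group. Two caveats worth keeping in mind: a hash only tells you something if the baseline was taken on a system you trusted at the time, and on Debian/Ubuntu `dpkg -V <package>` already compares installed files against the package's own checksums for you; and a fake dialog that merely collects your password never calls pkexec or sudo, so the absence of any entry at the moment a prompt appeared is itself a warning sign.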
I think the best way to verify the source of a window would be to use a solution similar to Tell a process PID by its window?.
This will give you what process that window is coming from. You could then go and verify the identity of the process to guarantee that it isn't coming from a rogue program. Something like https://superuser.com/questions/632979/if-i-know-the-pid-number-of-a-process-how-can-i-get-its-name