On Fri, Sep 22, 2000 at 12:09:11AM +0200, Daniele Cruciani wrote:
>
> There was an interference, you have tuned in the right channel what
> I was saying :)
> Something like MacOSX configurator would be cool and usable for Debian
> too.
>
> Also, as far as the issue of running an X based program as root remains
> even if you su in terminal, such a solution is more sure than having
> an apt front-end that could not start at all if it can't open the lock
> file (i.e. if it isn't launched by root).

that is why things like gnome-apt should not run as root, they should ask for the root password and pass it to, say, su -c 'apt-get command foo foo foo'

> Actually, gnome-apt is cool, but at this time lacks on security; but
> gnome-apt is not alone, for example logview is unusable, gpowertweak
> runs only as root and one can probably find a lot of other examples.

it's bad design since any program running as root has to be audited for security problems, and dragging the entire X libraries and whatever toolkits into that is just a mess. much better for the GUI program to run as the user and use a small non-gui backend to take care of authentication and privileged operations. the password asking stuff can be handled by something like ssh-askpass.

the other advantage to using non X backends for the privileged stuff is you completely avoid the entire Xauthority crap that normally occurs when using su in X sessions. (the other option being the evil setuid bit on the GUI app. /me shudders at the thought)

> I was not speaking about a global configurator, of course, but of a
> single program that requires to be root for running under X, for
> example gnorpm is a problem in term of security, debian should not
> have such a problem

you misunderstand me, NO X stuff should be running as root, ever. gnome-apt should run happily as an ordinary user without any suid bits. when it needs privilege it should put up a ssh-askpass style dialog asking for the root password and pass that password on to a NON-X backend program that authenticates and then performs the privileged operations. in many cases this could probably be as simple as su -c 'foo' (though that might not be the best way to do it) but this horrible mentality of `just run it as root' MUST stop. X based GUI programs are just too big and use too many large unaudited libraries to just be `run as root'. if we start down this path where many many [X based] programs are run as root or contain the suid bit, we will quickly be in the same mess Microsoft is with a security hole riddled OS. this same mentality was the result of a great deal of unix security problems of the past and unfortunately is becoming a new trend in the GUI application dept.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
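The privilege-separated layout argued for in the message above (GUI runs as the ordinary user, a small non-X backend does the root work) sketched as an added example; this is constructed for illustration and is not code from the thread, from gnome-apt or from Debian. It assumes a hypothetical backend script named apt-backend that the front-end hands a request to through su -c (su prompts for the root password on its own), and it assumes a fixed allow-list of four apt-get actions. The backend's only job is to refuse anything that is not a plain package operation before apt-get is invoked, so the part that actually runs as root stays a few dozen lines that can be audited without reading any GUI toolkit.

```shell
#!/bin/sh
# Constructed example of a small, non-GUI privileged backend for an apt
# front-end (hypothetical script name: apt-backend). The GUI runs as the
# user and invokes this as root, e.g.
#   su -c "/usr/local/sbin/apt-backend install hello" root
# Everything below is an assumption made for the example.

# apt-get actions the backend is willing to perform.
ALLOWED_ACTIONS="update upgrade install remove"

# Return 0 if $1 is one of ALLOWED_ACTIONS.
is_allowed_action() {
    for a in $ALLOWED_ACTIONS; do
        [ "$1" = "$a" ] && return 0
    done
    return 1
}

# Return 0 if $1 looks like a Debian package name: lowercase letters, digits,
# '+', '-' and '.', starting with an alphanumeric, at least two characters.
# Spaces, quotes, ';', '$', a leading '-' and so on are refused, so a name
# can never be read as a shell construct or as an apt-get option.
is_package_name() {
    case "$1" in
        ''|?) return 1 ;;          # empty or single character
        [a-z0-9]*) ;;              # acceptable first character
        *) return 1 ;;
    esac
    case "$1" in
        *[!a-z0-9+.-]*) return 1 ;; # any character outside the allowed set
    esac
    return 0
}

# Validate a request "ACTION [PKG...]"; return 1 on anything unexpected.
validate_request() {
    action=$1
    shift
    is_allowed_action "$action" || return 1
    case "$action" in
        update|upgrade)
            [ $# -eq 0 ] || return 1 ;;   # these take no package list
        install|remove)
            [ $# -ge 1 ] || return 1
            for p in "$@"; do
                is_package_name "$p" || return 1
            done ;;
    esac
    return 0
}

# Print the apt-get command line that a valid request maps to, one token
# per argument; prints nothing and returns 1 for an invalid request.
build_command() {
    validate_request "$@" || return 1
    action=$1
    shift
    printf 'apt-get -y %s' "$action"
    for p in "$@"; do
        printf ' %s' "$p"
    done
    printf '\n'
}

# Backend entry point. apt-get is executed directly with the validated
# tokens as separate arguments; no shell ever interprets the request.
run_backend() {
    validate_request "$@" || {
        echo "apt-backend: refused request: $*" >&2
        return 1
    }
    [ "$(id -u)" -eq 0 ] || {
        echo "apt-backend: must be run as root" >&2
        return 1
    }
    action=$1
    shift
    exec apt-get -y "$action" "$@"
}

# Only act when executed under the backend's own name; sourcing the file
# (for example to test the validators) does nothing.
if [ "${0##*/}" = "apt-backend" ]; then
    run_backend "$@"
fi
```

The front-end side needs no privilege at all: it collects the action and package names from the user, then runs su -c with those tokens as the argument list. Because the backend re-validates every token and never passes the request through a shell, a compromised or buggy GUI cannot smuggle anything beyond the four listed actions into the root context, which is the property the message asks for.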