[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: RFC: it's so easy ...

On Fri, Sep 22, 2000 at 12:09:11AM +0200, Daniele Cruciani wrote:
> There was an interference, you have tuned in the right chanel what
> I was saying :)
> Something like MacOSX configurator would be cool and usable for Debian
> too.
> Also, as far the issue of running an X based program as root remain
> even if you su in terminal, such a solution is more sure than having
> an apt front-end that could not start at all if it can't open the lock
> file (i.e. if it isn't launched by root).

that is why things like gnome-apt should not run as root, they should
ask the root password and pass it to say su -c 'apt-get command foo
foo foo'

> Actually, gnome-apt is cool, but at this time lack on security; but
> gnome-apt is not alone for example logview is unusable, gpowertweak
> run only as root and one can probably find a lot of other example.

its bad design since any program running as root has to be audited for
security problems, and dragging the entire X libraries and whatever
toolkits into that is just a mess.  much better for the GUI program to
run as the user and use a small non-gui backend to take care of
authentication and privileged operations.  the password asking stuff
can be handled by something like ssh-askpass.  

the other advantage to using non X backends for the privileged stuff
is you completly avoid the entire Xauthority crap that normally
occurs when using su in X sessions.  (the other option being the evil
setuid bit on the GUI app.  /me shudders at the thought)

> I was not speaking about a global configurator, of course, but of a
> single program that require to be root for running under X, for
> example gnorpm is a problem in term of security, debian should not
> have such a problem

you misunderstand me, NO X stuff should be running as root, ever.
gnome-apt should run happily as an ordinary user without any suid
bits.  when it needs privilege it should put up a ssh-askpass style
dialog asking for the root password and pass that password on to a
NON-X backend program that authenticates and then performs the
privileged operations.  in many cases this could probably be as simple
as su -c 'foo' (though that might not be the best way to do it) 

but this horrible mentality of `just run it as root' MUST stop.  X
based GUI programs are just too big and use too many large unaudited
libraries to just be `run as root' if we start down this path where
many many [X based] programs are run as root or contain the suid bit,
we will quickly be in the same mess Microsoft is with a security hole
riddled OS.  this same mentality was the result of a great deal of
unix security problems of the past and unfortunatly is becoming a new
trend in the GUI application dept.

Ethan Benson

Attachment: pgpYF8hdt56jX.pgp
Description: PGP signature

Reply to: