
Re: root login



While the argument that being forced to su to root is somehow less
secure than GDMing as root isn't great, your counter-argument is totally
broken.

Yes, your root-owned binaries are protected from modification by
programs running under your (non-root) user credentials. 

However, this certainly doesn't mean that you are accessing su (or other
setuid binaries) in a secure fashion. If the attacker puts "export
PATH=~/.evilhackerpath:$PATH" in your path and that directory contains
su (or a trojan'd bash, ...) that logs your keystrokes you lose. 

A clever attacker will pass through everything to the real su so that
you never know the difference.

If they don't do it through this means, they could (1) directly alter
the process image in memory of a trusted process (e.g., your shell) to do
nasty things. (2) Add some creative LD_LIBRARY_PATH statements (or other
library-affecting env vars) to load trojan (passthrough) versions of
standard libraries. (3) ...

The safe way to become root, if you think your normal user account may
be violated, would be to log in via the console (or another root-owned
process). Any time you enter a process space under the control of an
attacker you can be compromised.

On another note: What the heck does anyone *do* as root that requires a
GUI?

Your point about why running as root on a multiuser system is bad is
quite right.

Cheers,

Adam

On Wed, 2003-04-30 at 01:00, Robert McQueen wrote:
> On Tue, Apr 29, 2003 at 11:33:53AM -0700, Michael Toomim wrote:
> > If a hacker gets access to your account, and then you su to root, he'll 
> > sniff your password and get root access.  Being a user who periodically 
> > logs in as root is just as insecure as being a user who logs in as root.
> > 
> > Except that in this case, it's actually LESS secure.  Say a hacker gets 
> > into my user account.  If I were to log in as root from GDM, the hacker 
> > would still be trapped in my user account.  But if I *can't* log in as 
> > root from GDM, I'll be forced to su to root instead from my user 
> > account, and the hacker will get my password (and consequently root access).
> 
> This argument has the minor disadvantage of being completely wrong. If a
> hacker gets access to your user account, then the system utilities or
> kernel etc cannot have been changed to obtain your root password during
> the normal utilisation of your system. Your /bin/su or whatever is still
> owned by root and there's no way the hacker-as-a-user could modify it to
> log or yield your root password. THIS IS THE POINT OF USING YOUR COMPUTER
> AS A USER, AND HAVING ALL THIS STUFF OWNED BY ROOT! [1]
> 
> Take the other point of view. What if you use root like your normal user
> account? The hacker gets access to this by the same means he gets access
> to your user account before (probably idiocy in this case?) and not only
> can he turn your HDD into a brick, destroy your data, he can also access
> the user accounts of all the people on your system, and tap all their
> passwords and keypresses for any other systems they use. Now which is
> less secure?
> 
> Regards,
> Rob
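The following is an added example and not part of the thread above. It turns Adam's argument into a defensive pre-flight check: before a root password is typed into su from an ordinary account, it reports PATH entries that a compromised user account could populate (empty, relative, or under the home directory, which is where an `export PATH=~/.evilhackerpath:$PATH` puts its directory), resolves which `su` the shell would actually run and checks that it sits in a system directory with the setuid bit, and lists loader variables such as LD_LIBRARY_PATH that would pull user-controlled libraries into the shell. The list of system directories is an assumption for a typical Linux layout; everything is read-only.

```sh
#!/bin/sh
# Added example, not code from the original thread: a read-only check of the
# environment a shell would use when running su from a user account.
# Findings go to stdout; a non-zero return from a check means "found something".

# Assumed: directories where a distribution installs the real su.
SYSTEM_DIRS="/bin /usr/bin /sbin /usr/sbin"

# audit_path PATH HOME
# Prints "entry: reason" for every PATH entry a compromised user account
# could write to: empty or "." entries (the current directory), relative
# entries, and anything under the home directory.
audit_path() {
    home="${2:-/nonexistent-home}"   # an empty HOME must not match everything
    rest="$1:"
    while [ -n "$rest" ]; do
        dir="${rest%%:*}"; rest="${rest#*:}"
        case "$dir" in
            ""|.)              printf '%s: %s\n' "${dir:-<empty>}" "current directory in PATH" ;;
            "$home"|"$home"/*) printf '%s: %s\n' "$dir" "under home directory" ;;
            /*)                ;;   # absolute and outside HOME: not flagged here
            *)                 printf '%s: %s\n' "$dir" "relative entry" ;;
        esac
    done
}

# first_in_path PATH NAME
# Prints the first executable NAME found walking PATH in order, which is the
# file the shell would run (aliases and shell functions aside). Returns 1 if
# nothing is found.
first_in_path() {
    rest="$1:"
    while [ -n "$rest" ]; do
        dir="${rest%%:*}"; rest="${rest#*:}"
        [ -z "$dir" ] && dir=.
        if [ -f "$dir/$2" ] && [ -x "$dir/$2" ]; then
            printf '%s\n' "$dir/$2"
            return 0
        fi
    done
    return 1
}

# check_su PATH
# The su that would run must live in a system directory and carry the setuid
# bit; a copy planted in a user-writable directory fails the first test.
check_su() {
    if ! su_path=$(first_in_path "$1" su); then
        echo "su: not found in PATH"
        return 1
    fi
    su_dir="${su_path%/*}"
    for d in $SYSTEM_DIRS; do
        if [ "$su_dir" = "$d" ] && [ -u "$su_path" ]; then
            echo "su: OK ($su_path)"
            return 0
        fi
    done
    echo "su: SUSPECT ($su_path)"
    return 1
}

# check_ld_env
# Lists dynamic-loader variables that inject user-controlled libraries into
# every dynamically linked program this shell starts. The loader ignores them
# for setuid programs such as su itself, but not for the shell and terminal
# that handle your keystrokes before su runs.
check_ld_env() {
    found=0
    for var in LD_PRELOAD LD_LIBRARY_PATH LD_AUDIT; do
        eval "val=\${$var:-}"
        if [ -n "$val" ]; then
            printf '%s=%s: set in environment\n' "$var" "$val"
            found=1
        fi
    done
    return $found
}

# Run the checks against this shell's own environment.
echo "== PATH entries a user account could control"
audit_path "$PATH" "$HOME"
echo "== which su would run"
check_su "$PATH" || true
echo "== loader variables"
check_ld_env || true
```

A clean result only says the environment the check could see looks sane; it does not rule out Adam's point (1), a tampered process image, or a modified shell startup file that rewrites PATH after this script has run. Which is why his conclusion stands: when the user account itself may be compromised, authenticate as root from a console or another root-owned process rather than from that account's shell.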