Re: Netscape running as root
On Tue, Dec 04, 2001 at 11:56:19PM -0600, Jor-el wrote:
> Hi,
>
> Why is running Netscape as root considered to be a security
> problem? I just tried installing vmware on my system and it needs root to
> install, and it searched for Netscape. The installer, fortunately, was an
> intelligent one and proceeded with the install after I cancelled its
> search for Netscape (it said the install help wouldnt be available without
> Netscape).
Well, it's stupid to surf as root, because there *might* be some uncovered
security holes in Netscape, and if you surf as root, any malicious things a
web-page abusing such a hole does, have the potential to do damage to the
whole machine, not only the user running it. In addition, you might revel
that a probable unix-machine is running at such and such IP, and there is
a root-user there. However, security by obscurity never was that effective,
so this is not that large a problem.
Running netscape as root to view some local html pages is not that much of
a security risk, but it depends whether or not you trust the source of the
web-pages.
> If it is something really stupid to run Netscape as root, I'd like
> to point out to VMWare that their requirement to have Netscape for the
> install is bad.
Depends how they did it. If it was to render local web-pages, it can be
forgiven.
--
- Vegard Engen, member of the first RFC1149 implementation team.
Reply to: