On Mon, 2003-04-28 at 13:03, alex wrote:
> Assume that you log in to Gnome as a user, call up a
> terminal and then do su or sudo.
>
> Does this give root access to Gnome or is root's
> operation restricted to what it does in the
> terminal while user can still operate in Gnome?
>
> My thinking is that since user doesn't have the
> permissions that root has, user can't do as much
> damage in Gnome that root could. So, by not logging
> root in to Gnome (or KDE), root doesn't have the
> opportunity to do any damage.
>
> This could be true only if when you do su or sudo in
> terminal, root's authority is restricted to that
> terminal while user can still use Gnome.
>
> Is this reasoning correct?
>

It is in the right direction, somewhat.

Anything started as a particular user, usually runs as that user in terms of permissions (sometimes a program can change who it runs as - if it needs root privileges for specific tasks, it might have special permissions to run as root for those tasks, or if poorly written, insists on running as root across the board. Other programs switch themselves to be a specific non-human user - no root privileges, but access to a common database within the context of the program, for instance.)

Unless directed otherwise, anything "spawned" from a program running as one user (such as a shell, or a GUI) similarly usually runs as that user, with the same permissions.

If you open a shell and switch user to root in it (or use a shell that does that automagically,) anything run from that shell runs as root, unless otherwise changed. Anything not run from that shell runs as the user that the launching program/environment is set as.

Personally, I have a trick to make sure that I can identify anything I run that has been spawned as root rather than as me - the Xresources, KDE interface, and Gnome settings for root are all set to have garishly obvious colours, so that I know that mistakes with those programs could be toxic.

-- 
Mark L. Kahnt, FLMI/M, ALHC, HIA, AIAA, ACS, MHP
ML Kahnt New Markets Consulting
Tel: (613) 531-8684 / (613) 539-0935
Email: kahnt@hosehead.dyndns.org
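An added illustration of the inheritance described in the message above (not part of the original post): this sketch walks a process table and lists every process running with effective UID 0 that descends from a process owned by a given desktop user, which is the set a `su` in one terminal creates. The sample table, its PIDs and the function names are constructed for the example; `read_proc()` assumes a Linux `/proc`.

```python
import os

# Constructed sample process table: pid -> (ppid, effective uid, command).
# Models a GNOME login as uid 1000 where `su` was run in one terminal only.
SAMPLE = {
    1: (0, 0, "init"),
    900: (1, 0, "gdm"),
    1000: (900, 1000, "gnome-session"),
    1010: (1000, 1000, "nautilus"),
    1020: (1000, 1000, "gnome-terminal"),
    1021: (1020, 1000, "bash"),
    1030: (1021, 0, "su"),
    1031: (1030, 0, "bash"),
    1040: (1031, 0, "vi"),
    1050: (1000, 1000, "gnome-terminal"),
    1051: (1050, 1000, "bash"),
}

def root_under_user(table, uid):
    """Return {pid: command} for euid-0 processes that have an ancestor owned by uid."""
    found = {}
    for pid, (ppid, euid, comm) in table.items():
        seen = set()  # guards against loops in a racy snapshot
        while euid == 0 and ppid in table and ppid not in seen:
            seen.add(ppid)
            next_ppid, parent_uid, _ = table[ppid]
            if parent_uid == uid:
                found[pid] = comm
                break
            ppid = next_ppid
    return found

def read_proc():
    """Build the same table from /proc/<pid>/status on a Linux host."""
    table = {}
    for name in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{name}/status") as fh:
                f = {k: v.strip() for k, _, v in (l.partition(":") for l in fh)}
            # Uid line holds real, effective, saved and filesystem uid.
            table[int(name)] = (int(f["PPid"]), int(f["Uid"].split()[1]), f["Name"])
        except (OSError, KeyError, ValueError, IndexError):
            continue  # process exited while we were scanning
    return table

if __name__ == "__main__":
    print("sample:", root_under_user(SAMPLE, 1000))
    if os.path.isdir("/proc/self"):
        print("live:  ", root_under_user(read_proc(), os.getuid()))
```

In the sample, only `su` and what was started beneath it show up as root; the file manager and the second terminal stay at uid 1000. On a live system, programs that have special permissions to run as root will also appear under the user's session.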