
Re: Is this why you shouldn't log in as root?



alex <radsky@ncia.net> writes:
>
> Assume that you log in to Gnome as a user, call up a
> terminal and then do su or sudo.
> 
> Does this give root access to Gnome or is root's
> operation restricted to what it does in the
> terminal while user can still operate in Gnome?

That's the idea, as others have pointed out.  Assuming that no
malicious applications are running, whatever commands you run inside
that terminal window are run as "root", but other applications (both
existing and newly launched) and Gnome itself continue to run as the
logged-in user.  This is far safer than logging into Gnome as "root".

However, the X Window System (on top of which Gnome or KDE run) was
never designed to keep applications securely protected from each
other.  In general, if a malicious application is running (or if an
innocent application like a browser has been compromised because of a
security hole), that application can exert substantial control over
other applications, including the terminal window that's running as
"root".

For example, any X application can send events, including keypress
events, to other applications, like terminal windows.  These events
are flagged as being generated by other applications rather than by
real events, but many applications don't check.  "xterm" does by
default---if another application sends it key events, it ignores them
(unless you select "Allow SendEvents" in one of its popup menus).
However, Eterm and the Gnome Terminal program don't check.  Either one
can be fed key events by any other application, and it's just as if
the user is typing commands into the window.

Moreover, any X application can peek at another window's keyboard
events.  That is, any malicious application can sniff keyboard input,
including root passwords, from all other windows.  "xterm" has a
mechanism to prevent this attack.  In its "Main Options" popup menu,
right above "Allow SendEvents", there's a "Secure Keyboard" setting.
This will grab the keyboard, and no other application can get those
keyboard events until you deselect "Secure Keyboard" again.  As far as
I know, Eterm and Gnome Terminal can't secure the keyboard this way.

Even "xterm" can be tricked by a more complicated malicious program,
though.

There's no general way around this problem that I know of.  Any
application that can access your X display (which usually means any
application that can read your ".Xauthority" file) has a surprising
degree of control over anything you do from your desktop.

The truly paranoid may wish to switch to a text-only virtual console
and log in as root from there.  The extremely paranoid may also wish
to read up on Linux's secure attention key support.  The unreasonably
paranoid may wish to only do system administration after a power-off
reboot to single-user mode using write-protected media.  The
pathologically paranoid may wish to sell their computers and live off
the land.

-- 
Kevin <buhr@telus.net>
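
Added example, not part of the original message: the check a terminal has to make to ignore injected keystrokes, shown on raw X11 wire events so it runs without an X server. The function names and the sample events are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* X11 core protocol: each event on the wire is 32 bytes. Byte 0 is the
 * event code; the server sets its high bit when the event came from another
 * client's SendEvent request rather than from an input device. Xlib exposes
 * the same bit as the send_event field of XKeyEvent. */
#define X_EVENT_SIZE  32
#define X_SENT_FLAG   0x80
#define X_KEY_PRESS   2
#define X_KEY_RELEASE 3

/* Returns 1 if the event is a key event injected by another client. */
int is_synthetic_key(const uint8_t *ev)
{
    uint8_t code = ev[0] & 0x7F;
    return (ev[0] & X_SENT_FLAG) &&
           (code == X_KEY_PRESS || code == X_KEY_RELEASE);
}

/* Copies whole events from in to out, dropping synthetic key events.
 * Returns the number kept; *dropped receives the number rejected. */
size_t filter_events(const uint8_t *in, size_t len, uint8_t *out, size_t *dropped)
{
    size_t kept = 0;
    *dropped = 0;
    for (size_t off = 0; off + X_EVENT_SIZE <= len; off += X_EVENT_SIZE) {
        if (is_synthetic_key(in + off)) { (*dropped)++; continue; }
        memcpy(out + kept * X_EVENT_SIZE, in + off, X_EVENT_SIZE);
        kept++;
    }
    return kept;
}

/* Constructed sample: real KeyPress, sent KeyPress, sent KeyRelease, and a
 * sent ClientMessage (code 33), which is not keyboard input and is kept. */
size_t demo(size_t *dropped)
{
    uint8_t in[4 * X_EVENT_SIZE] = {0}, out[4 * X_EVENT_SIZE];
    in[0 * X_EVENT_SIZE] = X_KEY_PRESS;
    in[1 * X_EVENT_SIZE] = X_KEY_PRESS | X_SENT_FLAG;
    in[2 * X_EVENT_SIZE] = X_KEY_RELEASE | X_SENT_FLAG;
    in[3 * X_EVENT_SIZE] = 33 | X_SENT_FLAG;
    return filter_events(in, sizeof in, out, dropped);
}

int main(void) { size_t d, k = demo(&d); printf("kept=%zu dropped=%zu\n", k, d); return 0; }
```

This only covers injected key events; it does nothing about another client reading keyboard input, which is what the "Secure Keyboard" grab addresses.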
