Re: Root privilege (SOLVED)



On Tue, Jan 09, 2007 at 06:17:31PM EST, cga2000 wrote:
> On Tue, Jan 09, 2007 at 03:21:05PM EST, Casey T. Deccio wrote:
> > On Tue, 2007-01-09 at 14:50 -0500, cga2000 wrote: 
> > > > Please investigate sudo and sux.  If used properly, they are more secure
> > > > and certainly more standard than your hack.
> > > 
> > > Done..!  :-)
> > > 
> > > Now, please explain how I can use sudo to transfer X credentials .. 
> > > 
> > 
> > sudo does not transfer X credentials like sux does.  It works because it
> > does not (by default) modify your environment, so $HOME still evaluates
> > to the home of the user running sudo.  xauth looks for the Xauthority
> > file in $HOME/.Xauthority.  Likewise, the DISPLAY variable is not
> > modified.
> 
> Pardon my ignorance .. I do my best to stay away from gui apps .. 
> 
> And I don't use sudo either.
> 
> Mind you, I have thought about it and I have come to the conclusion
> that it is just not worth the trouble setting up sudo in a desktop
> context. 
> 
> I'll stick with plain /bin/su.
> 
> .. Incidentally, your comments helped me figure out that if I ever
> fancied running a gui app as root ..  all I have to do is: 
> 
> $ /bin/su
> 
> .. rather than:
> 
> $ /bin/su -
> 
> Among other things this keeps the environment variables unmodified and
> as such, leaves X credentials untouched.
> 
> .. known about the "-" thing for ages .. but where this xauth thing is
> concerned somehow .. it never clicked ..
> 
> :-)
> 
> > > Also, I'm curious as to what makes sux "more secure".
> > 
> > sux has additional options to limit what is being transferred to the
> > root (or other) user.  For example, the cookies may be transferred as
> > "untrusted" (see man xauth) or not transferred at all.  See man sux for
> > further options.
> 
> Of course I took a look at the "sux" man page.. and of course there are
> "other options" .. and probably more magic in the baffling xauth
> universe .. even stuff that's not covered by the sux script..
> 
> :-)
> 
> But (as far as I can tell) .. 
> 
> I would have thought that manually entering a shell script's content at
> the prompt .. is not likely to be less "secure" than running the script
> itself .. ¿
> 
> Just gives you a bit more time to reflect upon what you are doing.
> 
> I guess I'm just being bloody-minded and suggesting to Roberto that
> there _cannot_ be anything "secure" -- and hopefully not "standard"
> either ..  about a script that makes it easier to indulge in practices
> that are unsafe in the first place.
> 
> :-)
> 
> As Paul J. -- I think -- indicated in another post .. either the gui app
> has been designed (and tested .. audited .. etc.) to run in privileged
> mode (and in this case it should take care of escalating your privileges
> when necessary and ask you for the root password if relevant) .. or it
> has not.
> 
> If it has NOT been designed to run privileged, then there is NO reason
> that I can think of why you should EVER want to escalate your privileges
> -- except possibly when testing something .. such as when you need to
> verify a hunch that a given application does not work correctly because
> you do not have proper access to a resource .. 
> 
> > Regards,
> > Casey Deccio
> 
> Thanks for your explanations ..
> 
> -- 
> On Tue, Jan 09, 2007 at 02:34:08PM EST, Paul Johnson wrote:
> > cga2000 wrote:
> > 
> > > On Sun, Jan 07, 2007 at 09:22:38PM EST, Roberto C. Sanchez wrote:
> > >> On Mon, Jan 08, 2007 at 03:19:56AM +0100, Danesh Daroui wrote:
> > >> > Actually I had tried it before and I couldn't. It is cool since Debian
> > >> > increases security like this, but I modified login settings in login
> > >> > page to allow "root" to login and now it works.
> > >> > 
> > >> I will reiterate the sentiments that some others have expressed.  This
> > >> is a very bad idea.  There is nothing that absolutely requires that you
> > >> login as root.  Between su and sudo, you are able to do anything
> > >> requiring elevated privileges.
> > > 
> > > Quick hack from a bash prompt:
> > > 
> > > $ /bin/su -                                # switch to root
> > > 
> > > # export DISPLAY=:0.0                      # let root access
> > > # export XAUTHORITY=~yourid/.Xauthority    # .. your display
> > > 
> > > # guiapp &                                 # start application
> > 
> > If you want to do all this in a single command, and you have sudo installed,
> > try this:
> > 
> > sudo guiapp &
> > 
> > You might have to fg it if it pops a password prompt, then Ctrl-Z and bg 1
> > to background it again.
> 
> Thanks, Paul .. but I'll stick to /bin/su ..
> 
> As mentioned above ..  sudo does not make much sense in a desktop context.
> 
> Thanks to this mailing list ... I grow wiser by the day.
> 
> cga
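
Added example, not part of the thread: a POSIX shell sketch of the "untrusted" cookie hand-off Casey mentions, using the `generate ... untrusted timeout` form from xauth(1), so a root-run client gets one expiring cookie rather than the user's whole `.Xauthority`. The function names, `XAUTH_BIN` and the 300-second default are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Names (xauth_file, make_untrusted_cookie,
# XAUTH_BIN) and the 300 s default are assumptions made for illustration.
XAUTH_BIN=${XAUTH_BIN:-xauth}

# Authority file an X client reads: $XAUTHORITY if set, else $HOME/.Xauthority.
xauth_file() {
    if [ -n "${XAUTHORITY:-}" ]; then
        printf '%s\n' "$XAUTHORITY"
    else
        printf '%s\n' "${HOME:?HOME is not set}/.Xauthority"
    fi
}

# Write one untrusted, expiring cookie for $DISPLAY into a private temp file.
# Prints the file name; on any failure removes the file and returns non-zero.
make_untrusted_cookie() {
    timeout=${1:-300}
    [ -n "${DISPLAY:-}" ] || { echo "DISPLAY is not set" >&2; return 1; }
    case $timeout in
        ''|*[!0-9]*) echo "timeout must be whole seconds" >&2; return 1 ;;
    esac
    # mktemp creates the file with mode 0600, so other users cannot read it.
    cookie=$(mktemp "${TMPDIR:-/tmp}/xcookie.XXXXXX") || return 1
    # Needs the X server's SECURITY extension, and the caller must already
    # be authorized on $DISPLAY.
    if "$XAUTH_BIN" -f "$cookie" generate "$DISPLAY" . untrusted \
            timeout "$timeout" && [ -s "$cookie" ]; then
        printf '%s\n' "$cookie"
    else
        rm -f "$cookie"
        echo "could not generate an untrusted cookie" >&2
        return 1
    fi
}

# Typical use, as the unprivileged user and then inside the root shell:
#   f=$(make_untrusted_cookie 300)
#   XAUTHORITY=$f DISPLAY=$DISPLAY guiapp     # "guiapp" as in the thread
```

Some applications fail under an untrusted cookie because the server refuses requests that touch other clients' windows.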