Re: Root privilege (SOLVED)
On Tue, Jan 09, 2007 at 06:17:31PM EST, cga2000 wrote:
> On Tue, Jan 09, 2007 at 03:21:05PM EST, Casey T. Deccio wrote:
> > On Tue, 2007-01-09 at 14:50 -0500, cga2000 wrote:
> > > > Please investigate sudo and sux. If used properly, they are more secure
> > > > and certainly more standard than your hack.
> > >
> > > Done..! :-)
> > >
> > > Now, please explain how I can use sudo to transfer X credentials ..
> > >
> >
> > sudo does not transfer X credentials like sux does. It works because it
> > does not (by default) modify your environment, so $HOME still evaluates
> > to the home of the user running sudo. xauth looks for the Xauthority
> > file in $HOME/.Xauthority. Likewise, the DISPLAY variable is not
> > modified.
>
> Pardon my ignorance .. I do my best to stay away from gui apps ..
>
> And I don't use sudo either.
>
> Mind you, I have thought about it and I have come to the conclusion
> that it is just not worth the trouble setting up sudo in a desktop
> context.
>
> I'll stick with plain /bin/su.
>
> .. Incidentally, your comments helped me figure out that if I ever
> fancied running a gui app as root .. all I have to do is:
>
> $ /bin/su
>
> .. rather than:
>
> $ /bin/su -
>
> Among other things this keeps the environment variables unmodified and
> as such, leaves X credentials untouched.
>
> .. known about the "-" thing for ages .. but where this xauth thing is
> concerned somehow .. it never clicked ..
>
> :-)
>
> > > Also, I'm curious as to what makes sux "more secure".
> >
> > sux has additional options to limit what is being transferred to the
> > root (or other) user. For example, the cookies may be transferred as
> > "untrusted" (see man xauth) or not transferred at all. See man sux for
> > further options.
>
> Of course I took a look at the "sux" man page.. and of course there are
> "other options" .. and probably more magic in the baffling xauth
> universe .. even stuff that's not covered by the sux script..
>
> :-)
>
> But (as far as I can tell) ..
>
> I would have thought that manually entering a shell script's content at
> the prompt .. is not likely to be less "secure" than running the script
> itself .. ?
>
> Just gives you a bit more time to reflect upon what you are doing.
>
> I guess I'm just being bloody-minded and suggesting to Roberto that
> there _cannot_ be anything "secure" -- and hopefully not "standard"
> either .. about a script that makes it easier to indulge in practices
> that are unsafe in the first place.
>
> :-)
>
> As Paul J. -- I think -- indicated in another post .. either the gui app
> has been designed (and tested .. audited .. etc.) to run in privileged
> mode (and in this case it should take care of escalating your privileges
> when necessary and ask you for the root password if relevant) .. or it
> has not.
>
> If it has NOT been designed to run privileged, then there is NO reason
> that I can think of why you should EVER want to escalate your privileges
> -- except possibly when testing something .. such as when you need to
> verify a hunch that a given application does not work correctly because
> you do not have proper access to a resource ..
>
> > Regards,
> > Casey Deccio
>
> Thanks for your explanations ..
>
> --
> On Tue, Jan 09, 2007 at 02:34:08PM EST, Paul Johnson wrote:
> > cga2000 wrote:
> >
> > > On Sun, Jan 07, 2007 at 09:22:38PM EST, Roberto C. Sanchez wrote:
> > >> On Mon, Jan 08, 2007 at 03:19:56AM +0100, Danesh Daroui wrote:
> > >> > Actually I had tried it before and I couldn't. It is cool since Debian
> > >> > increases security like this, but I modified login settings in login
> > >> > page to allow "root" to login and now it works.
> > >> >
> > >> I will reiterate the sentiments that some others have expressed. This
> > >> is a very bad idea. There is nothing that absolutely requires that you
> > >> login as root. Between su and sudo, you are able to do anything
> > >> requiring elevated privileges.
> > >
> > > Quick hack from a bash prompt:
> > >
> > > $ /bin/su - /* switch to root */
> > >
> > > # export DISPLAY=:0.0 /* let root access */
> > > # export XAUTHORITY=~yourid/.Xauthority /* .. your display */
> > >
> > > # guiapp & /* start application */
> >
> > If you want to do all this in a single command, and you have sudo installed,
> > try this:
> >
> > sudo guiapp &
> >
> > You might have to fg it if it pops a password prompt, then Ctrl-Z and bg 1
> > to background it again.
>
> Thanks, Paul .. but I'll stick to /bin/su ..
>
> As mentioned above .. sudo does not make much sense in a desktop context.
>
> Thanks to this mailing list ... I grow wiser by the day.
>
> cga
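The lookup Casey describes (X clients use DISPLAY plus the cookie file named by XAUTHORITY, else $HOME/.Xauthority) can be turned into a check of whether a shell is holding its own X cookie or someone else's, as after the "quick hack" above. This is an added example, not code from the thread; the function names are hypothetical, it assumes GNU `stat`, and it treats an empty XAUTHORITY as unset.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Print the authority file an X client would consult for a given environment:
# the XAUTHORITY value when present, otherwise HOME/.Xauthority.
# Simplification (assumption): an empty XAUTHORITY is treated as unset.
xauth_file() {  # usage: xauth_file HOME_VALUE [XAUTHORITY_VALUE]
    if [ -n "${2:-}" ]; then
        printf '%s\n' "$2"
    else
        printf '%s\n' "$1/.Xauthority"
    fi
}

# Classify the X credentials visible to a shell with this environment.
#   no-display      DISPLAY is empty, so clients have no server to contact
#   no-cookie       the authority file is missing or unreadable
#   own-cookie      the file belongs to the numeric uid passed in
#   foreign-cookie  the file belongs to another uid, e.g. a root shell
#                   whose XAUTHORITY points into a user's home directory
x_credential_state() {  # usage: x_credential_state DISPLAY HOME UID [XAUTHORITY]
    display=$1
    uid=$3
    file=$(xauth_file "$2" "${4:-}")
    [ -n "$display" ] || { echo no-display; return; }
    [ -r "$file" ] || { echo no-cookie; return; }
    owner=$(stat -c %u "$file")   # GNU coreutils stat, numeric owner
    if [ "$owner" = "$uid" ]; then
        echo own-cookie
    else
        echo foreign-cookie
    fi
}

# Report on the shell this script runs in.
x_credential_state "${DISPLAY:-}" "${HOME:-}" "$(id -u)" "${XAUTHORITY:-}"
```

Run from a root shell, a result of `foreign-cookie` means GUI programs started there will authenticate to the display with another user's cookie.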