gabriel rosenkoetter on Thu, 18 Oct 2001 00:57:31 -0400


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] KMail from root


On Wed, Oct 17, 2001 at 11:54:17PM -0400, Paul wrote:
> Well, the most immediate effect is the ability to send mail to the PLUG list 
> without delay.

The same would be true if you logged in as yourself. Which is really
the appropriate thing to do. If you absolutely must have root access
at your fingertips, include something like this in whatever KDE's
version of .xsession (where I keep this) is:

  xterm -ls -T root -n root@`hostname` -bg rgb:33/00/00 -e su -m &

(The -bg flag distinguishes this xterm pretty distinctly from the
rest of mine, which happen to be grey.)

Make sure you use xautolock, xscreensaver, or an equivalent if you
do this. (Yes, yes, it's paranoid to do this in your home and if
anyone does break in they'll probably just make off with your
machine rather than trying to use access to your computer to do
something evil that doesn't involve physical burglary, but, on the
other hand, corporate espionage exists and it's a good idea, at
the least, to be in good habits.)

> Security-wise, "xhost + localhost" allows anyone logged into my system to 
> to use my display.

Not exactly. It allows anyone who can make your X server believe
that they are a process running on the local host use your display.
But someone popping windows up on your console is really the least
of the problems this leads to. Remember that the X server is running
as root and that, related to a not-yet-finished discussion about
video cards and linear memory access (which I am still coming back
to, but have to go grab some sources in order to), has what I, at
least, think is inappropriate access to your hardware in a *really*
dangerous, kernel-level kind of way.

If you think no one can make your X server believe that they are
from the localhost, then you really must tell me what you found when
you audited all of XF86. ;^>

I guess my general point here is that being a little bit careful is
really not that hard, solves easily and safely the problem you were
struggling to solve the hard and dangerous, and is generally good
Unix usage practice.

-- 
       ~ g r @ eclipsed.net

Attachment: pgpIlIKFZvQeK.pgp
Description: PGP signature