On Tue, Jan 09, 2007 at 06:17:31PM EST, cga2000 wrote:
> On Tue, Jan 09, 2007 at 03:21:05PM EST, Casey T. Deccio wrote:
> > On Tue, 2007-01-09 at 14:50 -0500, cga2000 wrote:
> > > > Please investigate sudo and sux. If used properly, they are more secure
> > > > and certainly more standard than your hack.
> > >
> > > Done..! :-)
> > >
> > > Now, please explain how I can use sudo to transfer X credentials ..
> > >
> >
> > sudo does not transfer X credentials like sux does. It works because it
> > does not (by default) modify your environment, so $HOME still evaluates
> > to the home of the user running sudo. xauth looks for the Xauthority
> > file in $HOME/.Xauthority. Likewise, the DISPLAY variable is not
> > modified.
>
> Pardon my ignorance .. I do my best to stay away from gui apps ..
>
> And I don't use sudo either.
>
> Mind you, I have thought about it and I have come to the conclusion
> that it is just not worth the trouble setting up sudo in a desktop
> context.
>
> I'll stick with plain /bin/su.
>
> .. Incidentally, your comments helped me figure out that if I ever
> fancied running a gui app as root .. all I have to do is:
>
> $ /bin/su
>
> .. rather than:
>
> $ /bin/su -
>
> Among other things this keeps the environment variables unmodified and
> as such, leaves X credentials untouched.
>
> .. known about the "-" thing for ages .. but where this xauth thing is
> concerned somehow .. it never clicked ..
>
> :-)
>
> > > Also, I'm curious as to what makes sux "more secure".
> >
> > sux has additional options to limit what is being transferred to the
> > root (or other) user. For example, the cookies may be transferred as
> > "untrusted" (see man xauth) or not transferred at all. See man sux for
> > further options.
>
> Of course I took a look at the "sux" man page.. and of course there are
> "other options" .. and probably more magic in the baffling xauth
> universe .. even stuff that's not covered by the sux script..
>
> :-)
>
> But (as far as I can tell) ..
>
> I would have thought that manually entering a shell script's content at
> the prompt .. is not likely to be less "secure" than running the script
> itself .. ¿
>
> Just gives you a bit more time to reflect upon what you are doing.
>
> I guess I'm just being bloody-minded and suggesting to Roberto that
> there _cannot_ be anything "secure" -- and hopefully not "standard"
> either .. about a script that makes it easier to indulge in practices
> that are unsafe in the first place.
>
> :-)
>
> As Paul J. -- I think -- indicated in another post .. either the gui app
> has been designed (and tested .. audited .. etc.) to run in privileged
> mode (and in this case it should take care of escalating your privileges
> when necessary and ask you for the root password if relevant) .. or it
> has not.
>
> If it has NOT been designed to run privileged, then there is NO reason
> that I can think of why you should EVER want to escalate your privileges
> -- except possibly when testing something .. such as when you need to
> verify a hunch that a given application does not work correctly because
> you do not have proper access to a resource ..
>
> > Regards,
> > Casey Deccio
>
> Thanks for your explanations ..
>
> --
> On Tue, Jan 09, 2007 at 02:34:08PM EST, Paul Johnson wrote:
> > cga2000 wrote:
> >
> > > On Sun, Jan 07, 2007 at 09:22:38PM EST, Roberto C. Sanchez wrote:
> > >> On Mon, Jan 08, 2007 at 03:19:56AM +0100, Danesh Daroui wrote:
> > >> > Actually I had tried it before and I couldn't. It is cool since Debian
> > >> > increases security like this, but I modified login settings in login
> > >> > page to allow "root" to login and now it works.
> > >> >
> > >> I will reiterate the sentiments that some others have expressed. This
> > >> is a very bad idea. There is nothing that absolutely requires that you
> > >> login as root. Between su and sudo, you are able to do anything
> > >> requiring elevated privileges.
> > >
> > > Quick hack from a bash prompt:
> > >
> > > $ /bin/su -                               /* switch to root    */
> > >
> > > # export DISPLAY=:0.0                     /* let root access   */
> > > # export XAUTHORITY=~yourid/.Xauthority   /* .. your display   */
> > >
> > > # guiapp &                                /* start application */
> >
> > If you want to do all this in a single command, and you have sudo installed,
> > try this:
> >
> > sudo guiapp &
> >
> > You might have to fg it if it pops a password prompt, then Ctrl-Z and bg 1
> > to background it again.
>
> Thanks, Paul .. but I'll stick to /bin/su ..
>
> As mentioned above .. sudo does not make much sense in a desktop context.
>
> Thanks to this mailing list ... I grow wiser by the day.
>
> cga
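
A diagnostic for the credential lookup discussed in this thread, added here as an example and not code from any of the posters: `x_cred_status` resolves the authority file as `$XAUTHORITY` if set, otherwise `$HOME/.Xauthority`, and `compare_cases` replays the "environment kept", "environment reset" and "quick hack" situations in subshells. The function names, the directory arguments and the owner-only permission check are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Print one word describing the X credentials a GUI app started from this
# environment would find. Lookup order: $XAUTHORITY, else $HOME/.Xauthority.
x_cred_status() {
    if [ -z "${DISPLAY:-}" ]; then
        echo no-display; return 1
    fi
    authfile=${XAUTHORITY:-${HOME:-}/.Xauthority}
    if [ ! -r "$authfile" ]; then
        echo no-authfile; return 1
    fi
    # Added check (assumption: cookie files should be owner-only, mode 0600
    # or 0400); anything wider lets other local users read the cookie.
    case $(ls -ldL "$authfile") in
        -rw-------*|-r--------*) echo ok ;;
        *) echo loose-perms; return 2 ;;
    esac
}

# Simulate three environments from the thread in subshells; no su or sudo is
# run. $1 = invoking user's home, $2 = root's home (constructed directories).
compare_cases() {
    user_home=$1 root_home=$2
    # Environment passed through unchanged: HOME still the user's, DISPLAY kept.
    kept=$(DISPLAY=:0.0; HOME=$user_home; unset XAUTHORITY; x_cred_status) || :
    # Environment reset as by a login shell (su -): DISPLAY gone, HOME is root's.
    reset=$(unset DISPLAY XAUTHORITY; HOME=$root_home; x_cred_status) || :
    # The "quick hack": reset environment, then DISPLAY/XAUTHORITY set by hand.
    manual=$(DISPLAY=:0.0; HOME=$root_home
             XAUTHORITY=$user_home/.Xauthority; x_cred_status) || :
    echo "kept=$kept reset=$reset manual=$manual"
}

# Report for the shell this is run from, e.g. right after su or sudo -s.
x_cred_status || :
```

Whether a particular su or sudo invocation keeps or resets these variables depends on its version and configuration, so run `x_cred_status` inside the root shell you actually obtained.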