[MLUG] X clarification please

Yanik Doucet yanikd at gmail.com
Sat Apr 30 21:44:07 EDT 2011 

The way I see it, users shouldn't be able to use sudo system wide à la
Ubuntu.  Having a customized sudoers config would be highly recommended.
 There isn't that much tasks a user would want to do as root, aside from
applying updates.  And I would configure it password-less too.  That way if
a simple user gets compromised by some script on a webpage, script can't
sniff the user's password.

As for doing root tasks, the best practice would be to alt-f1 for example.
 Anything done in a real TTY can't be sniffed as it's outside of X.

I did try the simple example given in the link, and it actually sniffed when
a key is pressed and when it is released.  But it only gives a key number
and I just can't find the documentation with the keyboard keys mapping.
 It's not ascii.  Any ideas?



On Sat, Apr 30, 2011 at 8:01 PM, Jeremy <me at jeremychapman.info> wrote:

> On 11-04-30 02:39 PM, Leslie S Satenstein wrote:
>
>> I understood that X was not designed with security in mind. I have this
>> question, given a small environment of 3-4 users, all of which are
>> locally attached.
>>
>> Is my use of root, given these users are all local on the system with
>> Gnome, a risk if none of the users are hostile?
>>
>> If someone logs into the system with remote desktop, (not happening
>> during the day), is he able to see all the keypresses, as outlined in
>> the link I was referred to in the previous emails?
>>
>> If he/she has to be on the system, and go through the effort to capture
>> my Gnome keystrokes, then what is the danger of a breech from remote
>> logon (secure telnet via putty)? Just because a danger is possible from
>> a local user only, what is the risk to using root under Gnome? Is the
>> risk any less with Gnome3 or XFCE? The local user's are doing authoring
>> of material and may from time to time, access Google or other search
>> engine.
>>
>
> I think it is easiest to say that elevating privileges is a better way to
> do handle it. Give the program you want to run root privileges, not the
> user.
>
> If you make a shortcut (application starter) and just put sudo (or gksudo)
> before the command it will pop up a password prompt and just that process is
> running with root privileges.
>
> A good trick as well is to use the sudoers file and specify programs users
> should be allowed to run, and you can also specify that no password is
> needed for certain users on certain programs.
>
> There just is no good reason to run as root, since all it takes is a sudo
> call to get there. Plus no need to log out and log in again as root to do
> things.
>
> I'll let someone else answer whether keystrokes can be captured and so on
> ;)
>
> Jeremy
> _______________________________________________
> mlug mailing list
> mlug at listserv.mlug.ca
> https://listes.koumbit.net/cgi-bin/mailman/listinfo/mlug-listserv.mlug.ca
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/mlug-listserv.mlug.ca/attachments/20110430/6edb98ea/attachment.htm>

More information about the mlug mailing list