[MLUG] X clarification please

Patricia Campbell triciamontreal at gmail.com
Sat Apr 30 22:14:43 EDT 2011


IMHO it is dangerous to / you can never assume none of the users are hostile;
any userid can be an ingress point. Did you read the HBGary story?
http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars

It is easier to bolt the barn door than find the horse...
On Sat, Apr 30, 2011 at 9:44 PM, Yanik Doucet <yanikd at gmail.com> wrote:

> The way I see it, users shouldn't be able to use sudo system wide à la
> Ubuntu.  Having a customized sudoers config would be highly recommended.
> There aren't that many tasks a user would want to do as root, aside from
> applying updates.  And I would configure it password-less too.  That way if
> a simple user gets compromised by some script on a webpage, the script can't
> sniff the user's password.
>
> As for doing root tasks, the best practice would be to alt-f1 for example.
> Anything done in a real TTY can't be sniffed as it's outside of X.
>
> I did try the simple example given in the link, and it actually sniffed
> when a key is pressed and when it is released.  But it only gives a key
> number and I just can't find the documentation with the keyboard key
> mapping.  It's not ASCII.  Any ideas?
>
>
>
> On Sat, Apr 30, 2011 at 8:01 PM, Jeremy <me at jeremychapman.info> wrote:
>
>> On 11-04-30 02:39 PM, Leslie S Satenstein wrote:
>>
>>> I understood that X was not designed with security in mind. I have this
>>> question, given a small environment of 3-4 users, all of whom are
>>> locally attached.
>>>
>>> Is my use of root, given these users are all local on the system with
>>> Gnome, a risk if none of the users are hostile?
>>>
>>> If someone logs into the system with remote desktop, (not happening
>>> during the day), is he able to see all the keypresses, as outlined in
>>> the link I was referred to in the previous emails?
>>>
>>> If he/she has to be on the system, and go through the effort to capture
>>> my Gnome keystrokes, then what is the danger of a breach from remote
>>> logon (secure telnet via putty)? Just because a danger is possible from
>>> a local user only, what is the risk to using root under Gnome? Is the
>>> risk any less with Gnome3 or XFCE? The local users are doing authoring
>>> of material and may from time to time access Google or another search
>>> engine.
>>>
>>
>> I think it is easiest to say that elevating privileges is a better way to
>> handle it. Give the program you want to run root privileges, not the
>> user.
>>
>> If you make a shortcut (application starter) and just put sudo (or gksudo)
>> before the command it will pop up a password prompt and just that process is
>> running with root privileges.
>>
>> A good trick as well is to use the sudoers file and specify programs users
>> should be allowed to run, and you can also specify that no password is
>> needed for certain users on certain programs.
>>
>> There just is no good reason to run as root, since all it takes is a sudo
>> call to get there. Plus no need to log out and log in again as root to do
>> things.
>>
>> I'll let someone else answer whether keystrokes can be captured and so on
>> ;)
>>
>> Jeremy


-- 
___..___........__.......__
...|....|__/....|...|......|...|__|
...|....|.....\...|...|__..|...|....|

"You must be the change you wish to see in the world." Mohandas K Gandhi
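
The restricted sudoers setup discussed in the quoted replies above, shown as an added example that is not part of any poster's message: the broad Ubuntu-style grant beside a narrow, password-less grant limited to applying updates. The file name, user names and alias names are hypothetical.

```sudoers
# /etc/sudoers.d/mlug-example   (hypothetical file name)
# Constructed example; alice, bob and carol are placeholder accounts.

# Broad grant of the kind the thread argues against: every member of the
# group may run any command as any user. Shown commented out for contrast.
# %admin  ALL=(ALL) ALL

# Narrow grant: name the users and the exact command lines they may run.
User_Alias  AUTHORS = alice, bob, carol
Cmnd_Alias  UPDATES = /usr/bin/apt-get update, \
                      /usr/bin/apt-get upgrade

# When a command is listed with arguments, the arguments typed by the user
# must match exactly, so "apt-get install <pkg>" or extra options are refused.
# NOPASSWD means no password is typed inside the X session for these two
# commands, which is the password-less setup suggested in the thread.
AUTHORS  ALL = (root) NOPASSWD: UPDATES

# No other rule exists for AUTHORS, so every other "sudo <command>" from
# these accounts is denied and logged.

# Before adding a command to a NOPASSWD list, check that it cannot start a
# shell, pager or editor: such a command gives the caller full root no matter
# how narrow the rule looks.
```

Check the syntax with `visudo -c -f /etc/sudoers.d/mlug-example` before relying on the file, and confirm what an account may run with `sudo -l -U alice`.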