[MLUG] X clarification please

Yanik Doucet yanikd at gmail.com
Sat Apr 30 22:53:48 EDT 2011 

But my understanding was that we're talking PC here, not server.  Right?




On Sat, Apr 30, 2011 at 10:14 PM, Patricia Campbell <
triciamontreal at gmail.com> wrote:

> IMHO It is dangerous to / you can never assume none of the users are
> hostile any userid can be an ingress, point did you read the hbgary story ?
>
> http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars
>
> It is easier to bolt the barn door than find the horse...
>
> <http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars>
>  On Sat, Apr 30, 2011 at 9:44 PM, Yanik Doucet <yanikd at gmail.com> wrote:
>
>> The way I see it, users shouldn't be able to use sudo system wide à la
>> Ubuntu.  Having a customized sudoers config would be highly recommended.
>>  There isn't that much tasks a user would want to do as root, aside from
>> applying updates.  And I would configure it password-less too.  That way if
>> a simple user gets compromised by some script on a webpage, script can't
>> sniff the user's password.
>>
>> As for doing root tasks, the best practice would be to alt-f1 for example.
>>  Anything done in a real TTY can't be sniffed as it's outside of X.
>>
>> I did try the simple example given in the link, and it actually sniffed
>> when a key is pressed and when it is released.  But it only gives a key
>> number and I just can't find the documentation with the keyboard keys
>> mapping.  It's not ascii.  Any ideas?
>>
>>
>>
>> On Sat, Apr 30, 2011 at 8:01 PM, Jeremy <me at jeremychapman.info> wrote:
>>
>>> On 11-04-30 02:39 PM, Leslie S Satenstein wrote:
>>>
>>>> I understood that X was not designed with security in mind. I have this
>>>> question, given a small environment of 3-4 users, all of which are
>>>> locally attached.
>>>>
>>>> Is my use of root, given these users are all local on the system with
>>>> Gnome, a risk if none of the users are hostile?
>>>>
>>>> If someone logs into the system with remote desktop, (not happening
>>>> during the day), is he able to see all the keypresses, as outlined in
>>>> the link I was referred to in the previous emails?
>>>>
>>>> If he/she has to be on the system, and go through the effort to capture
>>>> my Gnome keystrokes, then what is the danger of a breech from remote
>>>> logon (secure telnet via putty)? Just because a danger is possible from
>>>> a local user only, what is the risk to using root under Gnome? Is the
>>>> risk any less with Gnome3 or XFCE? The local user's are doing authoring
>>>> of material and may from time to time, access Google or other search
>>>> engine.
>>>>
>>>
>>> I think it is easiest to say that elevating privileges is a better way to
>>> do handle it. Give the program you want to run root privileges, not the
>>> user.
>>>
>>> If you make a shortcut (application starter) and just put sudo (or
>>> gksudo) before the command it will pop up a password prompt and just that
>>> process is running with root privileges.
>>>
>>> A good trick as well is to use the sudoers file and specify programs
>>> users should be allowed to run, and you can also specify that no password is
>>> needed for certain users on certain programs.
>>>
>>> There just is no good reason to run as root, since all it takes is a sudo
>>> call to get there. Plus no need to log out and log in again as root to do
>>> things.
>>>
>>> I'll let someone else answer whether keystrokes can be captured and so on
>>> ;)
>>>
>>> Jeremy
>>> _______________________________________________
>>> mlug mailing list
>>> mlug at listserv.mlug.ca
>>> https://listes.koumbit.net/cgi-bin/mailman/listinfo/mlug-listserv.mlug.ca
>>>
>>
>>
>> _______________________________________________
>> mlug mailing list
>> mlug at listserv.mlug.ca
>> https://listes.koumbit.net/cgi-bin/mailman/listinfo/mlug-listserv.mlug.ca
>>
>>
>
>
> --
> ___..___........__.......__
> ...|....|__/....|...|......|...|__|
> ...|....|.....\...|...|__..|...|....|
>
> "You must be the change you wish to see in the world." Mohandas K Gandhi
>
> _______________________________________________
> mlug mailing list
> mlug at listserv.mlug.ca
> https://listes.koumbit.net/cgi-bin/mailman/listinfo/mlug-listserv.mlug.ca
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/mlug-listserv.mlug.ca/attachments/20110430/35045960/attachment.htm>

More information about the mlug mailing list