Why does X run as root?

Matt McCutchen matt at mattmccutchen.net
Tue Aug 24 01:17:50 UTC 2010


On Mon, 2010-08-23 at 13:16 -0400, Matthew Miller wrote:
> On Fri, Aug 20, 2010 at 09:24:42PM +0200, Till Maas wrote:
> > > On Thu, Aug 19, 2010 at 06:49:33PM +0100, Matthew Garrett wrote:
> > > > > I think "run X as user Xorg if you're on KMS" would be a fine
> > > > > F15Feature to aim for.  Ubuntu's been working on it too:
> > > > Of course, doing so just turns it from "Running code as X gives you 
> > > > root" to "Running code as X gives you root the moment someone types in a 
> > > > root password, even if they're on a different terminal". I accept that 
> > > This sounds like yet another good argument for removing the need to ever
> > > type a root password.
> > How does this make it better? Then someone would spy on the user password of
> > someone with sudo capabilities.
> 
> If sudo is configured to give root access with the user password with no
> further restrictions, you're right. But it opens the doors to other
> possibilities, like requiring kerberos or key- or cert-based authentication
> for login. I know it's not feasible for most end-user desktops, but here we
> use two-factor authentication tokens for administrative access.

More generally, the situation would be, "Running code as X lets you read
anything typed on any terminal".  IMO, that's still pretty bad, and we
can hardly claim success in reducing the privileges of X without fixing
it.  Users are going to be entering secrets of one kind or another on
the keyboard for the foreseeable future.

-- 
Matt


