On running gui applications as root

Ian Malone ibmalone at gmail.com
Thu Nov 19 16:18:25 UTC 2015


On 19 November 2015 at 15:31, Adam Jackson <ajax at redhat.com> wrote:
> On Wed, 2015-11-18 at 21:45 +0000, Ian Malone wrote:
>
>> Not really getting this. For any configuration task where you replace
>> editing a root-owned text file with access through some authorised
>> gui, that gui is still vulnerable.
>
> That gui's code, unlike emacs, doesn't allow you to write arbitrary
> data to arbitrary files.  I can feed arbitrary input events to an emacs
> window and have it modify any file the process could modify.  It's a
> lot harder to get, say, virt-manager to write arbitrary data to
> arbitrary places.
>

Harder, but you still have the permissions that the application has,
whatever route it may be using to modify those files. Emacs (for
example) while you are using it does not just access arbitrary files
under normal operation unless instructed; an attacker needs to subvert
it somehow. There are differences of course, but if an application has
rights that allow it access to things then someone taking control of
it can access them too.

-- 
imalone
http://ibmalone.blogspot.co.uk

