Comments on: Never IRC as Root http://etbe.coker.com.au/2007/08/27/never-irc-as-root/ Linux, politics, and other interesting things Wed, 08 Feb 2012 17:45:05 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: dud3 http://etbe.coker.com.au/2007/08/27/never-irc-as-root/comment-page-1/#comment-12337 dud3 Thu, 21 Feb 2008 13:02:06 +0000 http://etbe.coker.com.au/2007/08/27/never-irc-as-root/#comment-12337 i don't know, the whole conservation sucks to me.. "not every linux also has a hacker init!" :-D dud3 i don’t know, the whole conservation sucks to me.. “not every linux also has a hacker init!” :-D

dud3

]]> By: etbe http://etbe.coker.com.au/2007/08/27/never-irc-as-root/comment-page-1/#comment-2903 etbe Mon, 27 Aug 2007 11:44:16 +0000 http://etbe.coker.com.au/2007/08/27/never-irc-as-root/#comment-2903 niq: konversation is a bad example. Unless you use xephyr there is no good way of restricting the access granted to an X client at the moment. Also a setuid program does not lose access to it's former UID, the setuid bit ADDs privileges and does not remove any. Some programs that are not designed to be setuid will recognise this situation and drop privs. I'll have to write a separate post about setuid programs. niq: konversation is a bad example. Unless you use xephyr there is no good way of restricting the access granted to an X client at the moment. Also a setuid program does not lose access to it’s former UID, the setuid bit ADDs privileges and does not remove any. Some programs that are not designed to be setuid will recognise this situation and drop privs.

I’ll have to write a separate post about setuid programs.

]]> By: niq http://etbe.coker.com.au/2007/08/27/never-irc-as-root/comment-page-1/#comment-2901 niq Mon, 27 Aug 2007 08:27:39 +0000 http://etbe.coker.com.au/2007/08/27/never-irc-as-root/#comment-2901 Erm .. simple up to a point but no further ... Some of us use an IRC client that's well-integrated with the desktop. So the acid test seems to be (in outline): # adduser irc-client # chown irc-client /usr/bin/konversation # chmod 4755 /usr/bin/konversation Now we can tweak irc-client's privileges to exactly what's needed and no more. But it doesn't work: the client declines to run, at which point "Can't Be Arsed" becomes a seductive option. Erm .. simple up to a point but no further …

Some of us use an IRC client that’s well-integrated with the desktop. So the acid test seems to be (in outline):

# adduser irc-client
# chown irc-client /usr/bin/konversation
# chmod 4755 /usr/bin/konversation

Now we can tweak irc-client’s privileges to exactly what’s needed and no more. But it doesn’t work: the client declines to run, at which point “Can’t Be Arsed” becomes a seductive option.

]]> By: etbe http://etbe.coker.com.au/2007/08/27/never-irc-as-root/comment-page-1/#comment-2897 etbe Mon, 27 Aug 2007 01:05:42 +0000 http://etbe.coker.com.au/2007/08/27/never-irc-as-root/#comment-2897 For office workers all protection ultimately comes down to what the sys-admin provides. In that case probably the best they can do is refer their sys-admin to my blog post. For office workers all protection ultimately comes down to what the sys-admin provides. In that case probably the best they can do is refer their sys-admin to my blog post.

]]> By: Scott Robinson http://etbe.coker.com.au/2007/08/27/never-irc-as-root/comment-page-1/#comment-2896 Scott Robinson Mon, 27 Aug 2007 00:40:08 +0000 http://etbe.coker.com.au/2007/08/27/never-irc-as-root/#comment-2896 Yes, someone who could run as root can easily not. I was thinking about users who don't have root access. University accounts, the typical office worker, and younger family members are examples. Personal data protection is what I'm thinking about. Yes, someone who could run as root can easily not.

I was thinking about users who don’t have root access. University accounts, the typical office worker, and younger family members are examples. Personal data protection is what I’m thinking about.

]]> By: etbe http://etbe.coker.com.au/2007/08/27/never-irc-as-root/comment-page-1/#comment-2894 etbe Mon, 27 Aug 2007 00:16:30 +0000 http://etbe.coker.com.au/2007/08/27/never-irc-as-root/#comment-2894 Both 1 and 2 can be easily implemented by anyone who might consider running irc as root. If someone has no root access on any machine then they can usually get multiple user accounts if they wish. The last time I lacked root access was when using time sharing systems at university, I had accounts on several machines and used them for different tasks - mostly for convenience but there were some security benefits too. 3 is a default configuration of the SE Linux strict policy. I'll start writing about that when I have it working well in Debian again. Both 1 and 2 can be easily implemented by anyone who might consider running irc as root.

If someone has no root access on any machine then they can usually get multiple user accounts if they wish. The last time I lacked root access was when using time sharing systems at university, I had accounts on several machines and used them for different tasks – mostly for convenience but there were some security benefits too.

3 is a default configuration of the SE Linux strict policy. I’ll start writing about that when I have it working well in Debian again.

]]>