[OT] Re: Running graphical programs as root

Ray Andrews rayandrews at eastlink.ca
Fri May 11 17:45:22 CEST 2012


Gentlemen,

My rantings about 'root' and all raised some interesting responses. It's 
not strictly on topic, so I hope the moderator will let me know if I 
shouldn't wander off like this.

On 09/05/12 10:57 AM, houghi wrote:
>
> If root types ' rm -r / ' well ... he typed it, too bad.  OTOH if I'm
> playing an .mp3 as root and there's some devilish exploit in there,
> might there not be some way of monitoring for that?
> No. Because it has no idea if it is some exploit or if it is expected
> behaviour. Perhaps my idea of fun is listening to Wagner while I delete a
> hard drive.
But that misses the point.  If *I* delete a hard drive via my own KB 
while listening to Wagner -- hey, 'Twilight of the Gods' would be the 
thing to listen to, wouldn't it ;-) -- then that's fine.  But is it 
reasonable to expect that VLC would delete a hard drive? Ever? Even when 
I'm listening to AC/DC? What I'm reaching for is some sort of 'guardian' 
program that would keep an eye on a few user choosable rules:

-VLC: never allowed to delete HDDs.
-Kate: only allowed to modify currently loaded file.
-Internet Chess: chess moves only, no loading of hacked kernels.
- ...

It seems to me that even when running as root, there might still be some 
sort of monitoring going on that might check for obvious mischief.  E.g., 
if someone has hacked into my machine there could be a popup to that 
effect.  It would make 'root' a bit less dangerous. Dunno, it's just an 
idea.

  Security software helps combat
malware and close off ridiculously open services but actually likely
makes for a higher attack surface for a hacker.

Basically you can almost guarantee stopping a machine doing what a hacker
wants it to do, you can't stop a hacker doing what you do anyway which
probably includes everything important to you. Often they want your
computer not your info though. To protect your info you need simple
bug-free code, aka OpenBSD and a scriptless browser and/or a good
separation strategy etc.

If you want a secure computer use unix.

The saying goes

If you need a secure computer, don't connect it to the internet, don't
turn it on, and bury it in a shielded bunker.

There are many layers and details to exploits. You just make it as
difficult as makes sense to you. On linux they need to exploit the
browser and then somehow get a shell and run other exploits on local
programs to raise privileges and hope no other security technology is
around.

That's a good example. Why can't I be informed if someone is trying to 
start a shell on my machine remotely? It's a bit scary that when one is 
on the internet, one has almost zero information on what is going on.  
When I choose to  download a file, at least I know that I've done that. 
But why not give me some idea that someone is hacking into my machine?  
Like you say, there are so many 'layers', but it seems to me that the 
whole situation needs some new ideas.  I know that some 'nix machines 
are bus-stops, with people coming and going all the time, but my machine 
is single user and I'd like to be advised if *anyone* is trying to use 
it besides me.




