[OT] Re: Running graphical programs as root

Ray Andrews rayandrews at eastlink.ca
Mon May 14 17:35:49 CEST 2012


On 14/05/12 04:55 AM, Kevin Chadwick wrote:
> On Sat, 12 May 2012 07:28:18 -0700
> Ray Andrews wrote:
>
>> Very interesting! So I'm not the first to wonder about better
>> protections. I will look at these things.  At the least I'll instruct it
>> that VLC is only permitted to play music ;-)
> You managed to pull me out of silence yet again. Hopefully before you've
> spent any time. I'll say this.
Thanks Kevin, I'll save your post as a good overview of this subject.  
However, so far I have had zero security issues on my system which is 
why I have been looking at this issue 'backwards', i.e. I have not been 
asking 'how can I get more security?' rather I have been asking 'why 
can't root play music with VLC without endangering the system?' which is 
almost to ask: 'how can I turn that security OFF because I don't think I 
need it'. But I will examine this RBAC and I'm sure I will learn more 
about that topic.

>
> You have to know about what a program needs. RBAC has a
> learning mode which builds policies for you but then only allows
> complete system enforcement to prevent any false sense of security, so
> ANYTHING you haven't done during learning mode, you won't be able to do
> once enabled and updates may require a re-learn/maintenance. It's
> security is better than selinux that uses LSM but also requires a
> grsecurity kernel which almost no distro provides and aren't for your
> average user. (sonnet and alpine)
>
>
> I'm not a fan of Fedora partly due to it's minimum system requirements
> but Fedora probably? has the most selinux policies by default. You may
> need to put selinux into enforcement mode though, not sure if it's
> enabled by default for some programs or not, I haven't really looked at
> running selinux since selinux was in beta in Fedora 3 or something. It
> also has an selinux sandbox letting you run apps inside that trounces
> any windows sandbox.
>
>
> There's also a lot you can do simply with traditional unix security
> tools, like firewalls, chroot, users/groups and permissions. (grossly
> underestimated in fact, it's so useful mainly due to the unix philosophy
> of everything is a file but this philosophy is unfortunately beginning
> to be eroded with recent developments like polkit, greater usage of IPC
> like Windows and also amalgamation of configs).
> _______________________________________________
> Xfce mailing list
> Xfce at xfce.org
> https://mail.xfce.org/mailman/listinfo/xfce
> http://www.xfce.org
>



More information about the Xfce mailing list