Re: Lock Screen as root

> Erik Hemdal wrote:
> 
> > On the gnome-list, a posting noted that one can bypass the screensaver
> > anyway with CTRL-ALT-F1, so logging in as root is dangerous.  But I
> > tried this, and while I can bypass the screensaver, I still must log in
> > to my virtual terminals.  So no loss of security.
> 
> If root did a graphical login, you're right.
> 
> But if root has started the X session with "startx" in one of the virtual
> terminals, you can go to that virtual terminal, do a Ctrl-C (killing X)
> and get a root shell.

Thank you, Roberto.  I was beginning to think that maybe I had grown an extra
head or something that made others not want to answer the question.  Or
maybe this is another bit of GNOME design wisdom that is just
incomprehensible to me and obvious to everyone else.  I appreciate that you
took the time to try to explain a dangerous case.

I tried your idea and you're right, of course.  Launching X via startx is
insecure because it does nothing to secure root's original login shell.  But
preventing root from locking the screen doesn't make this "startx" case more
secure.  And preventing locking after root does a graphical login _does_
make the system a bit less secure; particularly when the Preferences GUI
says root can do it.  

Certainly, you don't want to routinely do this.  But this behavior seems
inconsistent to the point of being a defect.  I can understand that there
might be a security hole if the screensaver has to make connections to what
might be a remote X server (I can remember at least one system on which X
would fail to start if the network interface was unterminated).  But if this
is so dangerous, why not prevent graphical root logins altogether?

I'm still in the hunt for a good explanation of the behavior, so I'll keep
looking.

Erik

> 
> Best regards.
> -- 
>    Roberto Ragusa    mail at robertoragusa.it
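
Added example, not part of the original thread: a check for the "startx" case discussed above, where a login shell is left waiting on a virtual terminal behind the X session. The function name, the shell-name pattern and the sample process table are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added illustration (not from the thread): flag shells left waiting behind
# an X session started with startx/xinit. Input format is the output of
#   ps -eo pid,ppid,tty,user,comm

find_exposed_startx() {
    awk '
        BEGIN { n = 0 }
        $1 == "PID" { next }                  # skip the ps header line
        {
            ppid[$1] = $2; tty[$1] = $3; user[$1] = $4; comm[$1] = $5
            pids[n++] = $1
        }
        END {
            for (i = 0; i < n; i++) {
                p = pids[i]
                if (comm[p] != "startx" && comm[p] != "xinit") continue
                parent = ppid[p]
                # A shell as the direct parent means that killing X on that
                # terminal hands control back to the shell, still logged in.
                if (comm[parent] ~ /^-?(ba|da|z|k|tc|c)?sh$/)
                    print user[parent], tty[parent], parent, comm[parent]
            }
        }'
}

# Constructed sample: root ran "startx" from a bash login on tty1 (exposed);
# erik ran "exec startx" on tty2, so no shell remains behind the session.
SAMPLE_PS='  PID  PPID TT       USER     COMMAND
  700     1 tty1     root     login
  701   700 tty1     root     bash
  750   701 tty1     root     startx
  751   750 tty1     root     xinit
  752   751 tty7     root     Xorg
  800     1 tty2     erik     login
  801   800 tty2     erik     startx
  802   801 tty2     erik     xinit'

# Prints one line per exposed shell: user, tty, pid, command.
check_sample() { printf '%s\n' "$SAMPLE_PS" | find_exposed_startx; }
check_sample
```

On a live system, pipe `ps -eo pid,ppid,tty,user,comm` into `find_exposed_startx`. Starting the session with `exec startx` replaces the login shell, so nothing is left on the terminal to return to when X exits.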
