Re: running X as root in centos 6

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



--On Wednesday, July 27, 2011 02:20:48 PM -0500 Les Mikesell
<lesmikesell@xxxxxxxxx> wrote:

> OK, now look at that from the other direction.  I'm as concerned about 
> the security of my own account as anything else (and in fact there may 
> be root ssh keys accessible to my account). If something is not suitable 
> to be run as root, why should I believe that it is suitable to run under 
> my account?

Sure, that's fine if we're talking about known defects.  Absolutely
they should be fixed.  If people report them, they usually are.

However, where those recommendations come from are more having to
do with unknown defects, which will always be there regardless of 
what software your're running (or at least often enough that the
few cases of proven-correct programs aren't worth considering).

The difference is that if you're using an unprivelged account and
you hit a defect, likely the worst thing that will happen is the 
program will core dump.  (Yes, the worst thing may actually be that
it tromps everything in your home directory, but that is in some
sense less likely to occur in the general case.)

But if you're running that program as root your worst case is 
crashing the whole machine (instead of just the program), or wiping
out all data on the machine (instad of just your home directory).

> Sympathy isn't what I'm looking for.

And FWIW my comment wasn't intended to be offensive.

> I'd rather have some assurance 
> that a tool is safe to run under any circumstance

And anyone who offers such assurance is generally selling you
a pig in a poke.  Such proofs are generally NP-hard (IIRC; I'm
sure someone will correct me if I used the wrong classification).

Short version: Programs that are intended to be run in a high
risk environment get more scrutiny, are less likely to cause a
problem, but can cost _significantly_ more to build.  Run other
stuff in a high risk environment and you're gambling.  That
principle applies throughout the industry, not just here.

Devin

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos


[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux