While the argument that being forced to su to root is somehow less secure than GDMing as root isn't great, your counter-argument is totally broken.

Yes, your root-owned binaries are protected from modification by programs running under your (non-root) user credentials. However, this certainly doesn't mean that you are accessing su (or other setuid binaries) in a secure fashion. If the attacker puts "export PATH=~/.evilhackerpath:$PATH" in your path and that directory contains su (or a trojan'd bash, ...) that logs your keystrokes, you lose. A clever attacker will pass through everything to the real su so that you never know the difference. If they don't do it through this means, they could (1) directly alter the process image in memory of a trusted process (e.g., your shell) to do nasty things, (2) add some creative LD_LIBRARY_PATH statements (or other library-affecting env vars) to load trojan (passthrough) versions of standard libraries, (3) ...

The safe way to become root, if you think your normal user account may be violated, would be to log in via the console (or another root-owned process). Any time you enter a process space under the control of an attacker you can be compromised.

On another note: What the heck does anyone *do* as root that requires a GUI?

Your point about why running as root on a multiuser system is bad is quite right.

Cheers,
Adam

On Wed, 2003-04-30 at 01:00, Robert McQueen wrote:
> On Tue, Apr 29, 2003 at 11:33:53AM -0700, Michael Toomim wrote:
> > If a hacker gets access to your account, and then you su to root, he'll
> > sniff your password and get root access. Being a user who periodically
> > logs in as root is just as insecure as being a user who logs in as root.
> >
> > Except that in this case, it's actually LESS secure. Say a hacker gets
> > into my user account. If I were to login as root from GDM, the hacker
> > would still be trapped in my user account. But if I *can't* log in as
> > root from GDM, I'll be forced to su to root instead from my user
> > account, and the hacker will get my password (and consequently root access).
>
> This argument has the minor disadvantage of being completely wrong. If a
> hacker gets access to your user account, then the system utilities or
> kernel etc cannot have been changed to obtain your root password during
> the normal utilisation of your system. Your /bin/su or whatever is still
> owned by root and there's no way the hacker-as-a-user could modify it to
> log or yield your root password. THIS IS THE POINT OF USING YOUR COMPUTER
> AS A USER, AND HAVING ALL THIS STUFF OWNED BY ROOT! [1]
>
> Take the other point of view. What if you use root like your normal user
> account? The hacker gets access to this by the same means he gets access
> to your user account before (probably idiocy in this case?) and not only
> can he turn your HDD into a brick, destroy your data, he can also access
> the user accounts of all the people on your system, and tap all their
> passwords and keypresses for any other systems they use. Now which is
> less secure?
>
> Regards,
> Rob

