John Aldrich wrote:
> On Mon, 06 Sep 1999, you wrote:
> >
> > Not so obvious to me, I am afraid. If you want to use kpackage or linuxconf it
> > is pretty convenient. And adding 127.0.0.1 is no security hole IMO. (Please tell
> > me if you think otherwise).
> >
> Well, my feeling was that kpackage works fine here as a normal user.
> It MAY ask me for my password if I want it to do something that only
> ROOT can do (at least that's what the Mandrake update program does)
> however, I never need to run "xhost +localhost" for kpackage. I don't
> know about linuxconf as I've never tried to run it under X.
> John
Yeah, but I suspect that it may be running something suid. I dunno, but it might
actually be a possible security hole. Then again, it is only on your machine, so it
depends on how paranoid you are. If it is not a critical server I would not worry too
much. Regarding adding localhost, you can come up with an attack that would work this
way. Get into the machine by whichever means (lp maybe?) even if it is as a
restricted user. Then, since your X is open for everybody, you can tap on the keyboard
and just wait for the sap to type the root password. And there you go. It used to be
that you could listen and look at what people were doing on the old SGI Indys.
I don't know, this may be just bullshit, but I think it can be done.