Ralph Shumaker wrote:
>..
> If I run X as rafael, and someone uses an exploit to crack rafael, they
> could conceivably use passwd to set their own password.  This seems like
> a bad thing in a very direct way if rafael also has full sudo
> privileges.  But they could probably, almost as easily, set a keystroke
> sniffer and wait for rafael to pull up a gnome-terminal and "su -" to
> root.  Maybe I should only become su on a console (F1-F6)???

I am far from the most paranoid guy on the block, but neither am I
naive, and I don't really spend much time worrying that somebody will
exploit a bug in JavaScript (or something like that) when I am online
and get access to my machine as <me>. I am behind a firewall that I have
some confidence in (arguably misplaced, since I haven't audited the
source), and I know that I am not running any services that I don't know
about. I pay attention to what services are running and if I ever found
something I didn't install/enable, I would sequester that machine (or
disk) and install a fresh OS to replace it.

Nor do I worry about somebody pointing some spookish hi-tech device at
my keyboard or screen. If someone were targeting me, they could most
easily just break in and steal (or bug/sabotage) my computer. I just
don't try to protect against that risk.

No doubt there are risks I am not aware of and a possibility of some
intrusion installing something sophisticated that I couldn't easily
detect, but I have decided not to worry about it. I do feel I have
reduced security risks to below the risk of hardware failure or
accidental operator error.

Regards,
..jim (Everything is a tradeoff)


-- 
KPLUG-List@kernel-panic.org
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
