Asking a user for the root password and executing root only commands...
Bengt Richter
bokr at oz.net
Wed Oct 30 15:45:47 EST 2002
More information about the Python-list mailing list
On Wed, 30 Oct 2002 18:54:06 GMT, Axel Vandevenne <axel at vandevenne.net> wrote:
>Stuart D. Gathman wrote:
>
>> On Wed, 30 Oct 2002 09:55:03 -0500, Andrew Koenig wrote:
>>
>>> Axel> They should get a nice qt windows asking for the root password,
>>> Axel> which will then check if that's the correct password by probably
>>> Axel> su'ing?
>>>
>>> Don't do this. If it is successful, it will tend to condition users to
>>> believe that it is acceptable to supply the root password to a program
>>> that is not su or sudo. That belief is dangerous, because it makes
>>> users more vulnerable to social engineering.
>>
>> I second this. Think about it. I can send you a python worm that pops up
>> a window, asks for root password, then uses the 'pty' module and 'su' to
>> run any code I desire as root - python or otherwise. Any non-root code
>> with the root password is effectively root code.
>>
>
>I see your point, but you can do this in eg kcontrol too, which is used a LOT
>more than my program will ever be, and my program is for gentoo linux only
>- if you are so naive to give your root password to any program, you'd
>prolly be using windows or mandrake kind of distros...
>
>>What about delegating this task to sudo or kdesu (if KDE is installed)?
>As I stated, I don't want them to have to configure sudo...
>Kdesu seems nice though, but it has the disadvantage that you have to have
>kde installed...
>
>Any other methods, or comments?
>Do more people think it should be started as root (even though kde uses this
>system to ask for a root password)?

Switching security/access privileges should really require a guaranteed secure connection to a trusted program. To guarantee that, there has to be a signal that no userland program can intercept, like Ctrl-Alt-Del on a typical PC. Out of the box my NT handles that better than my OOTB Linux, which was default configured to shut down. I haven't played with that much.

Is there a way to start up a login on Ctrl-Alt-Del (probably meaning take over the video and go into text mode)? I guess this is a bit OT...

Regards,
Bengt Richter