From: Ron Joffe (rjoffe_at_yahoo.com)
Date: Fri Mar 23 2007 - 14:58:50 CET
From: Ron Joffe <rjoffe@yahoo.com>
Date: Fri, 23 Mar 2007 09:58:50 -0400
Message-Id: <200703230958.50468.rjoffe@yahoo.com>
Subject: Re: [suse-sles-e] SLES10 sux (== /bin/su) - broken??

I personally utilize sux quite heavily.
My basic scenario is:
ssh -X to a local user
sux -
run_graphical command
Since the YAST2 modules are getting harder and harder to run from a non
graphical environment, this is the only way we have to run YAST2 from a
remote machine. Root is locked out of ssh for security reasons.
I welcome any suggestions, alternate methods, security issues, etc.
I would really have liked to have seen the sux command stay (at least as a
wrapper to something else) if nothing else then for backwards compatibility
of my brain (and the muscle memory of my fingers as I type the sux command).
Ron
On Friday 23 March 2007 06:49, Rasmus Plewe wrote:
> On Thu, Mar 22, 2007 at 11:35:11AM -0700, Alexei_Roudnev wrote:
> > 1) sux change is not documented in SUSE (about systemuser=1 option).
> > Guess what 99% users will do - they will run
> >
> > xhost + (on their desk)
> > export DISPLAY=...
> >
> > so no security at all.
>
> I think in 99% running a graphical desktop as root shows a questionable
> security awareness. And you're right, people doing this are probably
> likely to mess with xhost as well. But then, if your security awareness
> is that low, you probably have lots of other security problems anyway,
> and an xhost is the least of them...
>
> FWIW, my personal preference for changing user for more than one command
> has always been ssh.
>
>
> Regards,
> Rasmus
--
Ron Joffe
Siena Tech, Inc.
120 Old Bridge Lane
Chapel Hill, NC 27517
(919) 928-0404