From: Alexei_Roudnev (Alexei_Roudnev_at_exigengroup.com)
Date: Fri Mar 23 2007 - 19:09:05 CET
Message-ID: <0ea301c76d76$5856cac0$6401a8c0@alexh>
From: "Alexei_Roudnev" <Alexei_Roudnev@exigengroup.com>
Date: Fri, 23 Mar 2007 11:09:05 -0700
Subject: Re: [suse-sles-e] SLES10 sux (== /bin/su) - broken??

Not a desktop, just an installation:
- you slogin -X or sux as root
- run standard scripts (having an X11 context, but your desktop on your desk is
not root, of course)
- root starts scripts which can su or sux to the system users (such as mysql
or oracle) to do a job.

Nothing is wrong in such a scenario and nothing is insecure.

You can't use ssh to start a command in X11 mode, and that is what is required
in many cases (esp. with Oracle).

On the other hand, 90% of Oracle installation tasks (creating directories,
configuring disks and so on) are done as root,
so you can't just log in as oracle (which doesn't exist when you log in, btw)
and then su root on demand.

And it is only a single example of SLES9 / SLES10 incompatibility and, worse,
undocumented changes.

----- Original Message -----
From: "Rasmus Plewe" <rplewe@suse.de>
To: <suse-sles-e@suse.com>
Sent: Friday, March 23, 2007 3:49 AM
Subject: Re: [suse-sles-e] SLES10 sux (== /bin/su) - broken??
> On Thu, Mar 22, 2007 at 11:35:11AM -0700, Alexei_Roudnev wrote:
> > 1) sux change is not documented in SUSE (about systemuser=1 option). Guess
> > what 99% users will do - they will run
> >
> > xhost + (on their desk)
> > export DISPLAY=...
> >
> > so no security at all.
>
> I think in 99% running a graphical desktop as root shows a questionable
> security awareness. And you're right, people doing this are probably
> likely to mess with xhost as well. But then, if your security awareness
> is that low, you probably have lots of other security problems anyway,
> and an xhost is the least of them...
>
> FWIW, my personal preference for changing user for more than one command
> has always been ssh.
>
>
> Regards,
> Rasmus
> --
> Rasmus Plewe --- Linux Beta Test Coordinator
> SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
> Maxfeldstrasse 5, D-90409 Nuernberg
> tel.: +49-911-74053-644 fax: +49-911-74053-483
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: suse-sles-e-unsubscribe@suse.com
> For additional commands, e-mail: suse-sles-e-help@suse.com
This archive was generated by hypermail 2.1.7 : Fri Mar 23 2007 - 21:12:56 CET