[ Date Index ] [ Thread Index ] [ <= Previous by date / thread ] [ Next by date / thread => ]
On 12/07/11 17:57, Grant Sewell wrote: > On Tue, 12 Jul 2011 14:12:49 +0100 > Kevin Lucas wrote: > >> Just been reading the LinuxUser mag and tried this from Joanna >> Rutkowska It shows how insecure a root shell can be s/root shell/X11/ > or just Never install the Xorg-X11-apps The bad guys will install their own apps that do the same thing, Xkey has been around since at least 2004 (probably earlier) which uses the same library calls to find the keyboard device and record key events. > Not a good situation to be in, but not one I imagine that will cause > that many problems in current systems. Either that or I'm being > short-sighted about this. May be. > It would seem that "xinput --test xx" will only show the input for the > current X session. My keyboard shows up as id 11. I just tried running > "xinput --test 11" in one window, opened another Gnome Terminal window > and sure enough, the xinput test picked up the keypresses from the new > terminal window, including after I had sudo su'd. Not good... but... I > then tried running "xinput --test 11", swapped to another virtual > terminal (CTRL+ALT+F1), logged in, ran a few commands and swapped back > to the X session... none of the keypresses from the "other" session > were picked up. Not surprising as the "other" session didn't involve > X. Yeap. > I can see some potential situations where this would be a potential > problem, but then to my mind those situations would only arise if the > system has been poorly setup anyway. It is a design flaw in X, the design assumption was that anything running as the local user can do anything to the current session. X also has other flaws... from the Open BSD page at Wikipedia ========================= Theo de Raadt commented that the aperture driver was merely "the best we can do" and that X "violates all the security models you will hear of in a university class."[14] He went on to castigate X developers for "taking their time at solving this > 10 year old problem." Recently, a VESA kernel driver has been developed, which permits X to run, albeit more slowly, without the use of the aperture driver[1]. ========================= Those who think GNU/Linux is a secure operating system have had their judgement corrupted by vendors who ship operating systems that are even less secure. -- The Mailing List for the Devon & Cornwall LUG http://mailman.dclug.org.uk/listinfo/list FAQ: http://www.dcglug.org.uk/listfaq