On Tue, 12 Jul 2011 19:45:04 +0100 Simon Waters wrote:

> On 12/07/11 17:57, Grant Sewell wrote:
> > On Tue, 12 Jul 2011 14:12:49 +0100
> > Kevin Lucas wrote:
> >
> >> Just been reading the LinuxUser mag and tried this from Joanna
> >> Rutkowska It shows how insecure a root shell can be
>
> s/root shell/X11/
>
> > or just Never install the Xorg-X11-apps
>
> The bad guys will install their own apps that do the same thing, Xkey
> has been around since at least 2004 (probably earlier) which uses the
> same library calls to find the keyboard device and record key events.
>
> > Not a good situation to be in, but not one I imagine that will cause
> > that many problems in current systems. Either that or I'm being
> > short-sighted about this.
>
> May be.
>
> > It would seem that "xinput --test xx" will only show the input for
> > the current X session. My keyboard shows up as id 11. I just
> > tried running "xinput --test 11" in one window, opened another
> > Gnome Terminal window and sure enough, the xinput test picked up
> > the keypresses from the new terminal window, including after I had
> > sudo su'd. Not good... but... I then tried running "xinput --test
> > 11", swapped to another virtual terminal (CTRL+ALT+F1), logged in,
> > ran a few commands and swapped back to the X session... none of the
> > keypresses from the "other" session were picked up. Not surprising
> > as the "other" session didn't involve X.
>
> Yeap.
>
> > I can see some potential situations where this would be a potential
> > problem, but then to my mind those situations would only arise if
> > the system has been poorly setup anyway.
>
> It is a design flaw in X, the design assumption was that anything
> running as the local user can do anything to the current session.
>
> X also has other flaws... from the Open BSD page at Wikipedia
>
> =========================
> Theo de Raadt commented that the aperture driver was merely "the best
> we can do" and that X "violates all the security models you will hear
> of in a university class."[14] He went on to castigate X developers
> for "taking their time at solving this > 10 year old problem."
> Recently, a VESA kernel driver has been developed, which permits X to
> run, albeit more slowly, without the use of the aperture driver[1].
> =========================
>
> Those who think GNU/Linux is a secure operating system have had their
> judgement corrupted by vendors who ship operating systems that are
> even less secure.

In all honesty, there is no such thing as a "secure operating system" -
there are only levels of insecurity.

Grant.

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq