[Gllug] Fedora 11 gets it wrong

John Edwards john at cornerstonelinux.co.uk
Thu Jun 11 08:54:35 UTC 2009


On Wed, Jun 10, 2009 at 11:14:54PM +0100, Nix wrote:
> On 10 Jun 2009, Peter Corlett told this:
<snip>
>> Basically, GUIs as typically implemented on Linux are a security risk and a
>> performance drag on the system, even if they're not actually being used.
> 
> OK, I'm curious here. How? setuid root X apps? (They can't be setuid
> root Gtk apps unless someone has actually hacked Gtk itself to remove
> the check that stops you doing that.)

Well, the X binary itself is setuid to allow non-root users to
start it.

I can't remember any security holes where just the presence of X
could lead to root access, but I suppose it could be theoretically
possible. Mix it in with some loading of badly written or non-free
graphics drivers.


I have a habit of removing as much as possible of X from any internet
accessible server, but that's mainly a policy of only installing what
you need, and to stop other users getting into bad habits like
unencrypted remote X sessions.

Just noticed that pulseaudio is also setuid, so paranoiacs should
also remove that. After all, the most a server should need is beep
(unless you want to scare the data centre staff).


-- 
#---------------------------------------------------------#
|    John Edwards   Email: john at cornerstonelinux.co.uk    |
#---------------------------------------------------------#
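The thread's practical point is that a server carries setuid binaries it never needed (the X server, pulseaudio) and that the fix is to find and remove them. The script below is an added example, not code from the thread or from any of its participants: it lists setuid/setgid files under a root directory and reports any not on an allowlist, so the output of one run on a freshly built box can become the baseline for later audits. The allowlist format (one absolute path per line), the function names and the constructed sample tree are assumptions for illustration.

```shell
#!/bin/sh
# Added example: audit setuid/setgid binaries against an allowlist.
# Real-host usage:  audit_setuid / /etc/setuid.allow
# Allowlist format (assumed): one absolute path per line, e.g. /usr/bin/passwd

# List setuid/setgid regular files below $1, printed relative to that root
# (so an allowlist written for / also works against a mounted image root).
# Sorted in the C locale so the order is stable for comparison.
list_setuid() {
    root=${1%/}
    find "${root:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null \
        | sed "s#^${root}##" | LC_ALL=C sort
}

# Print every setuid/setgid file under $1 that is not listed in allowlist $2.
# Returns 0 when nothing unexpected is present, 1 otherwise.
audit_setuid() {
    unexpected=$(list_setuid "$1" | grep -vxF -f "$2" || true)
    [ -z "$unexpected" ] && return 0
    printf '%s\n' "$unexpected"
    return 1
}

# Offline demonstration on a constructed sample tree (no real system files).
# The tree contains one expected setuid binary, the two the thread mentions,
# and an ordinary non-setuid binary.
demo_setuid_audit() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/usr/bin"
    : > "$tmp/usr/bin/passwd";     chmod 4755 "$tmp/usr/bin/passwd"      # allowed
    : > "$tmp/usr/bin/Xorg";       chmod 4755 "$tmp/usr/bin/Xorg"        # the X server
    : > "$tmp/usr/bin/pulseaudio"; chmod 4755 "$tmp/usr/bin/pulseaudio"  # from the thread
    : > "$tmp/usr/bin/ls";         chmod 0755 "$tmp/usr/bin/ls"          # not setuid
    printf '%s\n' /usr/bin/passwd > "$tmp/setuid.allow"   # constructed allowlist
    audit_setuid "$tmp" "$tmp/setuid.allow"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

Running `demo_setuid_audit` prints `/usr/bin/Xorg` and `/usr/bin/pulseaudio` and exits non-zero; `/usr/bin/passwd` is on the allowlist and `/usr/bin/ls` is not setuid, so neither appears. Because paths are reported relative to the audited root, the same allowlist serves a live system and an image mounted elsewhere, and the non-zero exit status lets the check sit in a cron job or a configuration-management run.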