Re: GNOME and superuser (privilege raising) integration
- From: Hongli Lai <h lai chello nl>
- To: Philip Van Hoof <spam freax org>
- Cc: desktop-devel-list gnome org
- Subject: Re: GNOME and superuser (privilege raising) integration
- Date: Tue, 13 May 2003 22:05:28 +0200
On Tuesday 13 May 2003 21:23, Philip Van Hoof wrote:
> Hongli Lai wrote:
> Hi there, let me first introduce myself: I have been the author of GNOME
> xsu which has now been renamed to GNOME SuperUser and is now being maintained
> by Mark Finlay (I think Mark is on this list too).
> <http://xsu.sourceforge.net/>
>
> Most issues with the wrapping of the "su" application and integrating
> such applications with GNOME are
>
> 1) Security issues.
This is the same excuse that people have been coming up with for years (since
1999, or maybe earlier). -_-
If things keep up like this, nothing will ever get done.
Will a security expert step forward and implement it please?
> The best way is to use a SUID-root non-Gtk+
> application instead of passing the password to "su" using a
> terminal-widget. However, some people dislike the idea of having
> _another_ SUID-root application and like the idea of using the standard
> "su" -or "sudo" command for this purpose. (Problem: su and sudo require
> a terminal for typing in the password -you cannot use a pipe for this-).
> Faking a terminal-widget might introduce security-issues.
How is it less secure than opening gnome-terminal, typing 'su' and typing in
your password manually using the keyboard?
> 2) The fact that not every Operating System that can host GNOME/Gtk+
> applications really needs a superuser utility (Gtk+ and GNOME also work
> on -older versions of- Windows) nor/or has such a utility. Adding the
> library to GNOME would add an impossible dependency for some Operating
> Systems -and environments.
I thought GNOME is supposed to be a Unix desktop and that the Windows port was
only for fun?
> However, I _do_ like your idea and I _do_ think that it should be
> integrated with GNOME. Why? Because that way applications (like
> nautilus) and distributions (like RedHat) can then start using it
> instead of inventing their own SuperUser-protocol. I also think that this
> library should not be GNOME-only; instead should be available for "all"
> applications (so also KDE -and Console applications)... (PAM ?) and easy
> for developers to start using it. Maybe the people at freedesktop.org
> should agree on such a protocol? Talking to them might be a good idea (I
> have not checked but it is possible that they are already working on
> this issue).
I've thought about that. But in the end I decided to make it depend on GNOME
because
1) KDE already has kdesu anyway
2) The API is quite high-level. It's fully integrated with the GUI code.
3) I can't find a better way to communicate with su other than using a
terminal widget. openpty() works for my su (RedHat 7.2) but not for SuSE's su
for some reason. This makes it depend on libvte.
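
Added example, not part of the original message or of GNOME SuperUser: a sketch of the pipe-versus-pseudo-terminal behaviour discussed in this thread, using Python's os.openpty() wrapper. The CHILD program is a constructed stand-in for a password prompt (it is not su), and the function names and sample secret are hypothetical.

```python
import os
import subprocess
import sys

# Constructed stand-in for a prompt program (it is not su): like su, it
# refuses to read a password unless stdin is a terminal, and turns echo off.
CHILD = r"""
import os, sys, termios
if not os.isatty(0):
    sys.exit("refused: stdin is not a terminal")
attrs = termios.tcgetattr(0)
attrs[3] &= ~termios.ECHO          # lflags: do not echo the password
termios.tcsetattr(0, termios.TCSANOW, attrs)
os.write(1, b"Password: ")
secret = sys.stdin.readline().rstrip("\n")
os.write(1, b"\nread %d characters\n" % len(secret))
"""

def run_with_pipe(secret):
    """Feed the secret through a pipe; the child sees no terminal and refuses."""
    p = subprocess.run([sys.executable, "-c", CHILD], input=secret + "\n",
                       capture_output=True, text=True)
    return p.returncode, p.stdout + p.stderr

def run_with_pty(secret):
    """Give the child a pseudo-terminal from openpty() and answer its prompt."""
    master, slave = os.openpty()
    p = subprocess.Popen([sys.executable, "-c", CHILD],
                         stdin=slave, stdout=slave, stderr=slave)
    os.close(slave)                     # parent keeps only the master side
    out, sent = b"", False
    while True:
        try:
            chunk = os.read(master, 1024)
        except OSError:                 # Linux reports EIO once the slave closes
            chunk = b""
        if not chunk:
            break
        out += chunk
        # Wait for the prompt: writing earlier would race the child's ECHO-off
        # and the pty would echo the secret back in clear text.
        if not sent and b"Password: " in out:
            os.write(master, secret.encode() + b"\n")
            sent = True
    os.close(master)
    return p.wait(), out.decode(errors="replace")

if __name__ == "__main__":
    print(run_with_pipe("constructed-secret"))
    print(run_with_pty("constructed-secret"))
```

Everything the child writes to the terminal comes back on the master side, so a wrapper that logs or displays that stream has to rely on the prompt program disabling echo before the password is sent.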