[sf-lug] root, X11 8-O (was: GKsu has long been EOLed)

Michael Paoli Michael.Paoli at cal.berkeley.edu
Sat Feb 16 14:55:39 PST 2019


Well, another approach, rather than via ssh (and server only listening
on local) ... and in case where it's purely local ...

As root, one has access to ... well, lots.  So, not saying this is
best - but is quick and dirty - and more secure than some
approaches ... the disadvantage is this gives root access to *all*
X stuff of the target (non-root) user running X ...
So, ... if one wanted to do similar to what I show below, but
more restricted, could just do *only* the relevant bits the
user has access to that are applicable for the local (but then
again, if that's all the user (presently) has and is using ...
something like, e.g. this:
for when I feel "tempted"(/"need") to fire up virt-manager as
root 8-O ... hey, already have X running as mere mortal user,
but need root for some of the things virt-manager does, but don't
want to do a whole bloody X11 session (let alone a full bloody
DE as root!), so ... "just" virt-manager and the bits root needs to
fire that up under mere mortal user's existing X session (okay,
slight excess on sucking up all that user has X access to at
present - but if that's just local anyway ...):
# cat Virt-manager
#!/bin/sh
DISPLAY="${DISPLAY:-:0.0}" \
XAUTHORITY="${XAUTHORITY:-/home/m/michael/.Xauthority}" \
exec >>/dev/null 2>&1 virt-manager ${1+"$@"}
#

Feel free to comment on the great/horrible security, etc.
(dis)advantages to the above approach (and other bits I mentioned about
specific X access/permissions) ... and, apologies that I've not already
(or at least not recently) looked on Rick's relevant web page to see if
that might already be covered there.

> From: "Akkana Peck" <akkana at shallowsky.com>
> Subject: Re: [sf-lug] GKsu has long been EOLed
> Date: Fri, 15 Feb 2019 16:50:14 -0700

> Rick Moen writes:
>> > I have a local sshd, but that gives Permission denied even after I
>> > type root's password. I guess I'd have to enable ssh-as-root, at
>> > least for localhost?
>>
>> Yes.  That's what I referred to, when I said I'm 'not a member of the
>> must-use-sudo church'.  So, to correct the root user's lack of login
>> ability:[1]
>
> I have a root password and can su to root just fine.
> It was the PermitRootLogin part in sshd_config that I didn't have
> (and I definitely wouldn't want to add it except with the limitation
> to localhost, which you mention later.)
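
Michael's message above mentions a more restricted variant that gives root *only* the relevant bits instead of the user's whole .Xauthority. One way to do that with xauth's nextract/nmerge, as an added example that is not part of the original message (the USER_XAUTH variable, the function names and the Virt-manager-restricted script name are assumptions):

```sh
#!/bin/sh
# Added example, not the post's script. USER_XAUTH's default and the
# function names are assumptions made for illustration.
USER_XAUTH="${USER_XAUTH:-/home/m/michael/.Xauthority}"

# Copy only one display's cookie from the user's file into a new file.
copy_display_cookie() {    # $1=source file  $2=display  $3=destination
    ( umask 077 && : >"$3" ) || return 1
    # -i: ignore locks on the user's file; we only read it
    xauth -i -f "$1" nextract - "$2" | xauth -f "$3" nmerge - || return 1
    [ -s "$3" ]            # still empty: no entry matched that display
}

# Run a command as root with access to that single cookie only.
run_with_display_cookie() {    # $1=display, rest=command and arguments
    disp=$1; shift
    dir=$(mktemp -d) || return 1        # private 0700 directory
    trap 'rm -rf "$dir"' EXIT           # not exec'ing, so we can clean up
    copy_display_cookie "$USER_XAUTH" "$disp" "$dir/Xauthority" || return 1
    DISPLAY="$disp" XAUTHORITY="$dir/Xauthority" "$@" >/dev/null 2>&1
}

# Act as the wrapper only when installed under this hypothetical name.
case ${0##*/} in
    Virt-manager-restricted)
        run_with_display_cookie "${DISPLAY:-:0.0}" virt-manager ${1+"$@"} ;;
esac
```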



