[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: FC4 "sudo su -" breaks root's access to X server



On Sat, 2005-06-25 at 23:15 -0500, Jonathan Berry wrote:
> Hi all,
> 
> I've noticed that with FC4 if I use "sudo su -" to get a root shell
> and try to open an X application (like a GUI text editor, for
> instance) I get the error:
> Xlib: connection to ":0.0" refused by server
> Xlib: No protocol specified

I saw this mentioned elsewhere in context of pam_console and it seems to
be a bug - but really, it is a BAD idea to allow sudo to do anything
that can result in a root shell. Really bad idea. I know that is the
default on OS X - but OS X has a lot of bad defaults (which why everyone
except me has to fix permissions so often - I never log into OS X as an
admin and thus permissions never get screwed up)

sudo is to allow certain users to be able to run certain tasks that they
otherwise would not have sufficient privilege to run. It should ONLY be
used for users who should not have the root password, but for which
other authentication mechanisms (such as pam and/or suid) are not proper
ways to give them access to something they need to do (IE a shell script
that needs permission to mount an iso image over loopback, or a junior
admin who needs permission to restart apache)

The problem with sudo is that if sudo is configured to allow a user to
spawn a shell, then the root account is no more secure than that users
password.

If you want to run a single command as root and you have root access,
you can do so via

su --command="command to run"

If you need a root shell, use su - (or just plane su if you don't need
to get roots environment)
It is a bad idea to use sudo to become root. Even on OS X - which seems
to be what made the notion of doing that popular.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]