O' knowledgeable ones:

I have Ximian-GNOME on my system (SuSE 7.3), and I use their Red Carpet updater service (a kind of "uber" RPM handler).

It occurs to me to wonder about security. If I run the client as a user, I get prompted to provide my root password, or to run the RC client in unprivileged mode -- which means that I can look at available updates, but I can't have them installed. So, to get any useful work done, I need to provide the root password at the client prompt.

This strikes me as dangerous, since the client could easily report my root password to Ximian (not that I think they are interested...) or to a third party (like a former employee who left a backdoor...ok, I'm reaching, but...).

On the other hand, if I log in to my system as root, and run Red Carpet from there, am I not offering a tremendous amount of access to an application that performs a bunch of transactions over the internet?

What's the least-scary approach that retains the convenience of Ximian Red Carpet? Note, I would prefer not to change my root password after every time I run the utility. That way lies madness or the risk of forgetting the root pw...

--
Kevin McLauchlan
Chrysalis-ITS, Inc.
"Ultimate Trust(TM)"
Either:

a) If you really want to use Red Carpet (which occasionally will want you to randomly remove various packages (often KDE related packages, I've noticed...)), use good ol' sux to give yourself a root session with X settings within your normal user login

    (Tue 26 Mar 2002 15:16) ogley@jogley:pts/0 ~> sux -
    Password:
    jogley:~ # red-carpet

b) Use your unprivileged Red Carpet sess to see what's available, then point your favorite FTP client at spidermonkey.ximian.com and download the packages, then install them as root.
> What's the least-scary approach that retains the convenience of Ximian Red Carpet? Note, I would prefer not to change my root password after every time I run the utility. That way lies madness or the risk of forgetting the root pw...

--
James Ogley, Unix Systems Administrator, Pinnacle Insurance Plc
james.ogley@pinnacle.co.uk www.pinnacle.co.uk +44 (0) 20 8731 3619
Using Free Software since 1994, running GNU/Linux (SuSE 7.x)
This email was created and sent with Ximian Evolution 1.0.2
NEW: Advogato diary at www.advogato.org/person/riggwelter
James,

Ahhh... Thanks for a concise and useful (for this linux doofus) reply.

I was unaware of sux. Or, if I ever read about it, I didn't realize the implications at the time. Now I recognize at least one or two ... Very handy.

So-o-o-o... then my next question would be... between your suggestions a) and b), is there a reason (like security or some other implication of which I'm unaware) to choose one solution over the other? The solution with "sux -" seems much more convenient. Is there an implication/hazard that the more roundabout procedure would avoid?

And for bonus points: Does Red Carpet use only the RPM database on my system, or would installing packages individually (by hand) cause Red Carpet to "lose sync" on those packages?

Regards,

/kevin

On Tue, 2002-03-26 at 11:50, James Ogley wrote:
> Either:
>
> a) If you really want to use Red Carpet (which occasionally will want you to randomly remove various packages (often KDE related packages, I've noticed...)), use good ol' sux to give yourself a root session with X settings within your normal user login
>
>     (Tue 26 Mar 2002 15:16) ogley@jogley:pts/0 ~> sux -
>     Password:
>     jogley:~ # red-carpet
>
> b) Use your unprivileged Red Carpet sess to see what's available, then point your favorite FTP client at spidermonkey.ximian.com and download the packages, then install them as root.
[snip administrivia]

--
Kevin McLauchlan
Chrysalis-ITS, Inc.
"Ultimate Trust(TM)"