Friday, 2 July 2010

Improved sdsudo security

I am testing a modification to the SD sdsudo utility that addresses a potential security issue I mention here. As I mentioned there, I don’t think the way sdsudo works at present is a security issue when used as intended—as a one-logged-in-user-at-a-time desktop/laptop environment. But more security with no downsides is never a bad thing.

The mod is based on Daniel Stone’s “xhost plus considered harmful” post. If you want to try this yourself, open /usr/bin/sdsudo as root in your favorite text editor. Find the line

xhost +local:root 1>&2

and change it to

xhost +SI:localuser:root 1>&2

A couple tests indicate this works. I’ll need to do some more testing to see if there are any gotchas.

I am hoping that SkinnySqeezey won’t need sdsudo.