Friday, 2 July 2010
Improved sdsudo security
I am testing a modification to the SD sdsudo
utility that addresses a potential security issue I mention here. As I mentioned there, I don’t think the way sdsudo
works at present is a security issue when used as intended—as a one-logged-in-user-at-a-time desktop/laptop environment. But more security with no downsides is never a bad thing.
The mod is based on Daniel Stone’s “xhost plus considered harmful” post. If you want to try this yourself, open /usr/bin/sdsudo
as root in your favorite text editor. Find the line
xhost +local:root 1>&2
and change it to
xhost +SI:localuser:root 1>&2
A couple tests indicate this works. I’ll need to do some more testing to see if there are any gotchas.
I am hoping that SkinnySqeezey won’t need sdsudo.