>On Fri, 19 Apr 2013 20:22:54 +0200 >"Niels Terp" <nielst...@comhem.se> wrote: > > [snip] > > I know that I am poking my face into a beehive here, and I am well > aware of the dangers by logging in as root. It is possible on my SuSE > system, and have never given me any problems. And I ALLWAYS have a > backup of my system. So PLEASY tell me, how can I autostart KDE, and > still log in as root ?
Words fail to express just how bad an idea this is. Yet, I must try. The first and main problem, obviously, is that running as root destroys the compartmenalization of your system. This compartmenalization is critical to normal and RELIABLE system operation. I won't spend more words on that problem, because there is a much bigger problem here. It specifically has to do with KDE. One word before I begin. I have never used KDE, in the sense that I have never written a program that uses KDE. What follows has been pieced together by reling on documentation and the general knowledge regarding objects and object-based programing systems. While I may be wrong regarding KDE, I am not wrong regarding the general idea. KDE is object based. I am sure you and everione else reading this knows what an object is. For the sake of those who don't, let me reiterate. An "object" is a construct consisting of code and data. It has an internal state. The state is held in the data. The code implements functions. Some of these functions are public - other object can call them - and some functions are private - only the object itself can call them. As a rule, the only way to access an objects data is to call a function in that object and let it return data to you. KDE has something called Kparts. I think Kparts is the main inter-process comunication method used, but I may be wrong. If I am wrong, that would be very good. Kparts are objects. They ferry data from one process to another. If I know this part correctly, the undelying method by which this is done is by using shared memory to contain said objects. So far so good. Now, application A uses Kparts to send information to application B. A passes an object to B. The only way for B to gain the data is to get it from within the object and there is only one way to do this: to call a function within the object. Let me reiterate: when objects are used for IPC (inter-process comunication), the only way for the receiver to gain the passed data is for it to execute the passed object. The question now, ofcourse, is what happens if that function that returns data is booby-traped to take over the receiving application? There is no way for the receiving application to know what will happen once it passes control to the object yet it has no other choice but to do so. Thus, objects used for IPC enable simple and easy process takeover. Ultimately, there vulnerabilities are unprotectable. Regarding your idea to log in to a KDE session as root... I hope I don't have to go on explaining why is that such a bad idea. With the system being completely de-compartmenalized, you will have no security both from legitimate errors and mistakes and from any and all attacks. And without being protected from errors and mistakes, you will not have a reliable system. One final word. While I may be wrong regarding Kparts and KDE, KDE is not the only thing in existance which uses object-based IPC. I hear GNOME also uses them, but the biggest culprit.. realy, the elephant in the room that needs to be mentioned is Windows. If I read the documentation right, all the way since 1991. (or some such) and the adoption of COM, MS-DOS and Windows have used object-based IPC as their workhorse. This is the number one problem of Windows. And it has gotten worse over the years. The most recent SURE instance of this being used that I could find is in the newest Windowses Power shell. One of the key selling points for the Power shell is how the pipes are implemented using object passing. The sales pitch goes on to elaborate how previous versions of the Windows shell would serialize object before passing them (serialization means that the data was extracted from the object and passed alone) but the new Power shell passes object and thus eliminates the cost of serialization and deserialization. In my mind, the possibilities for abuse of that are endless. -- You don't need an AI for a robot uprising. Humans will do just fine. --Skynet -- http://linuxfromscratch.org/mailman/listinfo/blfs-support FAQ: http://www.linuxfromscratch.org/blfs/faq.html Unsubscribe: See the above information page