James G. Sack (jim) wrote:
Ralph Shumaker wrote:
..

My point was merely to find out this: If someone was to _remotely_
crack rafael and set a keystroke logger, would the logger be able to
catch keystrokes entered at one of the login prompts on consoles F1-F6?
I'm sure that if I log in there as rafael, *then* the logger probably
would be able to log keystrokes. But what about *before* logging in?
At the login prompt? I'm guessing that if I never do anything with root
privileges while logged in as rafael (who's connected to the web), then
root exploits should be minimized, right? My question is that if I
enter user (and root) passwords only at login prompts, sniffers
installed with the privileges of a cracked regular user should never be
able to gain the passwords, right? Not even the password of the cracked
user, right?

As Greg has said, getting equivalent to shell access opens the door to
lots of bad things. Including escalating to root, by keylogging or maybe
some local vulnerability in a standard program.

But I'm wondering just what you mean by "If someone was to _remotely_
crack rafael"?

Previously in the thread, someone raised the question of physical
access. I already know that physical access == all bets are off.
"remotely" is in juxtaposition to this.

Perhaps you're imagining some wizard or script kiddie being able to get
into your computer whenever they wish? The purpose of not running
services is to prohibit allowing externally-initiated connections -- so
wizards-or-whatever have no ability to jump into your computer at will.

Kinda, yes. I know enough to be a danger to my own computer. I know
enough to be aware of the sorts of things that others _could_ do, given
the right circumstances. I do *not* know enough to know what those
circumstances might be, but I can ask questions and learn.

I take decent precautions against home invasion, but being a locksmith,
I know that *NO* precaution against physical access will always stop the
determined.

If some vulnerability is suddenly discovered in http (or smtp or
pop/imap), you may be at risk (until an update fixes the bug) _if_ you
stumble upon some site where a baddie is actively checking everyone that
comes by and trying to execute an exploit. Vulnerabilities are not
always exploitable, and a successful exploit may not even produce shell
access, so your risk is actually lower than you may be thinking, so I
wouldn't lose a lot of sleep over it. Just keep updating security fixes.

I don't know about keeping up with security fixes (i.e. I am not
specifically aware of security fixes), but am reasonably certain that I
do since I "yum update" whenever _any_ updates are available.

That reminds me. If I log into X as rafael, then [Ctrl][Alt][F1], log
in as root on that console, can I (from there) launch some gui program
into rafael's X session on [F7]? Like for example, gnome-terminal?
Assuming for a moment that user rafael (with no sudo access) were to get
cracked and subsequently slipped a keystroke sniffer, this would be a
way for rafael to get a root gnome-terminal without entering any
passwords where sniffers might be able to watch, right?

I don't think it's necessary or useful to choreograph the exact path; if
someone gets shell access they can access all your files, add, change or
delete all kinds of things, open outgoing connections, run cron jobs,
install sniffers, and with enough luck/work, probably get root access.

OK, I just thought that the login screens were not owned by joeUser, so
if someone gets shell access for joeUser, they would not be able to
monitor the login screens, and sniff the keystrokes there. Am I wrong?
(I'm not talking about X terminals.)

Maybe I'm just being overly paranoid.

Paranoid is good; overly paranoid starts becoming counter-productive;
where's the correct balance?

Good question. Who has the right answer?
--
The four greatest threats to Americans today:
1) Executive orders giving President carte blanche dictatorial power
2) Our current foreign policy (foreign occupation by our military)
3) The federal income tax and all other unconstitutional taxes
4) Unconstitutional spending by congress, exceeding revenues, year after
year, after year, after year, after year, leading ultimately to our
utter enslavement by the owners of the world bank
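
Added example, not part of the original message: one piece of the question about login screens and an ordinary account can be checked directly, namely whether that account is able to open the console or input device nodes for reading, given their owner, group and mode. The sketch below applies the owner/group/other rule to `stat` output; the function names, the sample lines and the group lists are constructed for illustration, and POSIX ACLs are not evaluated.

```shell
#!/bin/sh
# Added example: list the device nodes an account could open for reading.
# Input lines have the form printed by GNU stat:  stat -c '%U %G %a %n' PATH...
# Only the classic owner/group/other mode bits are evaluated, not ACLs.

# readable_nodes USER "GROUP1 GROUP2 ..."   (stat lines on stdin)
readable_nodes() {
    user=$1
    groups=" $2 "
    while read -r owner group mode path; do
        [ -n "$path" ] || continue
        # Split the mode into owner/group/other digits using string
        # operations only (avoids octal surprises in arithmetic).
        m="000$mode"
        o=${m#"${m%?}"}; m=${m%?}
        g=${m#"${m%?}"}; m=${m%?}
        u=${m#"${m%?}"}
        # Exactly one class applies: owner first, then group, then other.
        if [ "$owner" = "$user" ]; then d=$u
        elif case $groups in *" $group "*) true ;; *) false ;; esac; then d=$g
        else d=$o
        fi
        # The read bit is set when the digit is 4..7.
        case $d in [4-7]) printf '%s\n' "$path" ;; esac
    done
}

# Constructed sample: tty1 is waiting at a login prompt, tty2 has rafael
# logged in, event0 is a keyboard input device, /dev/null is world-readable.
sample_stat() {
    cat <<'EOF'
root tty 620 /dev/tty1
rafael tty 620 /dev/tty2
root input 660 /dev/input/event0
root root 666 /dev/null
EOF
}

# Stand-alone run on the sample, for an account in no extra groups.
sample_stat | readable_nodes rafael "rafael"

# On a live system (GNU coreutils), for the current account:
#   stat -c '%U %G %a %n' /dev/tty[1-6] /dev/input/event* |
#       readable_nodes "$(id -un)" "$(id -Gn)"
```

In the sample, the console still at its login prompt and the input device are not listed for the plain account, while adding the account to the `input` group makes the input device readable.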