root "login" xterm to increase security?
- Date: Fri, 14 Sep 2018 11:16:56 +1000
- From: Zenaan Harkness <zenaan@xxxxxxxxxxxx>
- Subject: root "login" xterm to increase security?
Anyone know if it's possible to get xterm (or xfce4-terminal or any
other terminal for that matter) to be a "native/ clean login
terminal", to increase security when running root commands?
To: CypherPunks <cypherpunks@xxxxxxxxxxxxxxxx>
On Thu, Sep 13, 2018 at 04:48:58PM +1000, Zenaan Harkness wrote:
> So someone cracking into one's local user account via browser sploit,
> one of the first acts would likely be to plant a password capture
> script, e.g. wrapping sudo or something otherwise requiring password
> Once a password is obtained, via brute force or trojan, sudo gives
> the entire system away.
> A convenience is some do "useradd me disk" - but again, any crack of
> local account (even without password), now gives away all disks.
> Convenience vs security.
> So what to do?
> 1) delgroup me disk
> "Important" data such as keyfiles ought be stored with no "primary
> user account access", so group "disk" ought not be part of "primary
> user"'s groups.
> Are there any other groups that "really ought" be removed from the
> local primary user account?
> 2) Disable sudo and disable su
> su (as well as sudo) again has the problem of password capture if su
> or sudo is run from the primary user account after a sploit + trojan
> So, obviously, we need "clean" root logins, i.e.:
> - separate root account for admin/disk tasks
> - clean login, i.e. not via primary user account but using a clean
> "login" process outside any user account
> And so logically, the immediate test is as follows (does not work for
> me, gives me a .profile/.bashrc shell, not a login prompt):
> xterm -ls
> Note man xterm:
> This option indicates that the shell that is started in the xterm
> window will be a login shell (i.e., the first character of argv
> will be a dash, indicating to the shell that it should read the
> user's .login or .profile).
> The -ls flag and the loginShell resource are ignored if -e is also
> given, because xterm does not know how to make the shell start the
> given command after whatever it does when it is a login shell - the
> user's shell of choice need not be a Bourne shell after all. Also,
> xterm -e is supposed to provide a consistent functionality for other
> applications that need to start text-mode programs in a window, and
> if loginShell were not ignored, the result of ~/.profile might
> interfere with that.
> If you do want the effect of -ls and -e simultaneously, you may get
> away with something like
> xterm -e /bin/bash -l -c "my command here"
> Finally, -ls is not completely ignored, because xterm -ls -e does
> write a /var/log/wtmp entry (if configured to do so), whereas xterm
> -e does not.
> a) anyone know how to make xterm -ls give a 'clean' login prompt?
> b) is any presumption of a "clean" login prompt inside xterm, when
> launched from a primary account xterm session, a folly?
> c) is there any other option for root in X, which could be considered
> "resonably secure" in the face of a cracked local X using account?
> 3) Qubes.
> Isolate each activity into its own VM.
> Notwithstanding hardware/CPU level firetruckery (another problem
> which as grarpamp reminds us requires OpenFabs, OpenHW, OpenCPU etc),
> isolating each activity, especially public facing activity such as
> web browsing, appears to be a very reasonable proposition - this way
> a browser crack means root access in the browser's VM, and not
> automatically into the rest of the system (VM sploits