FreeBSD at keyslapper.net
Wed Feb 2 17:00:50 PST 2005
On 02/03/05 01:10 AM, Gert Cuykens sat at the `puter and typed:
> > I assume this refers to the root window. Surely you're not logged
> > into X as root.
> no I am just logged as a user into X and my user name is the same as
> root :) Let's call it the user root window.
> > Try this:
> > check your DISPLAY environment variable with
> > echo $DISPLAY
> > make sure it's ':0.0' or something similar, like <hostname>:0.0, then
> > run this:
> > /usr/X11R6/bin/xscreensaver -display $DISPLAY &
> > That should do what you're trying to do.
> > Lou
> > --
> I# /usr/X11R6/bin/xscreensaver -display $DISPLAY
> xscreensaver: 01:02:41: locking is disabled (running as nobody).
> xscreensaver: 01:02:41: locking only works when xscreensaver is launched
> by a normal, non-privileged user (e.g., not "root".)
> See the manual for details.
> man the xscreensaver thingie isn't kidding about it...

That's your whole problem. It is widely considered a Very Bad Thing
to log into X as root. Xscreensaver refuses to run there because it
calls external programs, which it gives free rein within its access
limitations. If xscreensaver were running as root, these external
programs would therefore run as root, and should any of them be
written with certain malicious, or even just errant code, your secure
box could do anything from implode due to a bad disk access in the
boot sector, to hang its keister right out the internet for all to
see and poke and prod. And they WILL poke and prod.

xscreensaver is the only such program that comes to mind that tries to
protect you in this way, but think of all the other programs you run:
your wm, all those utilities, the calculator, and the list goes on.
Not all of these are part of the OS, most are "contrib" code, which
means they were written by people outside the official team for
whatever project you got it with. That doesn't mean it's not good
code, most of it is excellent at the very least, but it doesn't always
have the same rigorous testing cycle, and it is almost NEVER written
to run as root. And a process intended to run as root DOES get

I *VERY* strongly recommend you create a real user, call it gert or
cuykens, or the name of your box, or whatever you want and DON'T add
it to every group and give it admin privileges. Using root for
anything but administrative use or accessing restricted resources is a
huge security hole.
Louis LeBlanc FreeBSD-at-keyslapper-DOT-net
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
Key fingerprint = C5E7 4762 F071 CE3B ED51 4FB8 AF85 A2FE 80C8 D9A2
Filing almost everything under "the".
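
The concern raised in the message above, that helper programs inherit the privileges of whatever launches them, shown as an added C example. It is not part of the original message and not xscreensaver's code: it is a launcher that refuses to start helpers in a real-root session and permanently drops privileges when only the effective UID is root. The names helper_policy, drop_privileges and run_helper are hypothetical.

```c
#define _DEFAULT_SOURCE          /* exposes setgroups() on glibc */
#include <grp.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum policy { RUN_AS_IS, DROP_THEN_RUN, REFUSE };

/* Decide how to treat a request to start an external helper. */
enum policy helper_policy(uid_t ruid, uid_t euid)
{
    if (ruid == 0)
        return REFUSE;          /* session owner is root: no unprivileged identity to run under */
    if (euid == 0)
        return DROP_THEN_RUN;   /* setuid-root binary started by a normal user */
    return RUN_AS_IS;
}

/* Permanently give up root. Order matters: groups, then gid, then uid. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (uid != 0 && setuid(0) == 0)
        return -1;              /* root could be regained: treat the drop as failed */
    return 0;
}

/* Start a helper under the policy; returns its exit status, or -1 if refused or failed. */
int run_helper(char *const argv[])
{
    enum policy p = helper_policy(getuid(), geteuid());
    if (p == REFUSE)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {             /* child: shed privileges before exec, never after */
        if (p == DROP_THEN_RUN && drop_privileges(getuid(), getgid()) != 0)
            _exit(126);
        execvp(argv[0], argv);
        _exit(127);             /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```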