Zsh Mailing List Archive
Messages sorted by:
Reverse Date,
Date,
Thread,
Author
(OT?) Re: Zsh configuration files
- X-seq: zsh-users 13487
- From: "Benjamin R. Haskell" <zsh@xxxxxxxxxx>
- To: Zsh Users <zsh-users@xxxxxxxxxx>
- Subject: (OT?) Re: Zsh configuration files
- Date: Tue, 25 Nov 2008 13:26:11 -0500 (EST)
- In-reply-to: <b2e43f8f0811250910l7828242bnf3c8e137756b2f16@xxxxxxxxxxxxxx>
- Mailing-list: contact zsh-users-help@xxxxxxxxxx; run by ezmlm
- References: <ggbjfl$der$1@xxxxxxxxxxxxx> <2d460de70811230730v1a79f3b3rd73a020f99b66f02@xxxxxxxxxxxxxx> <ggcv5t$a88$1@xxxxxxxxxxxxx> <alpine.LNX.2.00.0811241643240.20698@xxxxxxxxxxxxxxx> <b2e43f8f0811250910l7828242bnf3c8e137756b2f16@xxxxxxxxxxxxxx>
On Tue, 25 Nov 2008, Allan Caffee wrote:
On Mon, Nov 24, 2008 at 5:33 PM, Benjamin R. Haskell <zsh@xxxxxxxxxx> wrote:
Long ago, I set some things up for easily sharing my Zsh startup
scripts between various computers I use. I did most of this when I was
still fairly new to Zsh, so some things might have easier/better ways
to do them, but this is how I set mine up. Some features:
1. Automatically runs any files matching .zsh_* in my home dir,
excluding vim swap files
2. For running as root, I can just link my normal-user .zshrc and
.zshenv files, and it'll detect that they're linked, and use the .zsh_*
files from my normal-user directory
That sounds really dangerous. You're offering a hook for someone to
execute arbitrary code as root. If someone breaks your user account
they could for example add a file in your home directory that resets the
root password or does some other really mean things. If you want root
to have the same setup as your regular user you should put it somewhere
that only root can write.
I was thinking about that as I posted to the list, and since you pointed
it out, maybe I'll get some general feedback... (sorry if this is too
off-topic)
Like many users (I suspect), most of the systems I'm talking about here
are essentially single-user systems. I log in under a normal user account,
but the only reason not to log in as root is 'rm -rf /' protection. (i.e.
so as to not cause unintentional damage.) On other systems, either:
1) I don't have root access, so this doesn't apply
2) The systems are properly secured (running/behind a firewall,
non-essential services are off, passwords are strong, system is kept
up-to-date, and I only ever log in to my normal account via SSH with keys)
[modulo, of course, this discussion]
Am I really setting myself up for badness via this automated .zsh_* stuff?
And even beyond those reasons... I always got the impression that someone
capable of using exploit X to break into a normal user's account had a
pretty low barrier to using exploit Y to elevate their privileges to root.
Is that not generally the case? [i.e. a system is only secure as its least
secure user]
Best,
Ben
Messages sorted by:
Reverse Date,
Date,
Thread,
Author