i am a years user of ubuntu and an hours user of CNR from China, and my question is why CNR do not call me for a root password when i installing a player (banshee) with it ?
yet, it run well. but safe so?
2.Re: why CNR don't need a su password running on ubuntu? Dec 5, 2007 3:02 PM
The setuid bit is turned on so that the CNR client runs as affectively root. This is done so that any user can install/unisntall/update software on a machine. We thought these activities are useful enough to warrant the use of setuid.
To quote the setuid folks, "In some cases these privileges are insufficient to do useful things, for example if the user had the ability to write to the /etc/passwd file they could alter or remove all users passwords - but without access to it they cannot change their own password!"
4.Re: why CNR don't need a su password running on ubuntu? Dec 8, 2007 7:10 AM
in response to: -
I really think that there should be an option to prevent the CNR client from running as root. I am a stickler for security and control and really do not want applications running as root unless I specify.
6.Re: why CNR don't need a su password running on ubuntu? Dec 11, 2007 11:38 AM
in response to: -
The CNR Client does not actually run as root. It starts as root, but immediately drops privilages down to the user that started the client. For nearly all of the client's operation in runs as a normal user application. It is only when it needs to do something where it must be root like running dpkg -i <package> that it elevates it's privilages. And of course once the root action is done it removes privilages again. Although it is not as safe as a user application this is much safer than an application that really runs as root.
