undefined | Better HN

0 pointskoolba9y ago0 comments

> Anyway, Apps that asks for root password on installation always makes me cringe, e.g. they could turn on SSH and put a pubkey into authorized_keys, or they could upload SSH identity files. But I still proceed to enter my password.

You don't need root to do any of those things. If you're going to run the SSH server on port 22, sure, but it can be run on any port above 1024 by a regular user in user space.

If you're already running an SSH server, a non-root app can most likely edit your ~/.ssh/authorized_key file. It's just a regular file, nothing special about a malicious app adding an entry to it.

Think a NAT is going to save you? A malicious program can SSH out and create a reverse tunnel to circumvent it.

Short answer: running anything you don't know or trust is dangerous, root access just makes it more dangerous.

0 comments

3 comments · 1 top-level

niij9y ago· 2 in thread

>If you're already running an SSH server, a non-root app can most likely edit your ~/.ssh/authorized_key file. It's just a regular file, nothing special about a malicious app adding an entry to it.

That file is -rw-r--r--, so only the owner or root can change it, unless I am misunderstanding you?

sbarre9y ago

That app is running as you, so it is the owner of the file at that point.

niij9y ago

You're absolutely right.

j / k navigate · click thread line to collapse