The package installer will execute the Steam install script in the package with those root privileges. So yes, the normal installation procedure DOES give root access to Steam.
The fact that you can run it without root afterwards is useless to the security of your system. Once you have run untrustworthy software as root, it can keep the root access and hide itself from you. Once root, always root.
And as it is closed source software, it is by definition not trustworthy. That's the primary difference between open and closed source software.
That's rather stupid and needlessly paranoid. Steam (the binary) cannot elevate to root if you run it as a user unless it executes something that's SUID and owned by root. Whether or not it is closed source. If it could, that would mean it can do it on the other account you just created just for Steam — and it would also mean that the Linux user separation is entirely worthless and insecure.
I do understand some of the concern about the installer of course, but the final expanded program, nope.
Is there a :rolleyes: emoticon around here somewhere?
The deb package of Steam contains a program.
This program is run as root once you install the package.
As this program has root access, it theoretically can do ANYTHING to your system, INCLUDING installing programs which have PERMANENT root access and are run automatically whenever you start your system. You don't need to give root access to them after that, the install script can just configure the system to automatically run them as root.
Again: Once you run untrustworthy software as root, your system is compromised. Anything which happens in the system after that CANNOT be trusted anymore. The fact that you are not asked for root privileges after the compromise does NOT mean that the system is not compromised. Of course a compromised system will not ask you to give permissions to malicious software anymore.
This assumption is one of the reasons why you can actually benefit from people writing open source software. Be thankful instead of rolling your eyes.
• To write to system directories that regular users do not have access to, e.g. the /usr tree, the /usr/local tree, or the /opt tree.
• To write information into the Dpkg package cache files so the system knows your program has been installed.
There’s exactly nothing suspicious about this.
There's no such thing as “programs with permanent root access”, because if there were, that would mean there's a security hole inside Linux. Linux is not perfect, of course, so there could be, of course. All the programs, unless SUID, run as the user running them. They cannot elevate unless your user can elevate — either via a bug (as before, that’s an issue you should raise with Kernel developers) or via legit ways such as su or sudo. You can take a look at the result of the .deb package installation (it is possible to specify a different root for dpkg-deb to unpack to, and you can chroot and jail the installation), and if you see something SUID, you can raise the flags. Until then, it's just hot steam from paranoia.
And also, if you don't know your system enough to see whether the install script has “configured the system to automatically run them as root”, you shouldn't be talking about keeping things “secure”.
But hey, I do understand where you’re coming from, I happened to have studied IT security. That whole area is based on paranoia — and that’s what drives it to make things even better and even more secure. I’m totally cool with that, and I’m glad we have things like PGP and SSL and the likes, thanks to security folks. However, if you’re security-concerned, you don’t actually want any closed sourced software (or open sourced, but not thoroughly peer-reviewed software) near a computer that you consider to be trusted and you want to keep secure.
Because... with closed source software you have a much, much bigger issue than root elevation — it leaking data to the creator without your consent. Just tell me how it can’t do that without root elevation, because I think it’s more than possible to see quite a few things on your computer without being an administrator user.
By all means, please stop speaking for every Linux user :)