
List:       kde
Subject:    Re: When wayland spreads it looks like no more running gui's as root.
From:       John <john_82 () tiscali ! co ! uk>
Date:       2017-05-07 19:18:57
Message-ID: 20170501130913.4fd7f451 () dhcppc1

On Tue, 18 Apr 2017 02:08:37 +0200
René J.V. Bertin <rjvbertin@gmail.com> wrote:

> On Tuesday April 18 2017 00:07:00 John wrote:
> 
> > https://forums.opensuse.org/showthread.php/524150-Executing-Dolphin-as-root-is-not-possible
> >  
> > I was too annoyed to read all of it. The title sums it up.  
> 
> If the title sums it up then it must be simple enough to get around it - just
> patch out Dolphin's check for running as root. Or put pressure on your distro
> maintainers to do that.
> R.
It looks like I will be getting a few (?) more years of using things the way
that they currently work.

@Duncan Yes, Wayland has nothing to do with it. Sorry about that. I missed a
post that mentioned the real cause of the problems. I must have cross posted.
Your comment about KDE changes that may be coming influenced me too.

It's all down to X where rights are inherited, so if someone browses as root and
then right clicks to edit, another application opens with the same rights.
Someone wrote something that ran unobserved, spotted that this was going on and
could as a result get root privileges. Sounds like malware to me.

;-) Anyway some of the comments in the post got me going - usual things. A
single click can cause a lot of damage. Desktop software communicates with each
other - makes me wonder how some people think software works. I've also seen
comments about how broad a desktop interface is so impossible to make it secure.
Most hacking is done via applications connected to a network. Even scripts in
Yahoo's case.

The person who patched the latest Dolphin also mentioned a fix involving sudo's.
As I am a software person I sort of gasped but not a PC one unfortunately. If
currently someone browses files as a user, clicks and edits, they find that they
can't save. It should be possible to intercept that and offer the chance to
enter a root password. If then the changes are passed to a true root process to
do the update, nothing is inherited. The same thing could be done with desktop
system tools that usually collect what changes are needed before actually doing
anything. :-( sounds a bit MS Windows like. They do that sort of thing when
software is changed. Of late they may just ask if the change is ok - expected in
other words. This must mean some pretty low level intercepts to spot that the
change is about to happen. Not totally malware proof but probably helps.

Sounds like it may be bad news for desktop consoles if they can be intercepted.
They probably can be. A problem because many processes can only be viewed as
root.

The links to the details are in the forum post I linked to, fairly late on.

John
-
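
Added illustration, not part of the message above and not Dolphin or KDE code: a sketch of the "true root process" side of the design described in the message, where the editor runs as the user and only the finished change is handed over. The function name `apply_edit`, the `Rejected` exception and the allow-list of directories are assumptions made for this example; the allowed directories are assumed to be writable only by root.

```python
import os
import stat
import tempfile


class Rejected(Exception):
    """The privileged side refused the request."""


def apply_edit(target, new_bytes, allowed_dirs, max_size=1 << 20):
    """Validate an edit request from the desktop session, then replace the
    file atomically. Returns the path that was written."""
    if len(new_bytes) > max_size:
        raise Rejected("content too large")
    # Resolve symlinks and ".." in the directory part before the allow-list check.
    parent = os.path.realpath(os.path.dirname(os.path.abspath(target)))
    roots = [os.path.realpath(d) for d in allowed_dirs]
    if not any(parent == r or parent.startswith(r + os.sep) for r in roots):
        raise Rejected("outside allowed directories")
    path = os.path.join(parent, os.path.basename(target))
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink in the last component
    except FileNotFoundError:
        raise Rejected("target does not exist")
    if not stat.S_ISREG(st.st_mode):
        raise Rejected("not a regular file")  # symlink, device, directory...
    fd, tmp = tempfile.mkstemp(dir=parent, prefix=".edit-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(new_bytes)
            f.flush()
            os.fsync(f.fileno())
            # Keep the original mode and owner on the replacement file.
            os.fchmod(f.fileno(), stat.S_IMODE(st.st_mode))
            mine = os.fstat(f.fileno())
            if (mine.st_uid, mine.st_gid) != (st.st_uid, st.st_gid):
                os.fchown(f.fileno(), st.st_uid, st.st_gid)
        os.replace(tmp, path)  # rename() swaps the name, never writes through a link
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return path
```

The helper treats everything it receives from the user session as untrusted input, so nothing from the GUI process is inherited by the part that runs with root rights.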

