Web lists-archives.com

Re: Suggestion to Remove KFloppy and hold back K3b




Am Dienstag, 21. Februar 2017, 18:55:00 schrieb Nicolás Alvarez:
> > On Feb 15, 2017, at 17:58, Wolfgang Bauer <wbauer@xxxxxx> wrote:
> > 
> > Am Mittwoch, 15. Februar 2017, 22:21:19 schrieb Martin Gräßlin:
> >> Please do not consider starting a GUI application as root a possibility.
> > 
> > Ok, but partitionmanager does exactly that. It restarts itself as root if
> > run as user.
> > So that instantly would rule out partionmanager as a proposed replacement,
> > I suppose.
> > 
> > But KFloppy is quite a simple application.
> > There should not really be a special risk involved running it as root, but
> > I might be mistaken there.
> 
> Sounds like you're challenging Martin to write a take-over-machine exploit
> via root KFloppy, and I would bet money that he would succeed ;)

No, I don't.

I just meant to say that the attack surface is smaller that for (certain) 
other applications.
You definitely cannot open a root konsole and run arbitrary commands as root 
by just sending fake key presses to kfloppy... ;)

But please.
I already wrote that restarting the application as root was just one idea to 
work around permission problems. (I even mentioned using kauth as option too 
in my first mail, and that's what I'll try to implement...)
And to repeat: I already dropped that idea completely.

So I don't see a point in continuing the discussion about this here.

Kind Regards,
Wolfgang