Web lists-archives.com

Re: When wayland spreads it looks like no more running gui's as root.




On Tue, 18 Apr 2017 02:08:37 +0200
René J.V. Bertin <rjvbertin@xxxxxxxxx> wrote:

> On Tuesday April 18 2017 00:07:00 John wrote:
> 
> >  https://forums.opensuse.org/showthread.php/524150-Executing-Dolphin-as-root-is-not-possible
> > 
> > I was too annoyed to read all of it. The title sums it up.  
> 
> If the title sums it up then it must be simple enough to get around it - just patch out Dolphin's check for running as root. Or put pressure on your distro maintainers to do that.
> 
> R.
It looks like I will be getting a few (?) more years of using things the way that they currently work.

@Duncan Yes wayland has nothing to do with it. Sorry about that. I missed a post that mentioned the real cause of the problems. I must have cross posted. Your comment about kde changes that may be coming influenced me too.

It's all down to X where rights are inherited so if some one browses as root and then right clicks to edit another application opens with the same rights. Some one wrote something that ran unobserved, spotted that this was going on and could as a result get root privileges. Sounds like malware to me.

;-) Anyway some of the comments in the post got me going - usual things. A single click can cause a lot of damage. Desktop software communicates with each other - makes me wonder how some people think software works. I've also seen comments about how broad a desktop interface is so impossible to make it secure. Most hacking is done via applications connected to a network. Even scripts in yahoo's case.

The person who patched the latest dolphin also mentioned a fix involving sudo's. As I am a software person I sort of gasped but not a pc one unfortunately. If currently some one browses files as a user, clicks and edits they find that they can't save. It should be possible to intercept that and offer the chance to enter a root password. If then the changes are passed to a true root process to do the update nothing is inherited. The same thing could be done with desktop system tools that usually collect what changes are needed before actually doing anything. :-( sounds a bit ms windows like. They do that sort of thing when software is changed. Of late they may just ask if the change is ok - expected in other words. This must mean some pretty low level intercepts to spot that the change is about to happen. Not totally malware proof but probably helps.

Sounds like it may be bad news for desktop consoles if they can be intercepted. They probably can be. A problem because many processes can only be viewed as root.

The links to the details are in the forum post I linked to, fairly late on.

John
-