kio-admin in kdereview
Albert Astals Cid
aacid at kde.org
Sat Oct 15 20:29:02 BST 2022
El divendres, 14 d’octubre de 2022, a les 10:34:04 (CEST), Harald Sitter va
escriure:
> On Thu, Oct 13, 2022 at 10:32 PM Albert Astals Cid <aacid at kde.org> wrote:
> > El dijous, 13 d’octubre de 2022, a les 1:03:53 (CEST), Harald Sitter va
> >
> > escriure:
> > > On Thu, Oct 13, 2022 at 12:46 AM Albert Astals Cid <aacid at kde.org>
wrote:
> > > > Did I misunderstood the code? It looks like this run all of kio with
> > > > root
> > > > powers?
> > >
> > > That is correct
> >
> > That feels like a reasonably big no no with my security hat.
> >
> > I'm relatively sure we have not audited all of KIO and it's dependencies
> > to be "running as root"-safe.
>
> It is scary to be sure, but then the user has to opt into shooting in the
> foot.
How much of that opt in message mentions potential security issues?
> > What's the use case of this against the kauth support in file_unix.cpp ?
>
> The latter doesn't exist :(
There is a great deal of code that does auth stuff, it's just preceded by a
// temporarily disable privilege execution
Does anyone know what's the deal with that?
Because if the code is good we should enable it, and if the code is bad we
should probably rip it off?
Cheers,
Albert
>
> HS
More information about the kde-core-devel
mailing list