D12732: Implement a more user-friendly run-as-root-or-sudo behavior
Nathaniel Graham
noreply at phabricator.kde.org
Mon May 7 20:54:56 BST 2018
ngraham added a comment.
In D12732#259309 <https://phabricator.kde.org/D12732#259309>, @elvisangelaccio wrote:
> I don't think this is a good idea. There is a reason we have that check there, and it must be the very first thing done in `main()`. Showing a fancy warning message in the dolphin view would be too late (see Martin's exploit <https://cgit.kde.org/scratch/graesslin/exploit-dophin-root-x11.git/tree/exploit.cpp>).
>
> I know the current situation is not ideal (given that kio is not polkit-ready yet - we are almost there though!). But we shouldn't leave the door open to a clear vulnerability that could affect every dolphin user.
Please read the arguments I made above. All of those concerns are addressed. I'll repeat them:
1. It is inappropriate for an app to refuse to run on top of an insecure environment. The problem should be fixed at the level of the insecure environment. Did anybody ever submit an X11 patch? We don't hack around problems, we fix them.
2. There needs to be a distinction made between running dolphin using sudo (you're now vulnerable to the exploit) and running as the root user (your whole user session was already vulnerable since you're running all GUI software as root anyway). It doesn't make sense to "secure" dolphin in a root session that is already inherently insecure.
3. It is illogical to damage the user experience in the name of security; we fail at the goal of securing the user if the user becomes unable to use our software in the first place (e.g. for the Kali distro). If you lose your house key, you don't barricade the door so that nobody can go in or out until the locksmith comes. It is user-hostile, inappropriate, and illogical to remove a feature before its replacement is ready.
Our users are not children. Most of them are professionals or enthusiasts. Let's treat them like adults and provide a warning, but ultimately let them make their own decision. Once PolKit support is finally available to the public, we can revisit the issue of how best to wean users off doing `sudo dolphin` in a humane, user-friendly manner. Until then, I believe that the only professional course of action is to re-add the missing feature, despite its known security vulnerability. If the vulnerability is really so severe as to have warranted the drastic action originally taken here, someone should submit an X11 patch ASAP.
REPOSITORY
R318 Dolphin
REVISION DETAIL
https://phabricator.kde.org/D12732
To: ngraham, #dolphin, graesslin
Cc: elvisangelaccio, Fuchs, mmustac, markg
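Point 2 of the comment above rests on telling two situations apart: a root process started with `sudo` (or `pkexec`) from an ordinary user's session, and a process in a session that is root throughout. The following is an added example, not Dolphin's own root check and not code from anyone in this thread. It assumes only what `sudo` and `pkexec` document: `sudo` exports `SUDO_UID` (the invoking user's uid, which is `0` when `sudo` is typed from an already-root shell) and `pkexec` exports `PKEXEC_UID`. A setuid binary with no such marker is recognized by its real uid still being the caller's. The function names and the enum are illustrative.

```c
/* Added example, not Dolphin code: classify how a GUI process came to
 * hold root, so a warning can target "sudo on top of a user session"
 * rather than "the whole session is root".
 * Assumptions (labelled): sudo sets SUDO_UID, pkexec sets PKEXEC_UID;
 * a plain setuid binary keeps the caller's real uid. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

enum priv_context {
    PRIV_UNPRIVILEGED = 0,  /* effective uid is not 0: nothing to warn about */
    PRIV_ELEVATED     = 1,  /* root via sudo/pkexec/setuid over a user session */
    PRIV_ROOT_SESSION = 2   /* real and effective uid 0, no elevation marker */
};

/* Parse a uid from an environment value; -1 if absent or malformed. */
static long parse_uid(const char *s)
{
    char *end;
    unsigned long v;
    if (s == NULL || *s == '\0')
        return -1;
    v = strtoul(s, &end, 10);
    if (*end != '\0')
        return -1;
    return (long)v;
}

enum priv_context classify(uid_t ruid, uid_t euid,
                           const char *sudo_uid, const char *pkexec_uid)
{
    long origin;

    if (euid != 0)
        return PRIV_UNPRIVILEGED;

    /* sudo/pkexec record who invoked them. A nonzero origin uid means an
     * ordinary user's session (and its X display) sits under this process. */
    origin = parse_uid(sudo_uid);
    if (origin < 0)
        origin = parse_uid(pkexec_uid);
    if (origin > 0)
        return PRIV_ELEVATED;
    if (origin == 0)
        return PRIV_ROOT_SESSION;   /* `sudo` typed from a root shell */

    /* No marker at all: a setuid binary still carries the caller's real uid. */
    if (ruid != 0)
        return PRIV_ELEVATED;
    return PRIV_ROOT_SESSION;
}

const char *describe(enum priv_context c)
{
    switch (c) {
    case PRIV_UNPRIVILEGED: return "running as an ordinary user";
    case PRIV_ELEVATED:     return "root on top of an unprivileged session";
    case PRIV_ROOT_SESSION: return "entire session is root";
    }
    return "unknown";
}

int main(void)
{
    enum priv_context c = classify(getuid(), geteuid(),
                                   getenv("SUDO_UID"), getenv("PKEXEC_UID"));
    printf("%s\n", describe(c));
    if (c == PRIV_ELEVATED)
        fprintf(stderr, "warning: root process attached to a display "
                        "owned by an unprivileged user\n");
    return 0;
}
```

The environment is under the invoking user's control, so this is a heuristic for choosing which warning to show, not a security boundary; the refusal check that the thread says sits at the top of Dolphin's `main()` is not reproduced on this page.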
More information about the kfm-devel mailing list