D12732: Implement a more user-friendly run-as-root-or-sudo behavior

Elvis Angelaccio noreply at phabricator.kde.org
Tue May 8 21:54:51 BST 2018


elvisangelaccio added a comment.


  In D12732#259335 <https://phabricator.kde.org/D12732#259335>, @ngraham wrote:
  
  > Please read the arguments I made above. All of those concerns are addressed. I'll repeat them:
  >
  > 1. It is inappropriate for an app to refuse to run on top of an insecure environment. The problem should be fixed at the level of the insecure environment. Did anybody ever submit an X11 patch? We don't hack around problems, we fix them.
  
  
  You cannot fix X11. That's why people are working on Wayland.
  
  > 2. There needs to be a distinction made between running dolphin using sudo (you're now vulnerable to the exploit) and running as the root user (your whole user session was already vulnerable since you're running all GUI software as root anyway). It doesn't make sense to "secure" dolphin in a root session that is already inherently insecure.
  
  This I can agree with. But that's not what this patch is doing ;) (this patch brings back the vulnerability also to non-root sessions).
  
  > 3. It is illogical to damage the user experience in the name of security; we fail at the goal of securing the user if the user becomes unable to use our software in the first place (e.g. for the Kali distro). If you lose your house key, you don't barricade the door so that nobody can go in or out until the locksmith comes. It is user-hostile, inappropriate, and illogical to remove a feature before its replacement is ready.
  
  Finding the right trade-off between security and usability is a hard problem, yes. Note that running Dolphin as root is not a "feature". It's just something that happened to be possible, but it has all sorts of problems and it's never been supported by design.
  
  > Our users are not children. Most of them are professionals or enthusiasts. Let's treat them like adults and provide a warning, but ultimately let them make their own decision. Once PolKit support is finally available to the public, we can revisit the issue of how best to wean users off doing `sudo dolphin` in a humane, user-friendly manner. Until then, I believe that the only professional course of action is to re-add the missing feature, despite its known security vulnerability. If the vulnerability is really so severe as to have warranted the drastic action originally taken here, someone should submit an X11 patch ASAP.
  
  See answers above.
  
  In D12732#259357 <https://phabricator.kde.org/D12732#259357>, @ngraham wrote:
  
  > For a root GUI session, there is no extra vulnerability beyond what you're already vulnerable to by running a root GUI session, right? Does anybody have a reasonable argument to make against at least reverting this for the root GUI session use case?
  
  
  I'd be ok if we revert the change only for the Kali use case (by checking the env variables). Note that POSIX doesn't say that the user with UID 0 must have `root` as name, but we can probably live assuming that no-one is going to rename their `root` user ;)
  
  In D12732#259518 <https://phabricator.kde.org/D12732#259518>, @markg wrote:
  
  > I am slightly surprised that this "feature" (not being able to run dolphin as root) even got in. It's a killer feature (in the negative sense). I sometimes need to run my GUI as root just because there is no user environment setup yet or when the GUI KDE session is somehow broken. Then I tend to start openbox as root and use dolphin as file management. I haven't had to do this in a while though.
  > It all seems to have been triggered by: https://marc.info/?l=kwrite-devel&m=145192458018333&w=2
  > And then pushed (outside of phabricator, **why**) by @emmanuelp in this commit: https://cgit.kde.org/dolphin.git/commit/src/main.cpp?id=0bdd8e0b0516555c6233fdc7901e9b417cf89791
  
  
  The change was reviewed in D4634 <https://phabricator.kde.org/D4634>, Emmanuel just synced Dolphin with Kate.
  
  > So what is the real bug.. Well, this quote describes it:
  >
  >> Now I sat down and implemented the attached exploit. The key idea is to use an
  >> embedded konsole window in a root owned process and send it key events. See
  >> the attached README as well.
  >
  > That is from the above-mentioned link on marc.info.
  >
  > Why is that an exploit again? You are root to gain root... **you are root already!**
  > I don't see why that is a bug.
  
  It's not dolphin that is gaining root. **Any non-root process** can trivially gain root access if there is a dolphin or kate or konsole window running as root.
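As an added illustration (not code from Dolphin or from anyone in this review), here is the kind of check the "revert only for the root-session case by looking at env variables" idea implies: it keys on the effective UID rather than the user name, and treats the `SUDO_UID` variable that sudo exports as the hint that an ordinary user escalated. The enum and function names are my own.

```cpp
// Added example, not Dolphin code: classify how a process came to hold root.
#include <cstdlib>
#include <string>
#include <unistd.h>

enum class PrivilegeContext { Unprivileged, SudoFromUser, FullRootSession };

// Pure decision function so it can be tested without actually running as root.
// euid: effective UID of the process; sudoUid: value of $SUDO_UID, "" if unset.
PrivilegeContext classifyPrivileges(uid_t euid, const std::string &sudoUid)
{
    // The UID, not the user name, is the fact that matters: POSIX does not
    // require UID 0 to be called "root".
    if (euid != 0) {
        return PrivilegeContext::Unprivileged;
    }
    // sudo exports SUDO_UID/SUDO_USER with the invoking user's identity. A
    // non-zero SUDO_UID means an unprivileged user escalated into this process,
    // i.e. the "sudo dolphin" case rather than a whole session running as root.
    if (!sudoUid.empty() && sudoUid != "0") {
        return PrivilegeContext::SudoFromUser;
    }
    return PrivilegeContext::FullRootSession;
}

// Reads the live process state. SUDO_* are ordinary environment entries, so
// they are a usability hint only, never a security boundary: any parent can
// clear them before exec. Only the euid check is a hard fact.
PrivilegeContext currentPrivilegeContext()
{
    const char *sudoUid = std::getenv("SUDO_UID");
    return classifyPrivileges(geteuid(), sudoUid ? sudoUid : "");
}
```

A caller would show its warning (or refuse) only for `SudoFromUser`, which is the distinction the thread argues for; a full root session is left alone because nothing the application does can make that session safer.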

REPOSITORY
  R318 Dolphin

REVISION DETAIL
  https://phabricator.kde.org/D12732

To: ngraham, #dolphin, graesslin
Cc: emmanuelp, zzag, nicolasfella, elvisangelaccio, Fuchs, mmustac, markg