D12795: Re-allow running Dolphin as the root user (but still not using sudo)

Martin Flöser noreply at phabricator.kde.org
Sun May 20 18:44:59 BST 2018


graesslin added inline comments.

INLINE COMMENTS

> ngraham wrote in main.cpp:47
> If you're *already* using a root session, what *additional* security is gained by preventing the use of the file manager? Couldn't malicious software own your terminal too?
> 
> I know you're against root session use. I'm not in favor of it myself. But IMHO it's not our job as DE providers to make this decision for our users or their distros. This change has broken Kali, a popular KDE-using distro. openSUSE has already patched it out. Kali may eventually have to patch it out too, or switch to another DE. I assume that's not what we want...
> 
> Ultimately Dolphin's maintainer should make the call, but I really think that this is a case where we shouldn't destroy a part of the user experience in the interests of security. We shouldn't take the lazy way out of just saying, "access blocked, too bad, my job is finished." That's not in line with the focus on Usability and Productivity that the KDE community has voted on. With this patch, I've tried to moderate the security check by re-allowing a use case that does not actually represent an additional security vulnerability, while preserving the original intention. I will let the Dolphin maintainers make the call in the end.

We also have a focus on security. Your change destroys part of a security improvement we did. Please don't argue with the focus on Usability, as security is also a focus.

I give you something to think about for the usability aspect. Users harassed me because of this change, although I have not done it. This has happened several times. Do we want to cave to the small number of users who go so far as to send hate mail to core KDE developers? I strongly suggest not giving in to such bullying behavior.

Yes, insecure distributions like openSUSE decide to patch - and that's fine. That's their decision. We don't need to make their decision our default. Distributions can easily patch this. That's their job. They integrate our products with their product. If they think running Dolphin as root is a valid use case, they can patch.

REPOSITORY
  R318 Dolphin

REVISION DETAIL
  https://phabricator.kde.org/D12795

To: ngraham, markg, elvisangelaccio, #dolphin
Cc: cfeck, elvisangelaccio, mmustac, Fuchs, markg, graesslin, nicolasfella, zzag, kfm-devel, emmanuelp, spoorun, navarromorales, isidorov, firef, andrebarros