Suggestion to Remove KFloppy and hold back K3b

Martin Gräßlin mgraesslin at kde.org
Wed Feb 15 21:21:19 UTC 2017


On 2017-02-15 19:50, Wolfgang Bauer wrote:
> On 11 February 2017 at 13:44, Jonathan Riddell <jr at jriddell.org> wrote:
>> I recommend KFloppy be removed from Applications releases.  It
>> couldn't find my floppy drive and when I hacked the code to tell it
>> where to look it depended on an external tool fdformat which didn't
>> work anyway.
> 
> KFloppy and fdformat work fine here in openSUSE, I do use it regularly (with
> an internal floppy drive).
>
> And as the current maintainer, I'd prefer to (try to) fix problems instead of
> having it dropped.
> 
> I'm a bit surprised that in the test the floppy drive showed up as /dev/sdc
> though, mine always have been and still are at /dev/fd0...
> I suppose that was an external one?
> Not sure how to fix that then, it supposedly can be a random /dev/sdX...
> 
> There is a (somewhat "hidden") feature though to use any device you want: just
> enter it into the text field (this is mentioned in the documentation, it's a
> rather old feature already and intended to be able to format USB sticks too,
> or other unpartitioned devices).
> It would definitely be possible to list all /dev/sdX devices in the chooser
> too, but that may be dangerous and cause data loss without any further check
> that it is really a floppy drive (or USB stick).
> I have to think about that one.
> 
> I am aware of one particular problem related to permissions though:
> Normally the device can only be accessed by members of the group "disk" (or
> "floppy"), but modern distributions tend to not add users to these groups any
> more.
>
> You'd have to add the user to the appropriate group manually to make KFloppy
> and fdformat work, or run KFloppy as root.
> Not great, I agree.
> 
> Actually I was thinking about this problem recently though.
> 
> The error message could definitely be improved.
> 
> And one "solution" would probably be to make KFloppy offer to restart itself
> as root (if it detects insufficient permissions) like partitionmanager does
> it.

Please do not consider starting a GUI application as root a possibility. 
Starting a root process which connects to X server means a possible 
instant owning! This is the easiest way to get a root exploit. I wrote 
one against dolphin running as root last year, you can find it in my 
scratch repo on git.kde.org.

If users actually run KFloppy as root, please make sure that it is not 
possible! Please add a check prior (!) to the creation of 
Q(Gui)Application and terminate if it is run as root. It's important to 
do the check prior to creating Q(Gui)Application as the ctor performs 
the connection to XServer and afterwards it might be too late.

The only viable solution is using KAuth. If this doesn't work for 
KFloppy, then I would agree that for security reasons we need to declare 
it as eol.

I consider this as highly important! We need to get away from running 
GUI applications as root. It's insecure, it's dangerous and broken (yes, 
a root app has problems connecting to a user Display server, such as 
rootless-X11 or Wayland). We as a community need to stop recommending 
this. We need to make sure that applications which users might run as 
root just exit with a warning.

Cheers
Martin, the broken "you shall not run X11 apps as root"-record
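
The startup check requested in the message above, as an added example that is not part of the original mail and not KFloppy code. It goes slightly beyond the mail by refusing when either the real or the effective uid is 0; the function names are hypothetical, and the Qt construction is shown only as a comment so the block builds without Qt.

```cpp
// Added example, not KFloppy code: refuse to start as root before any
// toolkit object opens a connection to the display server.
#include <cstdio>
#include <cstdlib>
#include <unistd.h>

// True when the process holds root in either its real or effective uid.
// Takes the uids as parameters so the decision can be tested unprivileged.
bool is_root_context(uid_t real_uid, uid_t effective_uid) {
    return real_uid == 0 || effective_uid == 0;
}

// Returns an exit code when startup must be aborted, or -1 to continue.
// The warning goes to stderr: a message box would itself need the display
// connection this guard exists to prevent.
int startup_guard(uid_t real_uid, uid_t effective_uid, const char *app_name) {
    if (!is_root_context(real_uid, effective_uid))
        return -1;
    std::fprintf(stderr,
                 "%s: refusing to run as root (uid=%lu, euid=%lu).\n"
                 "Start it as a regular user instead.\n",
                 app_name, (unsigned long)real_uid,
                 (unsigned long)effective_uid);
    return EXIT_FAILURE;
}

int main(int argc, char **argv) {
    (void)argc;
    // First statement in main(): nothing before this touches the display.
    int rc = startup_guard(getuid(), geteuid(), argv[0]);
    if (rc != -1)
        return rc;

    // Only past this point would the application object be constructed, e.g.
    //     QApplication app(argc, argv);   // connects to the display server
    //     return app.exec();
    return EXIT_SUCCESS;
}
```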

