Suggestion to Remove KFloppy and hold back K3b
wbauer at tmo.at
Wed Feb 22 19:18:16 UTC 2017
Am Dienstag, 21. Februar 2017, 18:55:00 schrieb Nicolás Alvarez:
> > On Feb 15, 2017, at 17:58, Wolfgang Bauer <wbauer at tmo.at> wrote:
> > Am Mittwoch, 15. Februar 2017, 22:21:19 schrieb Martin Gräßlin:
> >> Please do not consider starting a GUI application as root a possibility.
> > Ok, but partitionmanager does exactly that. It restarts itself as root if
> > run as user.
> > So that instantly would rule out partionmanager as a proposed replacement,
> > I suppose.
> > But KFloppy is quite a simple application.
> > There should not really be a special risk involved running it as root, but
> > I might be mistaken there.
> Sounds like you're challenging Martin to write a take-over-machine exploit
> via root KFloppy, and I would bet money that he would succeed ;)
No, I don't.
I just meant to say that the attack surface is smaller that for (certain)
You definitely cannot open a root konsole and run arbitrary commands as root
by just sending fake key presses to kfloppy... ;)
I already wrote that restarting the application as root was just one idea to
work around permission problems. (I even mentioned using kauth as option too
in my first mail, and that's what I'll try to implement...)
And to repeat: I already dropped that idea completely.
So I don't see a point in continuing the discussion about this here.
More information about the release-team