[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Can't run apps as root in KDE

Hi,

I have to admit that for some desktop system with passwordless sudo
policy, you may not gain much security advantage by not using root,
since your user account is practically root in terms of security...

On Sat, Jul 02, 2011 at 08:40:31AM +0000, Camaleón wrote:
> On Sat, 02 Jul 2011 11:42:13 +0900, Osamu Aoki wrote:
> 
> > On Fri, Jul 01, 2011 at 12:07:25PM -0700, T Elcor wrote:
>  
> >> Am having problems running KDE apps as root. 
> 
> (...)
> 
> > I do not know about exact reason why but...
> > 
> > Generally, it is bad idea to run desktop application as root.  So
> > application system may put some checks and prevent you to run as root.
> > This is due to security concern.
> 
> There can be zillion of reasons to run an application as root so I hope 
> this options is still available.

There are reason to run some system configuration applications as root
but this does not require you to login as root to X via kdm/gdm/....

I do not think firefox is type of program requring root...

> It is also possible to run a full DE session under root, but that's 
> another story.
> 
> > Why do this?  I see no reason to overcome this security measure.
> 
> What security measure? Can you please expand that? 

If you get compromised for an user account, the attacker can not do bad
things beyond that account if it does not gain root.  If the attacker
gets to do thing as root, that is the worst thing you want to have.  

You never know remote site accessed by firefox may contain page contents
which tries to exploit security hole of firefox before they are fixed.

> Is there something at 
> kde that changed and users need to know? Since years I've been instructed 
> in running "kdesu" or "gksu" as the recommended way for doing it so, 

At least, Debian Reference says
http://www.debian.org/doc/manuals/debian-reference/ch07.en.html
(Yes, that's me.)

> what's wrong with this? Is there a new tool that supersedes it?

For system administration GUI packages, these are GUI frontend to invoke
them.  Nothing supersede them but there are other tools if you know how.

Googling "running desktop as root security" seems to indicate people
tends to do this for desktop. 
 http://www.micro-hard.dreamhosters.com/root_GUI_login/
This guy seems to be knowledgeable enough and doing this just for fun
while knowing its risks.  Maybe his old page may give you idea.

For me, I have no reason to use root_GUI_login since I can do everything
I need without it.  Every tiny bits count when it comes to security.

> > FYI:
> > If you are doing this for debug purpose, you can change user on console
> > using su or sudo under proper configuration done from root.  When
> > switching to root, you need to preserve environment to get connected to
> > X, as you might have known.
> 
> Running a X app after "su -" has been failing for some time, I'm afraid  
> this is not an option anymore.
> 
> stt008:~# firefox
> Error: no display specified

try "su -p ;firefox".  I wrote the above after double checking this works
now for firefox still :-) This is because values of the old user's
"$XAUTHORITY" and "$DISPLAY" environment variables must be copied to the
new user's ones.

Do not try to peek into unsafe URLs.

Anyway, please think twice before playing with fire.

Osamu
Reply to: