[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Can't run apps as root in KDE

On Sat, 02 Jul 2011 18:57:11 +0900, Osamu Aoki wrote:

> I have to admit that for some desktop system with passwordless sudo
> policy, you may not gain much security advantage by not using root,
> since your user account is practically root in terms of security...


> On Sat, Jul 02, 2011 at 08:40:31AM +0000, Camaleón wrote:

>> > Generally, it is bad idea to run desktop application as root.  So
>> > application system may put some checks and prevent you to run as
>> > root. This is due to security concern.
>> There can be zillion of reasons to run an application as root so I hope
>> this options is still available.
> There are reason to run some system configuration applications as root
> but this does not require you to login as root to X via kdm/gdm/....

No one said nothing about "login" as root but "running" an app as root.

> I do not think firefox is type of program requring root...

I only have 2 users in my debian box: me and root.

When I need to test if there is a configuration issue with the browser 
(or my Gnome profile), I launch it as root because it has an almost empty 
firefox profile.

And it is also understandable that new users prefer to edit some files 
with Kwrite or Gedit instead by using another command line tools, though 
not a perfect way to make things. New users will learn this in their way 
to linux...

>> > Why do this?  I see no reason to overcome this security measure.
>> What security measure? Can you please expand that?
> If you get compromised for an user account, the attacker can not do bad
> things beyond that account if it does not gain root.  If the attacker
> gets to do thing as root, that is the worst thing you want to have.
> You never know remote site accessed by firefox may contain page contents
> which tries to exploit security hole of firefox before they are fixed.

I understand that, but I'm afraid we are not taking here about login into 
DE as root users but launching one application as root.
>> Is there something at
>> kde that changed and users need to know? Since years I've been
>> instructed in running "kdesu" or "gksu" as the recommended way for
>> doing it so,
> At least, Debian Reference says
> http://www.debian.org/doc/manuals/debian-reference/ch07.en.html (Yes,
> that's me.)

Should I need to focus in any specific section? Or to put it simple, is 
kdesu/gksu not recommended anymore? In such case, what is now the 
recommended way for launching a X application as root? Or is that there 
is no way?

>> what's wrong with this? Is there a new tool that supersedes it?
> For system administration GUI packages, these are GUI frontend to invoke
> them.  Nothing supersede them but there are other tools if you know how.

Ah, that sounds better :-)
> Googling "running desktop as root security" seems to indicate people
> tends to do this for desktop.
>  http://www.micro-hard.dreamhosters.com/root_GUI_login/
> This guy seems to be knowledgeable enough and doing this just for fun
> while knowing its risks.  Maybe his old page may give you idea.

I will never recommend running a full KDE session as root user. But 
again, I think this is not the case we are talking about, unless I have 
understood it in the wrong way.
> For me, I have no reason to use root_GUI_login since I can do everything
> I need without it.  Every tiny bits count when it comes to security.

Roor login or launching an app as root?

>> > FYI:
>> > If you are doing this for debug purpose, you can change user on
>> > console using su or sudo under proper configuration done from root. 
>> > When switching to root, you need to preserve environment to get
>> > connected to X, as you might have known.
>> Running a X app after "su -" has been failing for some time, I'm afraid
>> this is not an option anymore.
>> stt008:~# firefox
>> Error: no display specified
> try "su -p ;firefox".  

It happens nothing in my lenny (I become root, but firefox is not 
launched). Maybe "su -p" and then run "firefox" but it keeps my user's 
setting that is not what I would need. I need root's ones.

> I wrote the above after double checking this works now for firefox
> still :-) This is because values of the old user's "$XAUTHORITY" and
> "$DISPLAY" environment variables must be copied to the new user's ones.

Yes, but running in that way does not help for several cases.
> Do not try to peek into unsafe URLs.

It's just for testing! Nobody will browse the web every day from a root's 
> Anyway, please think twice before playing with fire.

We need to play with fire... sometimes :-)



Reply to: