Re: Can't run apps as root in KDE



Hi,

I have to admit that for some desktop system with passwordless sudo
policy, you may not gain much security advantage by not using root,
since your user account is practically root in terms of security...

On Sat, Jul 02, 2011 at 08:40:31AM +0000, Camaleón wrote:
On Sat, 02 Jul 2011 11:42:13 +0900, Osamu Aoki wrote:

On Fri, Jul 01, 2011 at 12:07:25PM -0700, T Elcor wrote:

Am having problems running KDE apps as root.

(...)

I do not know about exact reason why but...

Generally, it is bad idea to run desktop application as root. So
application system may put some checks and prevent you to run as root.
This is due to security concern.

There can be zillion of reasons to run an application as root so I hope
this options is still available.

There are reason to run some system configuration applications as root
but this does not require you to login as root to X via kdm/gdm/....

I do not think firefox is type of program requring root...

It is also possible to run a full DE session under root, but that's
another story.

Why do this? I see no reason to overcome this security measure.

What security measure? Can you please expand that?

If you get compromised for an user account, the attacker can not do bad
things beyond that account if it does not gain root. If the attacker
gets to do thing as root, that is the worst thing you want to have.

You never know remote site accessed by firefox may contain page contents
which tries to exploit security hole of firefox before they are fixed.

Is there something at
kde that changed and users need to know? Since years I've been instructed
in running "kdesu" or "gksu" as the recommended way for doing it so,

At least, Debian Reference says
http://www.debian.org/doc/manuals/debian-reference/ch07.en.html
(Yes, that's me.)

what's wrong with this? Is there a new tool that supersedes it?

For system administration GUI packages, these are GUI frontend to invoke
them. Nothing supersede them but there are other tools if you know how.

Googling "running desktop as root security" seems to indicate people
tends to do this for desktop.
http://www.micro-hard.dreamhosters.com/root_GUI_login/
This guy seems to be knowledgeable enough and doing this just for fun
while knowing its risks. Maybe his old page may give you idea.

For me, I have no reason to use root_GUI_login since I can do everything
I need without it. Every tiny bits count when it comes to security.

FYI:
If you are doing this for debug purpose, you can change user on console
using su or sudo under proper configuration done from root. When
switching to root, you need to preserve environment to get connected to
X, as you might have known.

Running a X app after "su -" has been failing for some time, I'm afraid
this is not an option anymore.

stt008:~# firefox
Error: no display specified

try "su -p ;firefox". I wrote the above after double checking this works
now for firefox still :-) This is because values of the old user's
"$XAUTHORITY" and "$DISPLAY" environment variables must be copied to the
new user's ones.

Do not try to peek into unsafe URLs.

Anyway, please think twice before playing with fire.

Osamu


--
To UNSUBSCRIBE, email to debian-user-REQUEST@xxxxxxxxxxxxxxxx
with a subject of "unsubscribe". Trouble? Contact listmaster@xxxxxxxxxxxxxxxx
Archive: http://lists.debian.org/20110702095711.GA5079@xxxxxxxxxx



Relevant Pages

  • RE: Linux hacked
    ... Subject: Linux hacked ... After you boot up into the OS running from CD, ... >> First let me say I'm a security novice. ... >> been unsuccessful in getting root back. ...
    (Security-Basics)
  • Re: Screensaver takes too much time to fade-out...
    ... If you are serious about making your machine secure, ... learn a thing or two about security. ... These logs are mailed to the root user at 3am. ... Setup dovecot and use a local email client to fetch it. ...
    (Fedora)
  • Re: Linux hacked
    ... is to boot your system with a separate ... You can't trust the logs, ... >> First let me say I'm a security novice. ... >> been unsuccessful in getting root back. ...
    (Security-Basics)
  • Re: Is my system secure? What else should I do?
    ... As with any security, it must be a balance between secure and useability. ... remain on the root partition to be used on boot up and you don't want to ... > Security applet in the Mandrake Control Center and disable root login ... LiveCD and gain FULL access to your system that way. ...
    (comp.os.linux.security)
  • RE: Linux hacked
    ... Also, what exactly did the history file show, can you paste it into a mail ... > First let me say I'm a security novice. ... > been unsuccessful in getting root back. ... > via ssh but you could su in once logged in as one of three users. ...
    (Security-Basics)