[Wayland-bugs] [Bug 772875] [wayland] can't run application as root using sudo

2016-10-18 Thread gtk+
https://bugzilla.gnome.org/show_bug.cgi?id=772875

--- Comment #5 from Emmanuele Bassi (:ebassi)  ---
(In reply to taijian from comment #4)
> I am sorry, but I do take issue with the stance that: "There is no reason
> whatsoever to run a GUI application as root". What you mean to say is that
> YOU PERSONALLY can not think of an instance where the benefit of doing so
> will outweigh the downsides, as you perceive them, of doing so.

Speaking as the developer of a GUI toolkit, and as an application developer,
no: there are no *real*, substantiated, technological reasons why anybody
should run a GUI application as root. By running GUI applications as an admin
user you're literally running millions of lines of code that have not been
audited properly to run under elevated privileges; you're also running code
that will touch files inside your $HOME and may change their ownership on the
file system; connect, via IPC, to even more running code, etc.

You're opening up a massive, gaping security hole — likely because application
developers were too lazy to properly do separation between the code that
creates and manages the GUI bits, and the code that executes the privileged
operations.

> To say that
> there definitely is no reason, and that there can never BE any reason

It's software: *everything* is possible.

It's possible that, at some point down the line, all the code on your OS will
be auditable *and* audited, and it's going to be safe to trust every
application, library, service, and kernel module, including all the potential
interactions between all these components. It's possible, but *incredibly*
unlikely.

Additionally, this is not the direction things are going; applications are
untrusted by default, because they may come from anywhere and signing them with
a GPG key does not automatically make them trustworthy; and, as such, GUI
applications are getting sandboxed — at various levels: file system, network,
display server, etc.

> to see things differently, is the exact same mindset of engineered arrogance
> that drove me away from Microsoft Windows. 

To see things differently from your position is just the result of actually
having to write the OS that you're using.

> Suppose, just for the moment, that I would like to run GParted. That is a
> GUI application that kinda benefits from being run as root.

No, it really doesn't.

The GUI part should be running as your user, and it should defer the privileged
operations to an auditable, self-contained, *minimal* piece of code that gets
executed after doing a privilege escalation, and gets dropped when not needed.

This is how applications that interact with any privileged operation, such as
interacting with hardware or with system services, should be written.

> Of course, there
> is no NEED, as such, to use this particular application. I could just use
> parted from the CLI. But, just suppose, that I would rather like to do some
> things in a GUI. And just suppose, for a moment, that there are other people
> out there, who, like me, would like to continue to use Linux, but with a
> functional GUI, that lets us do things we are not allowed to do in Windows,
> because they are dangerous. 

That has nothing to do with Windows.

Modern Windows API and applications use sandboxing, localised privilege
escalation, and separation of logic from UI.

Linux applications don't, because they were written for a platform that did not
have any of these things, and assumed that the users were capable of just
fixing a hosed system. This is not true any more, if it ever was true.

> Linux lets me do stuff like 'sudo rm -rf /*'.

Which is not a GUI application, it's self-contained, does not call random
services via IPC, and it's easily auditable.

> Yet I manage. So don't try to
> patronize everyone by telling them they can't run GUI applications as root
> 'because it is dangerous'.

It's not "because it's dangerous"; that's a straw man that you built yourself
out of your entitlement and lack of understanding, and are now having fun
dismantling. It's also something I did not say.

GUI applications should not run as root because it's *insecure*. Because it's
irresponsible towards users and their data. And, lastly, because it's simply
not necessary, given the technological context in which applications are
written.

> Unless you WANT to make people use X. Because
> this is how you make people use X.

X was written with a security and threat model that is simply irresponsible to
use in 2016.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
wayland-bugs mailing list
wayland-bugs@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/wayland-bugs


[Wayland-bugs] [Bug 772875] [wayland] can't run application as root using sudo

2016-10-18 Thread gtk+
https://bugzilla.gnome.org/show_bug.cgi?id=772875

taij...@posteo.de changed:

   What      |Removed |Added
   CC        |        |taij...@posteo.de

--- Comment #4 from taij...@posteo.de ---
I am sorry, but I do take issue with the stance that: "There is no reason
whatsoever to run a GUI application as root". What you mean to say is that YOU
PERSONALLY can not think of an instance where the benefit of doing so will
outweigh the downsides, as you perceive them, of doing so. To say that there
definitely is no reason, and that there can never BE any reason, to see things
differently, is the exact same mindset of engineered arrogance that drove me
away from Microsoft Windows. 

Suppose, just for the moment, that I would like to run GParted. That is a GUI
application that kinda benefits from being run as root. Of course, there is no
NEED, as such, to use this particular application. I could just use parted from
the CLI. But, just suppose, that I would rather like to do some things in a
GUI. And just suppose, for a moment, that there are other people out there,
who, like me, would like to continue to use Linux, but with a functional GUI,
that lets us do things we are not allowed to do in Windows, because they are
dangerous. 

Linux lets me do stuff like 'sudo rm -rf /*'. Yet I manage. So don't try to
patronize everyone by telling them they can't run GUI applications as root
'because it is dangerous'. Unless you WANT to make people use X. Because this
is how you make people use X.



[Wayland-bugs] [Bug 772875] [wayland] can't run application as root using sudo

2016-10-13 Thread gtk+
https://bugzilla.gnome.org/show_bug.cgi?id=772875

--- Comment #3 from Mohammed Sadiq  ---
Hm.. Lots of newbies will have a hard time moving from X11 to Wayland then.
Yeah, I agree, this will improve security tho.



[Wayland-bugs] [Bug 772875] [wayland] can't run application as root using sudo

2016-10-13 Thread gtk+
https://bugzilla.gnome.org/show_bug.cgi?id=772875

Emmanuele Bassi (:ebassi)  changed:

   What      |Removed |Added
   CC        |        |eba...@gmail.com

--- Comment #2 from Emmanuele Bassi (:ebassi)  ---
To further elaborate: the appropriate way to run gedit with sudo is:

  export EDITOR=gedit
  sudo -e /etc/some/file/owned/by/root

which will run gedit in your session, on a temporary file, and then sudo will
swap the temporary file with the target.

If you want to just browse files, GVFS now has an 'admin:' URI scheme which
will let you open files via appropriate privilege escalation through polkit.

In short: there is no reason whatsoever to run a GUI application — with its
unknown security surface, using various dependencies at build and run time,
themselves with unknown security surface — as root.

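The sudo -e workflow described in this comment, and the "GUI runs as your user, a minimal auditable piece installs the result" split argued in Comment #5 above, as an added illustration (my own code, not sudo's and not from the thread): the privileged side only copies the file out to a scratch copy and installs it back if it changed and is still a regular file; the editor callback stands in for gedit, and `demo`, `append_line` and `swap_for_link` are constructed helpers.

```python
import os
import shutil
import stat
import tempfile
from pathlib import Path
from typing import Callable, Tuple

# Constructed illustration of the sudoedit (sudo -e) pattern: the editor never
# runs with privileges; only a small copy-in / copy-out step does. Real sudoedit
# also chowns the scratch copy to the invoking user and runs the editor as that
# user; that part needs root and is not modelled here.

def edit_via_scratch_copy(target: str, editor: Callable[[str], None]) -> bool:
    """Edit `target` through a scratch copy; return True if it was replaced."""
    tpath = Path(target)
    original = tpath.read_bytes()                      # privileged read
    fd, scratch = tempfile.mkstemp(prefix="sudoedit-", suffix=tpath.suffix)
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(original)
        editor(scratch)                                # unprivileged step (the GUI)
        if not stat.S_ISREG(os.lstat(scratch).st_mode):
            raise RuntimeError("scratch copy is no longer a regular file; refusing")
        edited = Path(scratch).read_bytes()
        if edited == original:
            return False                               # unchanged: nothing to install
        fd2, staged = tempfile.mkstemp(dir=tpath.parent, prefix=".staged-")
        with os.fdopen(fd2, "wb") as f:
            f.write(edited)
        shutil.copymode(target, staged)                # keep the target's mode bits
        os.replace(staged, target)                     # atomic swap, as sudo does on exit
        return True
    finally:
        if os.path.lexists(scratch):
            os.unlink(scratch)

def demo(editor: Callable[[str], None]) -> Tuple[bool, str]:
    """Run the workflow on a throwaway config file; returns (changed, final text)."""
    with tempfile.TemporaryDirectory() as d:
        cfg = os.path.join(d, "file.conf")
        Path(cfg).write_text("key=old\n")
        changed = edit_via_scratch_copy(cfg, editor)
        return changed, Path(cfg).read_text()

def append_line(path: str) -> None:          # stands in for the GUI editor saving
    with open(path, "a") as f:
        f.write("key2=new\n")

def swap_for_link(path: str) -> None:        # misbehaving editor: copy becomes a symlink
    os.unlink(path)
    os.symlink(os.devnull, path)
```

The third case shows why the install step checks the scratch copy before trusting it: anything the unprivileged editor did to the copy other than editing it is rejected and the target is left untouched.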


[Wayland-bugs] [Bug 772875] [wayland] can't run application as root using sudo

2016-10-13 Thread gtk+
https://bugzilla.gnome.org/show_bug.cgi?id=772875

Matthias Clasen  changed:

   What      |Removed |Added
   Status    |NEW     |RESOLVED
   CC        |        |mcla...@redhat.com
   Resolution|---     |NOTABUG

--- Comment #1 from Matthias Clasen  ---
Not a bug, per se. Running graphical applications as root in this way is not
the recommended way to go about things.

If you insist,

  XDG_RUNTIME_DIR=/run/user/$SUDO_UID gedit

will work as root.
