--- Comment #5 from Emmanuele Bassi (:ebassi) <> ---
(In reply to taijian from comment #4)
> I am sorry, but I do take issue with the stance that: "There is no reason
> whatsoever to run a GUI application as root". What you mean to say is that
> YOU PERSONALLY can not think of an instance where the benefit of doing so
> will outweigh the downsides, as you perceive them, of doing so.

Speaking as the developer of a GUI toolkit, and as an application developer,
no: there are no *real*, substantiated, technological reasons why anybody
should run a GUI application as root. By running GUI applications as an admin
user you're literally running millions of lines of code that have not been
audited properly to run under elevated privileges; you're also running code
that will touch files inside your $HOME and may change their ownership on the
file system; connect, via IPC, to even more running code, etc.

You're opening up a massive, gaping security hole — likely because application
developers were too lazy to properly do separation between the code that
creates and manages the GUI bits, and the code that executes the privileged

> To say that
> there definitely is no reason, and that there can never BE any reson

It's software: *everything* is possible.

It's possible that, at some point down the line, all the code on your OS will
be auditable *and* audited, and it's going to be safe to trust every
application, library, service, and kernel module, including all the potential
interactions between all these components. It's possible, but *incredibly*

Additionally, this is not the direction things are going; applications are
untrusted by default, because they may come from anywhere and signing them with
a GPG key does not make automatically trustworthy; and, as such, GUI
applications are getting sandboxed — at various levels: file system, network,
display server, etc.

> to see things differently, is the exact same mindset of engineered arrogance
> that drove me away from Microsoft Windows. 

To see things differently from your position is just the result of actually
having to write the OS that you're using.

> Suppose, just for the moment, that I would like to run GParted. That is a
> GUI application that kinda benefits from being run as root.

No, it really doesn't.

The GUI part should be running as your user, and it should defer the privileged
operations to an auditable, self-contained, *minimal* piece of code that gets
executed after doing a privilege escalation, and gets dropped when not needed.

This is how applications that interact with any privileged operation, such as
interacting with hardware or with system services, should be written.

> Of course, there
> is no NEED, as such, to use this particular application. I could just use
> parted from the CLI. But, just suppose, that I would rather like to do some
> things in a GUI. And just suppose, for a moment, that there are other people
> out there, who, like me, would like to continue to use Linux, but with a
> functional GUI, that lets us do things we are not allowed to do in Windows,
> because they are dangerous. 

That has nothing to do with Windows.

Modern Windows API and applications use sandboxing, localised privilege
escalation, and separation of logic from UI.

Linux applications don't, because they were written for a platform that did not
have any of these things, and assumed that the users were capable of just
fixing a hosed system. This is not true any more, if it ever was true.

> Linux lets me do stuff like 'sudo rm -rf /*'.

Which is not a GUI application, it's self-contained, does not call random
services via IPC, and it's easily auditable.

> Yet I manage. So don't try to
> patronize everyone by telling them they can't run GUI applications as root
> 'because it is dangerous'.

It's not "because it's dangerous"; that's a straw man that you built yourself
out of your entitlement and lack of understanding, and are now having fun
dismantling. It's also something I did not say.

GUI applications should not run as root because it's *insecure*. Because it's
irresponsible towards users and their data. And, lastly, because it's simply
not necessary, given the technological context in which applications are

> Unless you WANT to make people use X. Because
> this is how you make people use X.

X was written with a security and threat model that is simply irresponsible to
use in 2016.

You are receiving this mail because:
You are on the CC list for the bug.
wayland-bugs mailing list

Reply via email to