Bug 387950

Summary: Dolphin no longer works under root
Product: [Applications] dolphin
Reporter: Bo Weaver <b0>
Component: general
Assignee: Dolphin Bug Assignee <dolphin-bugs-null>
Status: RESOLVED DUPLICATE
Severity: major
CC: elvis.angelaccio
Priority: NOR
Version: unspecified
Target Milestone: ---
Platform: Other
OS: Linux

Description Bo Weaver 2017-12-16 04:47:45 UTC
Today I updated my system and found that Dolphin and Kate no longer run under root.  I looked and saw that this is considered a security issue.  As a Pen Tester I run under root during testing.  I do understand that normally you would never run under root.  When you are logged in as root then why is it a problem accessing files with Dolphin?  If the problem is there is a security hole from a normal user account because root can access files with Dolphin, then fix the problem; don't just break it and turn it off. This doesn't "fix" anything.

This problem is also a problem with Kate.  So you are telling me that a Text Editor is a security problem. Well, as a security researcher for over 20 years I can tell you the problem is a text editor it is bad code.  Don't be lazy, fix the code.

Dear developers, people need to access system files from time to time and change those files.  Since configuration files in UNIX/Linux type OSes are text files, you need a text editor to change these files.  Systems are not completely configured during install and a person must access the system.  LeafPad and Gedit have no problem running under root.

At least give me the ability to run these applications if I choose to.

I hate to complain. I have been a user since the 1990s and have always loved KDE for its sensible and configurable desktop.  PLEASE be sensible again and don't screw with function.

Thank you
Bo Weaver
Comment 1 Elvis Angelaccio 2017-12-16 12:57:00 UTC
(In reply to Bo Weaver from comment #0)
> Today I updated my system and found that Dolphin and Kate no longer run
> under root.  I looked and saw that this is considered a security issue.  As a
> Pen Tester I run under root during testing.  I do understand that normally
> you would never run under root.  When you are logged in as root then why is
> it a problem accessing files with Dolphin?  If the problem is there is a
> security hole from a normal user account because root can access files with
> Dolphin, then fix the problem; don't just break it and turn it off. This
> doesn't "fix" anything.

No, the problem is that Xorg is not secure. See https://cgit.kde.org/kate.git/commit/?id=9adcebd3c2e476c8a32e9b455cc99f46b0e12a7e


> Dear developers, people need to access system files from time to time and
> change those files.  

Kate already prompts for the root password whenever you edit a system file. Dolphin will soon, hopefully.

*** This bug has been marked as a duplicate of bug 152150 ***
Comment 2 Bo Weaver 2017-12-16 21:32:48 UTC
(In reply to Elvis Angelaccio from comment #1)
> (In reply to Bo Weaver from comment #0)
> > Today I updated my system and found that Dolphin and Kate no longer run
> > under root.  I looked and saw that this is considered a security issue.  As a
> > Pen Tester I run under root during testing.  I do understand that normally
> > you would never run under root.  When you are logged in as root then why is
> > it a problem accessing files with Dolphin?  If the problem is there is a
> > security hole from a normal user account because root can access files with
> > Dolphin, then fix the problem; don't just break it and turn it off. This
> > doesn't "fix" anything.
> 
> No, the problem is that Xorg is not secure. See
> https://cgit.kde.org/kate.git/commit/?id=9adcebd3c2e476c8a32e9b455cc99f46b0e12a7e
> 

I did check out the link and according to the link the problem is "simple bugs in either kate/kwrite itself or in the underlying libraries such as Qt, XLib or xcb."  Wouldn't the correct path be to fix the bugs in the underlying libraries, not just kill the application?  If these are shared libraries then they could also be exploited when, say, the Systems Manager is opened or the Update Manager is run.  Killing Kate wouldn't fix an issue with shared libraries.



> 
> > Dear developers, people need to access system files from time to time and
> > change those files.  
> 
> Kate already prompts for the root password whenever you edit a system file.
> Dolphin will soon, hopefully.

I don't "see" a prompt; I can't open a file.  Kate just doesn't run at all.  Only when starting Kate from the command line am I given an error response.

You missed my point.  I am logged in as root.  Everything I'm doing is dangerous.  I know this and assume all responsibility for this.  I need this function for my job.  Just killing access to Kate and Dolphin will not protect anything when logged in as root.  I'm not talking about sudo or running Kate "as root" from a user's account.  The only thing that is accomplished is I have to use LeafPad to edit a file.  Kate has been my favorite text editor for years.

I do understand that on most machines the root account is and should be locked by default.  When I set up a Linux box for a normal person I leave it this way; you're right, they don't need full access in the same manner I do.  Still, there are some of us that need that level of access and are advanced enough to use a system in that mode and are willing to assume responsibility for any actions taken by themselves.  If your application is not secure enough to be run by a root user it should not even be on the system.

Basically you're saying don't run KDE on Kali Linux.  Is this right?

> 
> *** This bug has been marked as a duplicate of bug 152150 ***