Bug 406673

Summary: Security: Sudo Restriction Bypass
Product: [Applications] kate Reporter: Harley A.W. Lorenzo <hl1998>
Component: generalAssignee: KWrite Developers <kwrite-bugs-null>
Status: RESOLVED NOT A BUG    
Severity: critical CC: christoph
Priority: NOR    
Version First Reported In: Git   
Target Milestone: ---   
Platform: Debian testing   
OS: Linux   
Latest Commit: Version Fixed/Implemented In:
Sentry Crash Report:

Description Harley A.W. Lorenzo 2019-04-19 06:12:23 UTC 
SUMMARY
When kate is ran, it checks if SUDO_USER is empty, and if it is not, kate exits with a message stating due to security concerns running as sudo is disabled. However, one can continue to run kate as sudo very easily.

STEPS TO REPRODUCE
1. sudo bash -c "unset SUDO_USER && kate"

OBSERVED RESULT
It runs under sudo

EXPECTED RESULT
It would exit without running under sudo

ADDITIONAL INFORMATION

I am marking it as critical initially because I am unsure of the security implications of running under sudo in this way and whether the security concerns are mitigated via this special procedure or if the security concerns are still present.
Comment 1 Christoph Cullmann 2019-04-19 16:18:29 UTC 
This message and error handling is only to avoid accidental use as root.
If you actively workaround by resetting the env var, it will not work.
I don't see an issue with that, most other X11 applications don't warn at all and let it be the users responsibility to don't run them as root.