On running gui applications as root

Andrew Lutomirski luto at mit.edu
Wed Nov 18 19:53:35 UTC 2015 

On Wed, Nov 18, 2015 at 10:49 AM, Adam Jackson <ajax at redhat.com> wrote:
> On Tue, 2015-11-17 at 17:30 +0000, Andrew Haley wrote:
>> On 11/02/2015 03:05 PM, Adam Jackson wrote:
>> > But, why take the risk exposure, when you could simply not?
>>
>> How else would I edit root-owned files?  I don't get it.  I mean,
>> I guess I could run an editor in a text window, but I don't want to
>> do that.
>
> That's kind of a non sequitur. To a first order, there are zero root-
> owned files you need to edit routinely. And I feel pretty comfortable
> calling any counterexamples bugs that need fixing.
>
>> And finally, it's *my computer*, dammit.
>
> In the threat model being described, no, it is not, there's another
> agent on the system subverting your use of it.
>
> You are of course free to disregard that risk, or measure it in the
> event and conclude it's safe enough, and in many cases it will in fact
> be safe. Great, fine, that's a conclusion a consumer can come to. But
> in the Fedora context we are the producer, not the consumer. Developing
> an operating system means considering what is best in the general case,
> and in the general case, if using the system requires a known-dangerous
> configuration, we've done our job poorly.
>
> Phrased another way: no, it's not *your computer* we're talking about
> here. The computer in question rightfully belongs to someone else; we
> are here discussing how to be responsible for the code they allow us to
> run on it.

I don't understand.  If a user who has the right to act as root asks
to authorize a program to run as root on their behalf, we should grant
that request.  And, once we grant it, we shouldn't be
passive-aggressive and say "sure you can run it, but no graphics for
you!".

Sure, if we want to block attacks in which an untrusted non-root
program subverts the root program, then great!  But we should really
start by stopping attacks in which an untrusted non-root program runs
sudo itself, edits .bashrc to redirect sudo to something malicious,
subverts the (non-root!) terminal in which the user types sudo, etc

IOW, we're solving only one tiny special case of a broad problem, and
it's more annoying than helpful.

--Andy

More information about the devel mailing list