On running gui applications as root

Andreas Tunek andreas.tunek at gmail.com
Wed Nov 18 20:37:30 UTC 2015 

2015-11-18 21:24 GMT+01:00 Adam Williamson <adamwill at fedoraproject.org>:
> On Wed, 2015-11-18 at 15:09 -0500, Adam Jackson wrote:
>> On Wed, 2015-11-18 at 11:53 -0800, Andrew Lutomirski wrote:
>>
>> > I don't understand.  If a user who has the right to act as root asks
>> > to authorize a program to run as root on their behalf, we should grant
>> > that request.  And, once we grant it, we shouldn't be
>> > passive-aggressive and say "sure you can run it, but no graphics for
>> > you!".
>>
>> The point is, if things in Fedora require "run this bit of GUI as root"
>> in order to function, we've done a poor job. That people have bad
>> habits already is not sufficient justification to encourage them to
>> have more.
>>
>> To the bug in question: probably we should make it so 'sudo gedit' does
>> work, but I'd still strongly discourage anyone from actually doing so.
>
> ISTR seeing some work lately in gvfs or gio or something which would
> allow GNOME-y things to acquire necessary perms for changes to files
> via PolicyKit when necessary.
>
> I've always thought this would be an entirely reasonable feature.
> There's no inherent security advantage in making people run a console
> editor as root instead of using their preferred graphical editor, if
> the graphical editor can use an appropriately restricted permission
> granting mechanism to do the job. I've certainly had times where I'd
> quite have liked to edit a system file with gedit rather than nano or
> vi.
> --

I find it quite hilarious that liveusb-creator wouldn't even start for
me the last time I tried it on F23. You can have the most secure
system in the world but if you can't do what you want to do, what is
the point.

And there is quite a big leap to be able to use the command line
tools, I really do not think most normal users would be able to do
that.

/Andreas

> Adam Williamson
> Fedora QA Community Monkey
> IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . net
> http://www.happyassassin.net
>
>
> --
> devel mailing list
> devel at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/devel
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

More information about the devel mailing list