On running gui applications as root
Przemek Klosowski
przemek.klosowski at nist.gov
Thu Nov 19 16:42:24 UTC 2015
On 11/19/2015 08:31 AM, Reindl Harald wrote:
>
>
> Am 19.11.2015 um 13:57 schrieb Simon Farnsworth:
>> Put another way: "sudo emacs /etc/hosts" will break under Wayland
>
> than wayland is currently not useable and ready to replace X11
>
> as user i don't care if the application needs to be fixed or wayland
> lacks whatever but given that there are a bazillion more applications
> compared to X11 versus wayland it's pretty clear where to start
I think you're arguing that the multitude of X applications does not
have fine-grained access controls, so they have to be given overall root
privilege---but this is the old OS security model that we've been moving
away from for years.
Adam's argument is that we should switch to fine-grained control, just
like we switched to fine-grained control with SELinux. We have to find
out why the GUI app legitimately requires elevated access and give it
just that access. Those 'horrible hacks' that you decry do exactly that:
isolate the root-level file access and arrange for it, while running the
entire GUI at non-privileged level.
This could be done in other ways too, e.g. by wrapping the GUI with a
script that adds user to root file's ACL, edits it and takes ACL away.
Your rsync mechanism is actually a perfect example: root access to files
on your target systems should be decoupled from root access on your
admin system.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/devel/attachments/20151119/24fe95af/attachment-0001.html>
More information about the devel
mailing list