Where's Konqueror in SU
Karel Volný
kvolny at redhat.com
Mon Nov 2 13:26:12 UTC 2009
> I'd suggest that anyone who sets up a system without any user
> accounts _and_ somehow needs a GUI to configure the system
> _and_ can't manage to figure out the settings to change so
> they can login as root should probably not be pretending to
> be a competent administrator.

I guess the last part is not correct - he *can* login as root,
but *can not* run Konqueror as root ... that's a difference

oh, and also the original post was not about installing without
ordinary user accounts

well, but this is not the point - the point is, that someone who
supposes he's smarter than the others just disables a possibility
for the others

please, stop protecting other people from themselves - if they
want to risk being hurt, just let them get hurt ...

I've got a use case - what about using Konqueror to configure CUPS?

what is the security difference between doing

$ su -
# konqueror localhost:631

and

$ konqueror localhost:631
<supply root password to konqueror when asked for>

?

in the first case, if the attacker gets in control of Konqueror,
he can do rm -rf / directly; in the latter, he can capture root
password ... which may (or may not) be more valuable

> Are there not enough examples from Windows of why it's a
> terrible idea to run with full administrator privileges --
> especially software like web browsers?

I do not think that using Windows as an argument is worth it here

and do not forget that Konqueror is also a file browser, not just
web browser (oh, does everyone really have to do "cd /etc; vi
someconfigfile" in the text console?)

K.
--
Karel Volný
QE BaseOs/Daemons Team
Red Hat Czech, Brno
tel. +420 532294274
(RH: +420 532294111 ext. 8262074)
xmpp kavol at jabber.cz
:: "Never attribute to malice what can
:: easily be explained by stupidity."