Comments on: Using sudo with graphical apps is bad, mmmkay? http://myrtti.fi/blog/2008/11/11/using-sudo-with-graphical-apps-is-bad-mmmkay/ Nerdette ravings Mon, 02 Jan 2012 20:36:07 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Kevin Chadwick http://myrtti.fi/blog/2008/11/11/using-sudo-with-graphical-apps-is-bad-mmmkay/comment-page-1/#comment-2842 Kevin Chadwick Fri, 28 Oct 2011 14:47:49 +0000 http://myrtti.fi/blog/?p=438#comment-2842 There's a few things here. A gui app may update lots of config files and be expected to run as a normal user so you may end up with files that can no longer be changed by a normal user. The environment issue, well you should run apps via the console with their full path. e.g /usr/bin/sudo /bin/ls Synaptic will be designed for root use but is far less secure than using /usr/bin/apt-get Some programs shouldn't be run or be allowed to run via sudo at all, even /bin/more the sudoers NOEXEC option can help but is no complete fix. See vi versus sudoedit. Still it's better than running your whole OS as a Windows Admin. There’s a few things here. A gui app may update lots of config files and be expected to run as a normal user so you may end up with files that can no longer be changed by a normal user.

The environment issue, well you should run apps via the console with their full path. e.g /usr/bin/sudo /bin/ls

Synaptic will be designed for root use but is far less secure than using /usr/bin/apt-get

Some programs shouldn’t be run or be allowed to run via sudo at all, even /bin/more the sudoers NOEXEC option can help but is no complete fix. See vi versus sudoedit.

Still it’s better than running your whole OS as a Windows Admin.

]]> By: enliblendof http://myrtti.fi/blog/2008/11/11/using-sudo-with-graphical-apps-is-bad-mmmkay/comment-page-1/#comment-1410 enliblendof Fri, 19 Dec 2008 18:31:26 +0000 http://myrtti.fi/blog/?p=438#comment-1410 The good resource is informative and actual The good resource is informative and actual

]]> By: John P http://myrtti.fi/blog/2008/11/11/using-sudo-with-graphical-apps-is-bad-mmmkay/comment-page-1/#comment-1295 John P Wed, 12 Nov 2008 00:43:59 +0000 http://myrtti.fi/blog/?p=438#comment-1295 This depends on how you have sudo configured. Use sudo -H to set home to ~root when you use sudo. Or configure this, and other environment settings, in your sudoers file. Using the xauth PAM module, it is even possible to get sudo to create its own copy of the .Xauthority file. In fact, Fedora Core used to configure su that way (and may still do so, I mostly use Ubuntu now). So why does this advise apply to GUI apps, but not console apps? I'm not sure that blindly running non-GUI applications as root with the user's environment set is any safer -- in either case it depends upon the behaviour of the individual application and which config files it reads/writes. This depends on how you have sudo configured.

Use sudo -H to set home to ~root when you use sudo. Or configure this, and other environment settings, in your sudoers file.

Using the xauth PAM module, it is even possible to get sudo to create its own copy of the .Xauthority file. In fact, Fedora Core used to configure su that way (and may still do so, I mostly use Ubuntu now).

So why does this advise apply to GUI apps, but not console apps? I’m not sure that blindly running non-GUI applications as root with the user’s environment set is any safer — in either case it depends upon the behaviour of the individual application and which config files it reads/writes.

]]> By: Troels Liebe Bentsen http://myrtti.fi/blog/2008/11/11/using-sudo-with-graphical-apps-is-bad-mmmkay/comment-page-1/#comment-1293 Troels Liebe Bentsen Tue, 11 Nov 2008 23:02:42 +0000 http://myrtti.fi/blog/?p=438#comment-1293 sudo on some GUI apps can be useful, fx. sudo gvim /boot/grub/menu.lst is much better than gksudo gvim /boot/grub/menu.lst Since with sudo my environment stays the same, meaning all my .vim* configurations from my normal user is used, giving me highlighting and other nice things. And you could properly find other apps were this would be the case as well. sudo on some GUI apps can be useful, fx.

sudo gvim /boot/grub/menu.lst

is much better than

gksudo gvim /boot/grub/menu.lst

Since with sudo my environment stays the same, meaning all my .vim* configurations from my normal user is used, giving me highlighting and other nice things. And you could properly find other apps were this would be the case as well.

]]> By: David Edmundson http://myrtti.fi/blog/2008/11/11/using-sudo-with-graphical-apps-is-bad-mmmkay/comment-page-1/#comment-1291 David Edmundson Tue, 11 Nov 2008 22:29:53 +0000 http://myrtti.fi/blog/?p=438#comment-1291 I'm not convinced you're right. Running any application as root when it's not needed is bad, because there's more to go wrong, and it has potential to mess up permissions on config files used by your editor. However running kdesu[do] is still runnning the next application as root. sudoedit is the best solution. It copies the file (as root) to a temporary location. Lets you edit the file (as yourself in the editor of your choice) Then on exit, copies the file back (as root). That way as much as possible isn't running as root. I’m not convinced you’re right.

Running any application as root when it’s not needed is bad, because there’s more to go wrong, and it has potential to mess up permissions on config files used by your editor. However running kdesu[do] is still runnning the next application as root.

sudoedit is the best solution. It copies the file (as root) to a temporary location. Lets you edit the file (as yourself in the editor of your choice) Then on exit, copies the file back (as root).

That way as much as possible isn’t running as root.

]]> By: Miia Ranta » Daily Digest for 2008-11-11 http://myrtti.fi/blog/2008/11/11/using-sudo-with-graphical-apps-is-bad-mmmkay/comment-page-1/#comment-1290 Miia Ranta » Daily Digest for 2008-11-11 Tue, 11 Nov 2008 22:00:44 +0000 http://myrtti.fi/blog/?p=438#comment-1290 [...] Published a blog post. Using sudo with graphical apps is bad, mmmkay? [...] [...] Published a blog post. Using sudo with graphical apps is bad, mmmkay? [...]

]]> By: Peng’s links for Tuesday, 11 November « I’m Just an Avatar http://myrtti.fi/blog/2008/11/11/using-sudo-with-graphical-apps-is-bad-mmmkay/comment-page-1/#comment-1289 Peng’s links for Tuesday, 11 November « I’m Just an Avatar Tue, 11 Nov 2008 20:10:23 +0000 http://myrtti.fi/blog/?p=438#comment-1289 [...] Rhodes: The evolution of open source softwareDaniel Holbach: Combining Bug Jams and Packaging JamsMiia Ranta: Using sudo with graphical apps is bad, mmmkay?Emma Jane Hogbin: Screen casts: now with fade [...] [...] Rhodes: The evolution of open source softwareDaniel Holbach: Combining Bug Jams and Packaging JamsMiia Ranta: Using sudo with graphical apps is bad, mmmkay?Emma Jane Hogbin: Screen casts: now with fade [...]

]]> By: Jonathan http://myrtti.fi/blog/2008/11/11/using-sudo-with-graphical-apps-is-bad-mmmkay/comment-page-1/#comment-1286 Jonathan Tue, 11 Nov 2008 17:48:49 +0000 http://myrtti.fi/blog/?p=438#comment-1286 I've always wondered about this. My only question was I thought "they" were getting rid of gksudo. Or were they just replacing the previous/current implementation for accessing administrative graphical items like Synaptic and Services via gksudo with PolicyKit? Meaning, will gksudo still be around once PolicyKit is in full-swing? On a side note, it would be very helpful to have a button accessible in graphical apps like gedit where you could click it and change the process to an administrative-level app. Similar to what PolicyKit does actually. I’ve always wondered about this. My only question was I thought “they” were getting rid of gksudo. Or were they just replacing the previous/current implementation for accessing administrative graphical items like Synaptic and Services via gksudo with PolicyKit? Meaning, will gksudo still be around once PolicyKit is in full-swing?

On a side note, it would be very helpful to have a button accessible in graphical apps like gedit where you could click it and change the process to an administrative-level app. Similar to what PolicyKit does actually.

]]> By: jldugger http://myrtti.fi/blog/2008/11/11/using-sudo-with-graphical-apps-is-bad-mmmkay/comment-page-1/#comment-1285 jldugger Tue, 11 Nov 2008 17:42:00 +0000 http://myrtti.fi/blog/?p=438#comment-1285 The problem is that the user's local environment could leak a pathway from the internet to root. Visit some flash website in firefox, which makes a sneaky write to a config file; then run some gui app via sudo that reads from the config file. At that point, any vulnerability in the app may lead to root exploitation. The problem is that the user’s local environment could leak a pathway from the internet to root. Visit some flash website in firefox, which makes a sneaky write to a config file; then run some gui app via sudo that reads from the config file. At that point, any vulnerability in the app may lead to root exploitation.

]]> By: Little Girl http://myrtti.fi/blog/2008/11/11/using-sudo-with-graphical-apps-is-bad-mmmkay/comment-page-1/#comment-1284 Little Girl Tue, 11 Nov 2008 16:52:41 +0000 http://myrtti.fi/blog/?p=438#comment-1284 Hey there, Another good page on this: https://help.ubuntu.com/community/RootSudo And to muddy the waters a bit more, from Hardy Heron 8.04 to the present, the correct command in Kubuntu is: kdesudo kate In previous releases of Kubuntu, kdesu kate will do the trick. Hey there,
Another good page on this:

https://help.ubuntu.com/community/RootSudo

And to muddy the waters a bit more, from Hardy Heron 8.04 to the present, the correct command in Kubuntu is:

kdesudo kate

In previous releases of Kubuntu, kdesu kate will do the trick.

]]>