Re: Privileged File Access from Desktop Applications

["Perry E. Metzger" <perry () piermont com>]

On Thu, 11 Jul 2019 07:51:17 +0000 Malte Kraus <malte.kraus () suse com>
wrote:
> Hi Perry,
>
> On Tue, 2019-07-09 at 11:30 -0400,  Perry E. Metzger wrote:
> > Can you explain (or point to) a description of why this is a
> > problem?  
> I'm not sure what exactly breaks, just that it does, see e.g. [1]
> [2] [3]. Since we're talking about root it's not a matter of
> technical impossibility, but a decision not to write the code to
> make it work.
>
> From a security perspective that seems like a great improvement.
> Even if it should be the case that some programs don't follow best
> practices re "least privileges", at least it's not the whole
> application running as root.
>
> 1: 
> https://wiki.archlinux.org/index.php/Running_GUI_applications_as_root#Wayland
> 2: 
> https://wiki.debian.org/Wayland#I.27m_accustomed_to_running_various_programs_.28e.g._synaptic.29_as_root_in_my_X_session.__How_will_this_work_under_Wayland.3F
> 3: 
> https://fedoraproject.org/wiki/How_to_debug_Wayland_problems#Graphical_applications_can.27t_be_run_as_root_from_terminal

So these links seem to say that things have been structured so you
*can't* run GUI apps as root, not that there is a special or unusual
security problem in Wayland if you run an application as root; if
you logged in as root, you could run GUI applications as root. That's
rather different from the original statement. Am I misunderstanding?

Perry
-- 
Perry E. Metzger                perry () piermont com