markg added a comment.
- "You broke my workflow using `sudo dolphin` to edit root-owned files."
- "You broke my use of a root GUI session in $DISTRO."
These are good reactions. Not so good reactions are sending hate mails to developers. If that happens I cannot take them seriously. I tried to look up one of the incidents, but I cannot find it on google+ anymore. This has nothing to do with us changing something users dislike. We do that constantly. Any change angers users. You will someday also notice this. You are relatively young in the KDE business. With time you will notice that you make changes that anger your users. You do something which improves things and it angers some other users. That's something which happens and we have to live with it. We just cannot please all users. The important question is how you react to the change: explain the use cases you have or just let out your anger at random persons. In the latter case it's to me a clear sign that you don't have real arguments.
I did the change in kate with the information about sudoedit which motivated the change in dolphin AFAIK. This broke people's workflows. It broke them really hard. Nevertheless the overwhelming feedback I got was: "wow awesome I didn't know that sudoedit exists, that's much better than my workflow before." It's totally fine to question users' workflows. With the change in kate I questioned the workflow of running the gui to edit as root in general. That would also be the answer to the first question. You need to edit files as root? Use sudoedit.
Now instead of trying to support the users' workflow of running the complete session as root I would question it. Why do they run it as root? What's the real use case they have for it? Maybe there is no need, maybe they don't need it and their workflow improves when we can suggest something better to them? If I get a request for a new feature I normally ask what's the actual use case for it. Very often I have a feeling things are requested out of ignorance of how else something can be achieved. We don't need to follow and implement everything for the sake of usability. Usability is also questioning the users and providing the best workflow for them. And that might not be the workflow they are used to. I question that running a session as root is the best workflow for the issues users try to solve with it.
Yes I used to do that 15 years ago as well. I logged into the suse session as root to do stuff. That was before I learned about sudo, before polkit existed. Workflows change and that's a good thing. I learned that using Kubuntu with sudo is much easier than logging in as root. It was new to me, I wasn't used to the concept of not having a root user. But my workflows improved. They improved because the distribution took away a part I used to have.
It's great if there are better alternatives and in the case of kate it looks good. I also didn't know about sudoedit and it seems to be a good tradeoff between security and usability as you get both.
In the case of dolphin you really are destroying a workflow with no alternative.
Some cases where I had to run as root before.
1. A while ago (I don't know when or which update) some update completely ruined my plasma setup. I had to start in either gnome or openbox to remove some configuration files for them to be re-generated.
In this case I did that in a new gui session as root. I believe I started thunar (which shows a warning if you run it as root but allows it) and that is because dolphin wasn't running!
Sure, I could've done this completely on the terminal and just rm the files I wanted to remove. I also could have logged in as the same user under either gnome or openbox, which would also have worked (with the risk of seeing errors in .xsession-errors that were not from Plasma, or just more difficulty in general figuring out what caused an issue). To not pollute those logs with unrelated stuff I logged in as root. Imho, a very valid use case.
2. Another more recent use case was setting up a home media kodi thingy on an odroid. It all just runs as root. That is a given and just how that particular image worked. Now I had a need to look up something so I installed a login manager, openbox and dolphin and ran openbox on there for a moment. When I wanted to start dolphin from the command line I was greeted with the message: "Executing Dolphin as root is not possible."... We both can come up with a dozen reasons to work around this, but it really makes very little sense to go through those hoops on a single-user device (which the _vast_ majority of plasma users is [1]).
In both cases either the command line or thunar was my "fix", but I think the above cases are very valid ones. Ones you break for a really minor, insignificant security hole that we've been living with for as long as X11 exists (I think).
It's great that you focus on security, more people should do that! In that regard, lots of kudos for that mentality! :)
But you can also go too far. In my opinion blocking dolphin to run under root is a step too far.
You would also have to run a malicious application which is quite unlikely if you stick to vendor packages (but sure, there probably is a very small chance that a malicious package lands in the dist repository).
In all you have to weigh the pros and cons.
The chance that you get infected by a malicious application that does actually exploit this vulnerability is in my opinion really really really slim.
There are much more possible exploits for that: https://www.exploit-db.com/local/
I don't think the cons (allow dolphin to run as root) outweigh the pros (security).
[1] I don't have numbers but I'm very sure the vast majority of plasma users is the only user on that specific hardware.
REPOSITORY
R318 Dolphin
REVISION DETAIL
https://phabricator.kde.org/D12795
To: ngraham, markg, elvisangelaccio, #dolphin
Cc: chinmoyr, cfeck, elvisangelaccio, mmustac, Fuchs, markg, graesslin, nicolasfella, zzag, kfm-devel, emmanuelp, spoorun, navarromorales, isidorov, firef, andrebarros