[sf-lug] running X11 graphical applications with root-user authority? 8-O Re: GKsu has long been EOLed (was: no more sudo for Ubuntu 18.04)

Michael Paoli Michael.Paoli at cal.berkeley.edu
Thu Feb 14 13:14:15 PST 2019


Yes, in general, and to the extent feasible, DO NOT RUN GUI/X STUFF
AS SUPERUSER (UID 0, "root").  Period.  Most of the time there's just
no need to.  And unnecessarily doing so exposes one to otherwise
avoidable security and other risks.

I find in practice it's quite rare I do or have need to do any GUI or
GUI app stuff as root.

Heck, if you like sudo and are already in your GUI environment and
for some reason don't want to go to a text console, you
certainly don't need some root-level GUI stuff.
$ sudo vi some_file
will do quite nicely.  Or if one wants/needs/prefers, something like:
$ sudo su - root -c 'vi some_file'
$ su vi some_file
$ su - root -c 'vi some_file'
... or replace vi in the above with your favorite (nvi) text editor (
or instead launch an operating system such as emacs - just needs a
good editor).

and rearranging a bit:

> From: "Rick Moen" <rick at linuxmafia.com>
> Subject: [sf-lug] GKsu has long been EOLed (was: no more sudo for  
> Ubuntu 18.04)
> Date: Wed, 13 Feb 2019 13:48:42 -0800

> But the real question you should be asking is 'Why the Gehenna am I
> running X11 graphical applications with root-user authority?'  It's
> dangerous to your security to needlessly run large graphical
> applications with root authority, for gosh sakes.  Why on _earth_ would
> you be doing that in the first place?

> and on.[1]  Personally, _if_ I needed to run an X application with root
> authority (a matter I'll return to, below), I'd just do 'ssh -Y
> root at localhost' and then './some-x11-app &' to launch some-x11-app with
> root authority.  (This requires having an sshd running, which you can
> restrict to localhost-access only.)
>
> I expect the lame excuse I'd hear would be 'I had to elevate the
> authority of the GNOME GEdit text editor to root privilege in order to
> edit a configur root-owned text file in one of the system directories.'
> No, you didn't.  Open a console, and use some nice little text editor
> like nano (with sudo if you like sudo, or su to root if not)...

> [1] http://linuxmafia.com/faq/Security/root-with-x11.html




More information about the sf-lug mailing list