https://bugs.kde.org/show_bug.cgi?id=179678

--- Comment #54 from Bo Weaver <b...@boweaver.com> ---
(In reply to Bo Weaver from comment #53)
> (In reply to Antonio Rojas from comment #51)
> > (In reply to Bo Weaver from comment #50)
> > > Created attachment 112015 [details]
> > > Screen Shot
> > > 
> > > When using kate from the CL you get this in the error.
> > > 
> > > "Executing Kate as root is not possible. To edit files as root use:
> > > SUDO_EDITOR=kate sudoedit <file>"
> > > 
> > > In many of the blogs it says to use this method.  The method doesn't 
> > > work. 
> > > Please see attached screen shot as evidence.
> > 
> > You are *still* trying to run it as root. You're supposed to do that as a
> > regular user. But in any case, that is obsolete, with a recent enough
> > ktexteditor you can edit root owned files by running kate as a regular user.
> 
> Dear Antonio Rojas
> 
> Clearly you didn't *read* my other posts.  You also didn't read my posts on
> the kate flaw thread either.  Of course I am *still* logged in as root.
> There are use cases where you *must* be logged in as root to perform your
> work properly.  Pen testing is one of these cases.  As a security
> researcher, pen tester, assessor, and security analyst for almost 30 years,
> I must ask "How do you test your code???"  Do you only use automated
> testing?  Clearly you do use the de facto industry standard distro (Kali)
> for pen testing to do manual testing of your code or you would understand
> the need for root access to applications.  If you are not manually testing
> your code with the manual tools used on a daily basis by hackers then this
> is a greater security risk than having Kate or Dolphin running as root.
> This is an EPIC FAIL on your part.  Please remember, Mr. Coder, I do this
> for a living.  You have failed your assessment.  Your reply has just shown
> KDE developers are not properly manually auditing their code.
> 
> Let's talk about the attachment I sent in.  The error says use SUDO_EDITOR.
> Well, what if sudo is set up to be run with NO PASSWORD?  If an attacker
> gains access to the system under a normal user with sudo rights then this
> command can be run and root access gained through the embedded Konsole
> without the use of a PASSWORD!  On AWS systems the ubuntu account is set up
> in this manner.  So your workaround is more dangerous than what you are
> attempting to fix.  So you have "fixed" nothing, only broken the
> application from normal use.
> 
> I hate to repost but since you didn't read my reply on the other thread here
> it is again.
> 
> Here's a BIG technical reason for this to be changed back.
> 
> Root is a "system level" account, not a user account, under control of the
> OS and not the desktop.  Root is to have full access to every process and
> application.  This has been a UNIX standard since the 1970s.  KDE is NOT a
> system level process.  KDE is a desktop which runs in the Presentation and
> Application layers of the OSI model (You guys have heard of the 7 layers of
> the OSI model?)  The root account is part of the System layer of this
> model.  When developing an application the developer is not to screw with
> the system functions.  These embedded flaws do just that by breaking root
> access to these binaries.
> 
> Here's a suggestion...  Why don't developers take some courses in Linux
> Systems Engineering and learn the rules and standards that the operating
> systems are built by?  Clearly you all are not engineers or this would not
> be a problem and I would not be writing all this.  Take time to learn the
> OSI model that operating systems are designed by. 
> 
> One reason I was told for this change was Wayland now runs in the user
> space.  Yes, this is the case when logged in under a normal user account:
> the compositor runs under that account.  When logged in under a root
> account this is not the case; the compositor then runs under the root
> account just fine.  Download a copy of Kali with the GNOME DE and you'll
> see Wayland does run under root when you are root.  So this reason is
> flawed.
> 
> I have yet to get a reply on any of this from you all.
> 
> Again I am the guy you are attempting to "keep out" of your processes and
> again I will say this.  If I have hacked a box and have a normal user's
> access I am not going to attempt to hack a running kate or dolphin process
> running under root because THIS PROCESS CAN BE KILLED AT ANY TIME BY THE
> PERSON RUNNING THE PROCESS!  I will attempt to hijack a running SYSTEM
> PROCESS, not a user application.
> 
> And again I write this below.  sorry to keep repeating myself but you all
> don't seem to be listening.
> 
> People like myself that must be logged in as root for work understand the
> risk and are careful and paranoid while in root.  They also understand the
> risk and if anything bad happens they assume the risk.  People like myself
> only work under the root account to do the work needed and then change to
> a normal user account for normal use.  I don't need you to hold my hand
> and keep me safe.
> 
> Also I don't need someone who is not a qualified pen tester trying to
> "educate" me in my job or my workflow.  You're a coder, NOT a security
> person.  Please quit peeing in my pond and I will not pee in yours.
> 
> Yes, I know I am being *rude* again.  Well, Mr. Rojas, don't be rude and
> *read* what I have written and *don't* talk down to me like I am a noobie
> fool.
> 
> It is strange I keep getting noob replies on how to work but I have yet to
> get technical responses to the technical issues I have raised here.

I'd like to correct a typo.  I wrote:
"Clearly you do use the de facto industry standard distro (Kali) for pen
testing to do manual testing of your code or you would understand the need for
root access to applications."

It should read "you don't use".

I'd also like to point out that on the Bug Report sites for SuSE, Kali and
Kubuntu this is listed as a *Bug* not a feature.  It is only listed here as a
good idea.  SuSE has fixed this flaw in their repos.  Kubuntu is hoping you
will correct this and since KDE is not the default DE their answer is "use a
different DE".

Please load up a version of Kali with KDE as the DE and tell me your fix is
correct.
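As an added example (not code from the bug report, from KDE, or from the commenter), here is a check a defender could run over a sudoers file for the situation the comment raises: a NOPASSWD rule lets whoever holds that account run sudo, and therefore `SUDO_EDITOR=kate sudoedit <file>`, without a password. sudoedit itself opens a temporary copy of the file with the editor running as the invoking user and writes the copy back with root privileges afterwards, so the thing to audit is the passwordless grant, not the editor. The sudoers content, account names and command paths below are constructed for the example; group rules (`%name`) are reported but not expanded to members, and aliases and `#include` directives are out of scope.

```python
"""Audit sudoers rules for passwordless entries.

Added example (not part of the bug report or of KDE's code): given the text of
a sudoers file, list every command tagged NOPASSWD and answer whether a given
account could run sudoedit without a password. The sudoers content below is
constructed for the example, not taken from any real host.
"""
import re
from dataclasses import dataclass

# Constructed sample, NOT a real /etc/sudoers. Rule shape shown:
#   user  host = (runas) [NOPASSWD:|PASSWD:] command[, command ...]
SAMPLE_SUDOERS = """
# constructed sample sudoers
Defaults    env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
ubuntu  ALL=(ALL) NOPASSWD:ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app
alice   ALL=(root) sudoedit /etc/hosts
bob     ALL=(root) NOPASSWD: sudoedit /etc/motd, PASSWD: /bin/ls
"""

# user, host, optional "(runas)", then the command list with its tags
USER_SPEC = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)


@dataclass(frozen=True)
class SudoEntry:
    user: str      # user name or %group (groups are not expanded here)
    host: str
    runas: str
    nopasswd: bool
    command: str


def parse_sudoers(text):
    """Return one SudoEntry per command in the user-specification lines.

    Comments, blank lines and Defaults lines are skipped. Aliases and
    #include directives are out of scope for this example.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = USER_SPEC.match(line)
        if not m:
            continue
        nopasswd = False  # sudo's default: a password is required
        for item in m.group("cmds").split(","):
            item = item.strip()
            # A tag applies to this and every later command on the line
            # until another tag replaces it.
            while True:
                upper = item.upper()
                if upper.startswith("NOPASSWD:"):
                    nopasswd, item = True, item[len("NOPASSWD:"):].strip()
                elif upper.startswith("PASSWD:"):
                    nopasswd, item = False, item[len("PASSWD:"):].strip()
                else:
                    break
            entries.append(SudoEntry(m.group("user"), m.group("host"),
                                     m.group("runas") or "root",
                                     nopasswd, item))
    return entries


def passwordless_entries(entries):
    """Every command a principal may run without typing a password."""
    return [e for e in entries if e.nopasswd]


def allows_passwordless_sudoedit(entries, user):
    """True if `user` has an explicit rule letting sudoedit run without a
    password: either NOPASSWD: ALL or a NOPASSWD sudoedit rule.
    Group rules (%name) are not resolved, so False here is not proof."""
    for e in entries:
        if e.user != user or not e.nopasswd:
            continue
        if e.command == "ALL" or e.command.split()[:1] == ["sudoedit"]:
            return True
    return False


def report(text):
    """Human-readable audit lines, one per passwordless command."""
    return [f"{e.user} on {e.host} as ({e.runas}) NOPASSWD: {e.command}"
            for e in passwordless_entries(parse_sudoers(text))]


if __name__ == "__main__":
    for line in report(SAMPLE_SUDOERS):
        print(line)
    found = parse_sudoers(SAMPLE_SUDOERS)
    for who in ("ubuntu", "deploy", "alice", "bob"):
        print(who, "passwordless sudoedit:",
              allows_passwordless_sudoedit(found, who))
```

On a real host the same parser can be pointed at `/etc/sudoers` and the files under `/etc/sudoers.d`; a `NOPASSWD: ALL` grant on an account that is reachable with a key or a weak password is the finding worth raising, regardless of which editor the sudoers rule is exercised through.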
