Commit 9adcebd3 authored by Martin Flöser's avatar Martin Flöser

Disallow executing kate and kwrite as root on Linux

Summary:
Running GUI applications as root is a huge security risk. Especially
the X server is not secured for that. Non-root applications can easily
interact with a root running application and thus try to exploit simple
bugs in either kate/kwrite itself or in the underlying libraries such
as Qt, XLib or xcb.

In addition kate can be abused to just open the konsole window and any
command can be entered using the XTest extension. This was demonstrated
for dolphin in [1]. The application itself cannot do anything to protect
against it.

On Wayland the situation can be considered worse as the compositor is
running as the normal user and is not protected to handle root windows.
It can be rather trivial to attack the root running application from the
compositor through interfaces such as scripting. Protecting against this
is not in the aim of the compositors.

The common use case why users start editors as root is to edit root
owned files. This is a valid use case, but there is no need to run the
application as root. Instead one can use sudoedit to run the application
as user and still be able to edit as root.

This change introduces a check whether the application is started as
root before any interaction with X or Wayland happens, that is prior to
creating the QApplication. If it is detected that we run as root, we
exit and print information about how to properly edit a file as root
in kwrite/kate. The text is deliberately not translated to keep
the threat from running as root as low as possible.

The output is:
martin@martin-desktop: ~ $ sudo /opt/kf5/bin/kate
Executing Kate as root is not possible. To edit files as root use:
SUDO_EDITOR=kate sudoedit <file>
martin@martin-desktop: ~ $ sudo /opt/kf5/bin/kwrite
Executing Kate as root is not possible. To edit files as root use:
SUDO_EDITOR=kwrite sudoedit <file>

[1] http://git.net/ml/kwrite-devel/2016-01/msg00011.html

Test Plan: See output

Reviewers: #kate

Subscribers: kwrite-devel

Differential Revision: https://phabricator.kde.org/D4634
parent 87e254b2
......@@ -51,9 +51,24 @@
#include "qtsingleapplication/qtsingleapplication.h"
#endif
#ifndef Q_OS_WIN
#include <unistd.h>
#endif
#include <iostream>
int main(int argc, char **argv)
{
#ifndef Q_OS_WIN
/**
* Check whether we are running as root
**/
if (getuid() == 0) {
std::cout << "Executing Kate as root is not possible. To edit files as root use:" << std::endl;
std::cout << "SUDO_EDITOR=kate sudoedit <file>" << std::endl;
return 0;
}
#endif
/**
* init resources from our static lib
*/
......
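Review bot: The guard `if (getuid() == 0)` tests only the real UID, so a process whose effective UID is 0 while its real UID is non-zero (a setuid-root binary, or a wrapper that only swaps the effective ID) still gets past this check and goes on to create the QApplication; check `geteuid()` alongside `getuid()`, e.g. `if (getuid() == 0 || geteuid() == 0)`. The refusal path also ends with `return 0` and writes the message to `std::cout`, so a caller such as `sudo kate file && ...` sees a successful exit and continues as if the editor had run; a refusal is an error condition and should return a non-zero status and print to `std::cerr`.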
......@@ -42,8 +42,23 @@
#include "../urlinfo.h"
#ifndef Q_OS_WIN
#include <unistd.h>
#endif
#include <iostream>
extern "C" Q_DECL_EXPORT int main(int argc, char **argv)
{
#ifndef Q_OS_WIN
/**
* Check whether we are running as root
**/
if (getuid() == 0) {
std::cout << "Executing Kwrite as root is not possible. To edit files as root use:" << std::endl;
std::cout << "SUDO_EDITOR=kwrite sudoedit <file>" << std::endl;
return 0;
}
#endif
/**
* Create application first
* Enforce application name even if the executable is renamed
......
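Review bot: This block is a verbatim copy of the check added to kate's `main`, including the same `return 0` on refusal and the same real-UID-only `getuid()` test, so any later fix (adding `geteuid()`, changing the exit status) has to be made twice; factor the check into one shared helper that both executables call before creating the application. Separately, the literal here reads `"Executing Kwrite as root is not possible."`, while the kwrite sample output quoted in the commit description reads `Executing Kate as root is not possible.`; one of the two is stale and the description should be updated to match the code.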