Posted on 17. February 2017 by Martin Gräßlin
Editing files as root
For years I have told people to not start Kate as root to edit files. The normal response I got was “but I have to edit this file”. The problem with starting GUI applications as root is that [color=#ff3333]X11 is extremely insecure and it’s considerable easy for another application to attack this.[/color]
An application like Kate depends on libraries such as Qt. Qt itself disallows running as an setuid-app:
Qt is not an appropriate solution for setuid programs due to its large attack surface.
If Qt is not an appropriate solution for command line arguments running as root, it’s also not an appropriate solution for running GUI applications. And Qt is just one of the dependencies of graphical applications. There is obviously also xcb, Xlib, OpenGL, xkbcommon, etc. etc.
So how can another application attack an application running as root? A year ago I implemented a simple proof of concept attack against Dolphin. The attack is waiting for dolphin getting started as root. As soon as it starts, it uses the [color=#ff3333]XTest extension to fake input[/color], enable the embedded konsole window and type into it.
This is just one example. [color=#ff3333]The elephant in the room is string handling, though. Every X11 window has many window properties and every process can write to it.[/color] We just have to accept that string handling is complex and can easily trigger a crash.
Luckily there is no need for editing a file to run the editor as root. [color=#ff3333]There is a neat tool called sudoedit.[/color] That does the magic of starting the editor as the user and takes care of storing the file as root when you save.
Today I pushed a change for Kate and KWrite which does no longer allow to be run as root. Instead it educates the user about how to do the same with sudoedit.
Now I understand that this will break the workflow for some users. But with a minor adjustment to your workflow you get the same. In fact it will be better, because the Kate you start is able to pick up your configured styling. And it will also work on Wayland. And most importantly it will be secure.
[color=#ff3333]I am also aware that if you run an application which is malicious you are already owned[/color]. I think that we should protect nevertheless.