<p>I thought bonobo was long since deprecated...</p>
<p>--<br>
Sent from my HTC Dream---Running Froyo!<br>
Thanks, @cyanogen!</p>
<p>On Aug 1, 2010 1:13 PM, "Jim Kinney" <<a href="mailto:jim.kinney@gmail.com">jim.kinney@gmail.com</a>> wrote:<br type="attribution">> risk vs cost. It's a very valid analysis. One thing I have found with the<br>
> RHEL/CentOS Fedora world is the gui's needed to do things for admin stuff<br>> are all named system-config-*. This means it's easy to pop up a gnome<br>> terminal, su - root, and run the gui command from a normal user account X<br>
> session. This has also been deemed relatively safe as now the (growing)<br>> security in Xorg can follow the UID tags and see that root owns a data<br>> stream and can add the protections from the rest of the gui environment.<br>
> <br>> For me, being able to switch to an admin role while on my normal desktop<br>> WITHOUT having to login as a root user is a key aspect of my happy factor<br>> with the Linux setup. Windows made me completely leave the environment where<br>
> I notice the need for a change but Linux lets me make the change with the<br>> relevant data still available and ready for testing.<br>> <br>> The different gui environments have their own security issues. I would<br>
> expect that whatever tool/lib handles the interprocess-communication layer<br>> is the most vulnerable and difficult to secure. For Gnome, that's bonobo.<br>> The last time I looked, bonobo could leak data between users as it relied on<br>
> relatively weak security controls.<br>> <br>> Since I use both single user Linux system as well as manage multi-user<br>> servers, I have a split view of desktop security.<br>> <br>> On Sun, Aug 1, 2010 at 10:29 AM, William Fragakis <<a href="mailto:william@fragakis.com">william@fragakis.com</a>>wrote:<br>
> <br>>> Since I invited this flame-fest....<br>>><br>>> Let's define "bad", to borrow from my wife, is this "cross the double<br>>> yellow line" bad or "I'm driving across the mall parking lot without my<br>
>> seatbelt" bad?<br>>><br>>> Both, violate rules of safety. One will get you killed in about 2<br>>> minutes, the other, probably not.<br>>><br>>> Most things we do in life involve inherent risks. A ride down the<br>
>> interstate and seeing the crosses and flowers on the side is a ready<br>>> reminder.<br>>><br>>> Those of us who feel the need/convenience to 'that which can not be<br>>> said', aren't doing so we can log into our facebook accounts with<br>
>> ies4linux. Some things can be done completely from the CLI, some things<br>>> by su/sudo and some things for us who've been using a mouse-based GUI<br>>> for 24 years are much easier for the 15-20 minutes we need it if we can<br>
>> get to a full-blown desktop.<br>>><br>>> Mind you, I'm not the systems admin for a Fortune 500 company. I just<br>>> have a couple boxes in the basement. My skill set is at a basement level<br>
>> as well.<br>>><br>>> Say, I'm messing about setting up a separate drive for my VMs, creating<br>>> the VMs, messing about with samba, editing a few .confs etc. and - God<br>>> forbid - having to consult Google when I hit a roadblock. For me, it's a<br>
>> heck of a lot easier to fire up a desktop for root so I don't have to<br>>> deal with su'ing 5 different programs. The automatic response is "you<br>>> shouldn't, you should do each one, separately." To those of us who've<br>
>> somehow used a desktop for decades with admin privileges without<br>>> incident, that response is a bit Jobsian ("learn to hold your phone<br>>> differently, it's not the phone's fault").<br>
>><br>>> Could I get hacked or attacked or pooch my system in those 20 minutes?<br>>> Sure. But, in 20 minutes on the road, I could easily have a serious auto<br>>> crash. It's much more probable that 20 minutes on any Atlanta interstate<br>
>> could involve me in a serious crash (during the school year, I'm on the<br>>> Connector everyday, so I don't feel like I'm overstating the odds) than<br>>> having my system get borked in the same amount of time.<br>
>><br>>> I'd even go further to say that if having a root graphical interface is<br>>> inherently something that should never be done, then the graphical stack<br>>> is too fragile.<br>>><br>
>> Just for fun, I looked up X11 and Xorg security advisories. I realize<br>>> that there are more elements to a GUI than that but the list isn't<br>>> unsettling for my usage.<br>>> <<br>>> <a href="http://www.x.org/wiki/Development/Security?action=show&redirect=SecurityPage">http://www.x.org/wiki/Development/Security?action=show&redirect=SecurityPage</a><br>
>> ><br>>><br>>> Again, I get that if I'm running the system of something where if things<br>>> go bad people lose their jobs or die, I need to be really, really<br>>> careful and not log in as root. But let's be somewhat realistic on what<br>
>> "bad" is. &lt;begin playful sarcasm&gt;Otherwise, I fully expect that should I<br>>> see you driving about town that you'll be using your HANS head restraint<br>>> device and have environmentally safe foam peanuts up to your<br>
>> windows.&lt;/bps&gt;<br>>><br>>> And, &lt;more bps&gt;considering how many Libertarians there are on this list<br>>> who haven't risen to the defense of my doing something stupid being my<br>
>> own concern, I'm shocked. ;-) &lt;/more bps&gt;<br>>><br>>> Now, let me go get my Nomex suit before the responses come hurtling in.<br>>><br>>> regards,<br>>> William<br>>><br>
>> Message sent from my reinforced concrete bunker from an account that<br>>> barely had enough privileges to even use the keyboard.<br>>><br>>><br>>><br>>> On Sun, 2010-08-01 at 08:22 -0400, Greg Freemyer wrote:<br>
>> > kdesu works in kde.<br>>> ><br>>> > I use it from time to time.<br>>> ><br>>> > Greg<br>>> ><br>>> > On 7/31/10, Richard Bronosky <<a href="mailto:Richard@bronosky.com">Richard@bronosky.com</a>> wrote:<br>
>> > > While I agree with the sentiments of this message, the subject is just<br>>> > > plain wrong. Running *stuff* as root *is not* bad. Running<br>>> > > *everything* as root *is* bad. That is exactly what happens when you<br>
>> > > log into GUI [display manager|window manager|desktop<br>>> > > environment|whatever] (I don't know anything about the X.org stack. I<br>>> > > don't use GUIs) you run *everything* as yourself. You don't want that<br>
>> > > _yourself_ to be root. I could have sworn that back when I was doing<br>>> > > MythTV I used xfce or rat poison and I used a utility called Xsudo,<br>>> > > sudoX, or GnomeSudo. That was good for running the occasional app as<br>
>> > > sudo. I found that MythTV being graphical by nature forced me to do<br>>> > > this.<br>>> > ><br>>> > ><br>>> > > On 7/30/10, scott mcbrien <<a href="mailto:smcbrien@gmail.com">smcbrien@gmail.com</a>> wrote:<br>
>> > >> One of the big problems with other OS'es is that users log in as an<br>>> > >> account with administrative privileges. On those OS'es, when an<br>>> > >> application, being run by the user, runs amok (perhaps a web browser<br>
>> > >> executing badness from flash or java script?), that application runs<br>>> > >> amok with administrative rights. So when the application tries to<br>>> > >> mangle system files, libraries, etc. it can because administrators<br>
>> > >> could also modify said files. That's one example of why you don't want<br>>> > >> to log in as root, but there are many more, mostly because desktop<br>>> > >> environments like gnome run many many many processes and helper<br>
>> > >> applications each of which, when logged in as root, is given full<br>>> > >> administrative permission to do whatever they want on a system.<br>>> > >><br>>> > >> -Scott<br>
>> > >><br>>> > >> On Fri, Jul 30, 2010 at 7:05 PM, William Fragakis <<br>>> <a href="mailto:william@fragakis.com">william@fragakis.com</a>><br>>> > >> wrote:<br>>> > >>> Nautilus, for one ;-)<br>
>> > >>><br>>> > >>> GParted can do some interesting things, too, I'd gather but I've<br>>> never<br>>> > >>> tried (to do "interesting things"). Gedit can make your day exciting<br>
>> as<br>>> > >>> well. Personally, I can easily do as much damage from the CLI if not<br>>> > >>> more.<br>>> > >>><br>>> > >>> I do find it easy sometimes to actually have a root Desktop although,<br>
>> on<br>>> > >>> this esteemed list, I'm probably in a distinct minority.<br>>> > >>><br>>> > >>> If something bad happens, I was never here.<br>>> > >>> regards,<br>
>> > >>> William<br>>> > >>><br>>> > >>> On Fri, 2010-07-30 at 18:49 -0400, Drifter wrote:<br>>> > >>>> Thanks, this seems to work.<br>>> > >>>> But you have to admire the warning label that pops up before the GUI<br>
>> > >>>> actually appears on the screen:<br>>> > >>>><br>>> > >>>> "You are currently trying to run as Root super user. The superuser<br>>> is a<br>
>> > >>>> specialized account that is not designed to run a normal user<br>>> session.<br>>> > >>>> Various programs will not function properly and actions performed<br>>> under<br>
>> > >>>> this account can cause unrecoverable damage to the operating<br>>> system."<br>>> > >>>><br>>> > >>>> No hint, of course, as to what sorts of programs can cause the<br>
>> damage.<br>>> > >>>><br>>> > >>>> Sean<br>>> > >>>><br>>> > >>>> On Friday, July 30, 2010 06:13:33 pm William Fragakis wrote:<br>
>> > >>>> ><br>>> <a href="http://blog.ask4itsolutions.com/2010/04/23/login-as-a-root-from-gui-fed">http://blog.ask4itsolutions.com/2010/04/23/login-as-a-root-from-gui-fed</a><br>>> > >>>> > ora-13/<br>
>> > >>>> ><br>>> > >>>> > Did this a couple of days ago.<br>>> > >>>> ><br>>> > >>>> > Use at your own risk, owner assumes all liabilities, etc. etc.<br>
>> > >>>> ><br>>> > >>>> > On Fri, 2010-07-30 at 17:32 -0400, Drifter wrote:<br>>> > >>>> > > There are times when I need to do things as root that are -- for<br>
>> me<br>>> > >>>> > > -- much easier to do using the GUI apps rather than the command<br>>> line.<br>>> > >>>> > > Years ago on a Red Hat install, root actually had a directory in<br>
>> > >>>> > > /home and I could log into the system as root and have the GUI.<br>>> > >>>> > ><br>>> > >>>> > > This FC13 install doesn't provide that feature. I can create, as<br>
>> > >>>> > > root, a directory in /home. That's easy enough. But what do I<br>>> have<br>>> > >>>> > > to do so that I can log in as root directly just as I log into<br>
>> my<br>>> > >>>> > > regular user account? If I try to log in as root now, the system<br>>> > >>>> > > just laughs at me.<br>>> > >>>> > ><br>
>> > >>>> > > Clearly I am missing several steps in the process.<br>>> > >>>> > ><br>>> > >>>> > > Sean<br>>> > >>>> > > _______________________________________________<br>
>> > >>>> > > Ale mailing list<br>>> > >>>> > > <a href="mailto:Ale@ale.org">Ale@ale.org</a><br>>> > >>>> > > <a href="http://mail.ale.org/mailman/listinfo/ale">http://mail.ale.org/mailman/listinfo/ale</a><br>
>> > >>>> > > See JOBS, ANNOUNCE and SCHOOLS lists at<br>>> > >>>> > > <a href="http://mail.ale.org/mailman/listinfo">http://mail.ale.org/mailman/listinfo</a><br>>> > >>>> ><br>
>> > >><br>>> > ><br>>> > > --<br>>> > > Sent from my mobile device<br>>> > ><br>>> > > .!# RichardBronosky #!.<br>>> > ><br>>> ><br>>><br>
>><br>> <br>> <br>> <br>> -- <br>> -- <br>> James P. Kinney III<br>
> I would rather stumble along in freedom than walk effortlessly in chains.<br></p>