Where's Konqueror in SU

FC12/KDE

Were is Konqueror in Root ?

Konqueror can only be run as User.

--
fedora-test-list mailing list
fedora-test-list@...
To unsubscribe:
https://www.redhat.com/mailman/listinfo/fedora-test-list

Jim wrote:
> FC12/KDE
>
> Were is Konqueror in Root ?
>
> Konqueror can only be run as User.
>
Same with gnome. Someone's misguided attempt to secure the system. It's
dead easy to install a system with no means to login to a GUI and
configure stuff.

All you need do is install sans user account.



--

Cheers
John

-- spambait
1aaaaaaa@...  Z1aaaaaaa@...
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)

--
fedora-test-list mailing list
fedora-test-list@...
To unsubscribe:
https://www.redhat.com/mailman/listinfo/fedora-test-list

Jim wrote:

> FC12/KDE
>
> Were is Konqueror in Root ?
>
> Konqueror can only be run as User.

kdesu konqueror

Or did you mean something else?

-- Rex


--
fedora-test-list mailing list
fedora-test-list@...
To unsubscribe:
https://www.redhat.com/mailman/listinfo/fedora-test-list

John Summerfield wrote:
> Same with gnome. Someone's misguided attempt to secure the system.
> It's dead easy to install a system with no means to login to a GUI
> and configure stuff.
>
> All you need do is install sans user account.

I'd suggest that anyone who sets up a system without any user accounts
_and_ somehow needs a GUI to configure the system _and_ can't manage
to figure out the settings to change so they can login as root should
probably not be pretending to be a competent administrator.

Are there not enough examples from Windows of why it's a terrible idea
to run with full administrator privileges -- especially software like
web browsers?

--
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
And oh, don't you know that I'm always feelin' able
When I'm sittin' home and I'm carving out your navel



--
fedora-test-list mailing list
fedora-test-list@...
To unsubscribe:
https://www.redhat.com/mailman/listinfo/fedora-test-list

>It's dead easy to install a system with no means to login to a GUI and
>configure stuff.

Boot to runlevel 3 and log in as root, then create the account you want
for graphical login ("useradd <worker-id>" and "passwd <worker-id>".

If things are so bad this does not work, boot to runlevel 1 and figure
out what is wrong, or re-install.

--
fedora-test-list mailing list
fedora-test-list@...
To unsubscribe:
https://www.redhat.com/mailman/listinfo/fedora-test-list

On Sun, 2009-11-01 at 07:15 -0500, Richard Ryniker wrote:
> >It's dead easy to install a system with no means to login to a GUI and
> >configure stuff.
>
> Boot to runlevel 3 and log in as root, then create the account you want
> for graphical login ("useradd <worker-id>" and "passwd <worker-id>".
>
> If things are so bad this does not work, boot to runlevel 1 and figure
> out what is wrong, or re-install.

Or hit Ctrl-Alt-F<n> and log in as root from a console.

poc

--
fedora-test-list mailing list
fedora-test-list@...
To unsubscribe:
https://www.redhat.com/mailman/listinfo/fedora-test-list

On 11/01/2009 07:18 AM, Patrick O'Callaghan wrote: I prefer Konqueror, I don't like using the Terminal when I'm showing a
new user how to do something in Linux, it scares them off.

--
fedora-test-list mailing list
fedora-test-list@...
To unsubscribe:
https://www.redhat.com/mailman/listinfo/fedora-test-list

On 11/01/2009 01:26 AM, Todd Zullinger wrote: Look guys, I didn't ask for a Lecture on how to do things your way, I
just ask where is Konqueror in Root.

--
fedora-test-list mailing list
fedora-test-list@...
To unsubscribe:
https://www.redhat.com/mailman/listinfo/fedora-test-list

On 11/01/2009 01:05 AM, Rex Dieter wrote: That is right Rex, but after you type in root password I still can't get
Konqueror.
Even if I login to Root There is still no Konqueror in root.

--
fedora-test-list mailing list
fedora-test-list@...
To unsubscribe:
https://www.redhat.com/mailman/listinfo/fedora-test-list

On Sun, 2009-11-01 at 09:53 -0500, Jim wrote:
If you re-read the thread, you'll see I wasn't addressing your original
post but replying to John Summerfield's comment about not having any way
of logging in as root when no user is configured.

poc

--
fedora-test-list mailing list
fedora-test-list@...
To unsubscribe:
https://www.redhat.com/mailman/listinfo/fedora-test-list

Jim wrote:

Wierd, works here.  Maybe try clearing stuff in root's ~/.kde dir  and/or
/var/tmp/kdecache-root

-- Rex

-- Rex


--
fedora-test-list mailing list
fedora-test-list@...
To unsubscribe:
https://www.redhat.com/mailman/listinfo/fedora-test-list

Rex Dieter wrote:

I just noticed an selinux denial when trying 'kdesu konqueror' on my f12
box, did you see anything selinux related?

-- Rex


--
fedora-test-list mailing list
fedora-test-list@...
To unsubscribe:
https://www.redhat.com/mailman/listinfo/fedora-test-list

On 11/01/2009 12:24 PM, Rex Dieter wrote: Yes I did and it's not related to kdesu konqueror. But it comes up
everytime I try to run kdesu konqueror.

Selinux is preventing the /usr/lib/cups/daemon/cups-driverd
'CLP-610-1200x600CMS2'

And that does not apply to kdesu konqueror at all, it has to do with my
Samsung CLX3175FN print drivers.

I filed a Bug report on it.

--
fedora-test-list mailing list
fedora-test-list@...
To unsubscribe:
https://www.redhat.com/mailman/listinfo/fedora-test-list

> I'd suggest that anyone who sets up a system without any user
>  accounts _and_ somehow needs a GUI to configure the system
>  _and_ can't manage to figure out the settings to change so
>  they can login as root should probably not be pretending to
>  be a competent administrator.

I guess the last part is not correct - he *can* login as root,
but *can not* run Konqueror as root ... that's a difference

oh, and also the original post was not about installing without
ordinary user accounts

well, but this is not the point - the point is, that someone who
supposes he's smarter than the others just disables a possibility
for the others

please, stop protecting other people from themselves - if they
want to risk being hurt, just let them get hurt ...


I've got a usecase - what about using Konqueror to configure CUPS

what is the security difference between doing
$ su -
# konqueror localhost:631

and

$ konqueror localhost:631
<supply root password to konqueror when asked for>

?

in the first case, if the attacker gets in control of Konqueror,
he can do rm -rf / directly; in the latter, he can capture root
password ... which may (or may not) be more valuable


> Are there not enough examples from Windows of why it's a
>  terrible idea to run with full administrator privileges --
>  especially software like web browsers?

I do not think that using Windows as an argument is worth here

and do not forget that Konqueror is also a file browser, not just
web browser (oh, does everyone really has to do "cd /etc; vi
someconfigfile" in the text console?)

K.

--
Karel Volný
QE BaseOs/Daemons Team
Red Hat Czech, Brno
tel. +420 532294274
(RH: +420 532294111 ext. 8262074)
xmpp kavol@...
:: "Never attribute to malice what can
::  easily be explained by stupidity."


--
fedora-test-list mailing list
fedora-test-list@...
To unsubscribe:
https://www.redhat.com/mailman/listinfo/fedora-test-list

On 11/2/2009 8:26 AM, Karel Volný wrote:
You, sir, are advocating one of the major 'stupid Windows users'
arguments for Linux. Run as root.

The point is, I believe, that to disable root is considered a good
thing. Those that disagree with that thought and wish to open their
system that way are free to do so. Those that do not know *how* to do
that probably should *not* do that.

Makes sense to me.


--


  David



--
fedora-test-list mailing list
fedora-test-list@...
To unsubscribe:
https://www.redhat.com/mailman/listinfo/fedora-test-list

On 11/02/2009 08:26 AM, Karel Volný wrote: I went into root and deleted .kde and restarted and it fixed the problem
of running Konqueror in root,
But As far as user doing "kdesu konqueror" that still does not work.
I have to do su - and then run konqueror from terminal and the it comes up.

--
fedora-test-list mailing list
fedora-test-list@...
To unsubscribe:
https://www.redhat.com/mailman/listinfo/fedora-test-list

Todd Zullinger wrote:
> John Summerfield wrote:
>> Same with gnome. Someone's misguided attempt to secure the system.
>> It's dead easy to install a system with no means to login to a GUI
>> and configure stuff.
>>

A note to the original poster, I misread your question, and interpreted
it wrongly. Sorry about that.

>> All you need do is install sans user account.
>
> I'd suggest that anyone who sets up a system without any user accounts
> _and_ somehow needs a GUI to configure the system _and_ can't manage
> to figure out the settings to change so they can login as root should
> probably not be pretending to be a competent administrator.

My security is my responsibility, not my vendor's. The vendor's
responsibility is to provide tools and documentation.

Neither you nor my vendors understand my particular requirements and
circumstances, and lacking that information you are poorly qualified to
judge.

Here are the most relevant RHEL manuals:
http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.4/html/Installation_Guide/index.html
http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.4/html/Deployment_Guide/index.html
  Find where either one describes creating a user account during manua;
(that is, not kickstart) installation.I looked, I don't see it and I
don't recall it,

I've not done a manual install of Fedora for some time, my normal
install for any of the RHL family is by kickstart, and I do normally
create user accounts, add some to wheel and configure sudo so members of
the wheel group can administer using sudo.

In contrast, Debian and Ubuntu insist.

>
> Are there not enough examples from Windows of why it's a terrible idea
> to run with full administrator privileges -- especially software like
> web browsers?

Recommendations I've seen on windows are
1. Use administrative accounts for administration only.
or
2. Use regular accounts, use "run as" to gain elevated privilege when
required. Unfortunately for this advice, Windows Update failed for me on
two systems, so I have it up. My approach is the first.


A well-designed GUI is not to be scorned. It presents the user's choices
and provides guidance in making choices, and can make sure the choices
are sane. Where a change must be reflected in several files, it can take
care of that.

Of course, a TUI could do as well, but last I looked I could not find
any TUI-writing tools to match what I had on MSDOS 3.31 (or OS/2 in DOS
mode) last century.


--

Cheers
John

-- spambait
1aaaaaaa@...  Z1aaaaaaa@...
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)

--
fedora-test-list mailing list
fedora-test-list@...
To unsubscribe:
https://www.redhat.com/mailman/listinfo/fedora-test-list

Karel Voln wrote:

>
> $ konqueror localhost:631
> <supply root password to konqueror when asked for>
>
> ?
>
> in the first case, if the attacker gets in control of Konqueror,
> he can do rm -rf / directly; in the latter, he can capture root
> password ... which may (or may not) be more valuable

I don't think much of your example, but in practice if some cracker
tries to "rm -rf /" there's not a lot to choose, on my systems, between
doing it as root and doing it is me. My valuables are  mostly in ~ and
the operating system is way easier to replace than the stuff in ~.

More likely, Ungodly will be looking for my banking details, and i I
allow a browser to store unencrypted account details, being root doesn't
make my situation worsse

However, I think the biggest hazards is through trojans, and if I can
persuade you that you really should give my custom version of Firefox a
burl, I've got you. along with Firefox I could install keyloggers to
record what you type, I I can correlate what you type with where you go,,,,






--

Cheers
John

-- spambait
1aaaaaaa@...  Z1aaaaaaa@...
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)

--
fedora-test-list mailing list
fedora-test-list@...
To unsubscribe:
https://www.redhat.com/mailman/listinfo/fedora-test-list

David wrote:

I don't think the people at Red Hat are entirely stupid, though I
disagree with them on some matters and I think that preventing root from
using GUIs is futile and misguided, especially as a good proportion of
the software  must be run with root privilege. Think, RH the
configuration tools run with root privilege. That means all of GTK,
python, perl and X,

RH does not disable the root account, it just prevents it from logging
in to a GUI.

To do the job properly, it should (at least) allow the root account to
be disabled entirely, and insist that if that's done the installer also
creates an account that can be used for administration. Using sudo, not su.

Ubuntu has done that from day one (but not at the user's option) and it
works fine.

Above I refer to "Red Hat" because it was on RHEL-clone that I mas most
recently tripped up. I don't _know_  of any relevant way Fedora differs.



--

Cheers
John

-- spambait
1aaaaaaa@...  Z1aaaaaaa@...
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)

--
fedora-test-list mailing list
fedora-test-list@...
To unsubscribe:
https://www.redhat.com/mailman/listinfo/fedora-test-list

On 11/02/2009 09:31 PM, John Summerfield wrote:

> To do the job properly, it should (at least) allow the root account to
> be disabled entirely, and insist that if that's done the installer also
> creates an account that can be used for administration. Using sudo, not su.

Sudo doesn't allow fine grained access. PolicyKit (via pkexec) does,
which is why it is developed and favored by Fedora.

Rahul

--
fedora-test-list mailing list
fedora-test-list@...
To unsubscribe:
https://www.redhat.com/mailman/listinfo/fedora-test-list