Logging into GNOME as root

David Zeuthen davidz at redhat.com
Tue Dec 8 20:42:43 UTC 2009 

Hey,

Despite our efforts, I still see a lot (or at least, more than I want)
of bugs where users log into GNOME as root - typically through stuff
like x11vnc or other sysadmin tools that bypasses gdm. Logging into
GNOME as root is not really the best of ideas - I won't go into details
here - I will just take it as a given that everyone agrees about about
this.

Anyway, one interesting side-effect is that polkit (now) says root is
authorized for anything - so we get interesting bugs like all
user-visible filesystems being automounted - normally this wouldn't
happen because of our current policy is to only allow automounting of
non-system-internal (which currently means only usb, firewire- and
sdio-connected devices + optical discs) without interrupting the user to
ask for his root password.

For example, a typical case is that some person installs Fedora on a
machine connected to a SAN and logs into GNOME as root. Now all the,
say, 5,000 partitions visible from the SAN is automounted. This is
typically not what the person logging in expected - in fact, such
behavior may easily cause data-loss as another initiator on the SAN may
have mounted one or more devices already.

Actually, of course, the real bug GVfs fix is to be less cavalier about
automounting - and that fix is already committed to GVfs and submitted
as an GVfs update for F-12 (only ever automount usb, firewire, sdio,
optical discs). Actually, the astute reader may note that this bugfix
will become important for F-13 as we want users created in the default
desktop OS to have more privileges cf. the "Roles and Policy" mail that
I sent to this list in August 2009.

So there's a couple of things here

 1. Users will still log into GNOME as root no matter how loudly or
    how many times they are told not to do that.

 2. I'm pretty sure the GVfs automounting bug is not unique here - there
    may be other things not working as expected. We should probably
    think about auditing the distro - e.g. we don't want to cause
    data loss even if people do things the OS is not designed for.

 3. We probably need to do an even better job of discouraging
    people logging in as root - I'm thinking we should show
    a dialog explaining why this is bad and also show a red
    background or something. Or maybe refuse to start gnome-session
    altogether.

    Currently (rawhide) I don't get any warnings whatsoever if I log
    into VT1 as root on a machine in run level 3 and type 'startx'. I
    just get a stock GNOME desktop.

    Of course we could just say "don't use startx" but that's not how
    things work (since we still ship startx) and I don't see that
    changing. I don't regard "remove / neuter startx" as a fight worth
    fighting either.

Thanks,
David

More information about the Fedora-desktop-list mailing list