Fstab Edit

Hi. If you are running KDE you can edit fstab easily with Kate. After amending the mount point, Kate will now automatically request your root password if required by the ownership/directory rights of the target directory in this case /etc/.

Progress is being made... I'll hang on and see what this change actually feels like when it gets here...

In case you're interested: https://phabricator.kde.org/D12795
(The polkit support should be somewhat closer than "on the horizon" now.)

Ahha! Now I know who to thank for pkexec!
and thank you Kubicle for that info.

Nate's "This week in KDE" series is one of my favorite reads on planet.kde.org.

Incidentally, it was Nate's patch that enabled pkexec'ing dolphin back in 18.08 (although it might have been inadvertent, as the main goal was to re-enable dolphin to run on a true root session, where the security effect of blocking dolphin is rather negligible..but it also made pkexec possible), so he is the one to thank for the possibility of running dolphin as root currently (without modifying the source ).

Agreed, I bookmarked it...

Interesting site, that Nate's blog.

@jglen490, I drilled down to the source and found this:

https://pointieststick.com/2020/01/0...dmap-for-2020/

I'm doing the happy dance!

So there seems to be some late breaking news about changes in the KDE landscape coming in 2020. These changes might give some relief to Dolphin users and elevated permissions.

I'm actually an odd duck on that. For simple edits of files that need root access, I've always used Nano and that was never an issue (of which you had outlined why previously). I'm a huge fan of Kate, but when I just need some quicky config edits, I usually default to Nano.

However, I do think, depending on how some programs are launched may not go thru policykit. I can't say for sure, they still might, it's just not readily apparent to me and usually it is apparent (as in pop up window), that's why I'm speculating this.

I always try to approach changes in a way that impacts the user the least. Sure there may still be "teething" problems, but which method involves that the least. It doesn't always work out that way though, sometimes what was originally thought of the least impactful method, may indeed be the opposite. As you said, hindsight is always 20/20.

Absolutely. But apps can have root access (with policykit) without running them as root. We probably all know (by now) how kate can perform write operations with elevated privileges when necessary while running the gui as normal user (no one really complains about the kate workflow anymore). And Gnome has recently added the admin:// gvfs protocol that enables apps like gedit and nautilus to do the same.

So it is was a judgement call for the devs...and different devs made different decisions (there were no strictly right or wrong decisions here). Like I said previously, I probably would have gone with the decision the krusader devs made, but I wouldn't criticize dolphin devs for the decision they made either, there are good strong arguments to support either choice, especially considering the different user bases and the fact that policykit integration is necessary anyway in the future wayland era.

And I honestly believe the dolphin decision might have been different if it was known at the time that it would take 2+ years to get policikyt integration in kio (after all policykit support was finished rather quickly for ktexteditor which kate/kwrite uses), as we know pkexec support was later enabled to restore the root workflows (it needed some changes in the source code to lift the strict restrictions a bit), but hindsight is always perfect.

Currently, AFAIK, the only thing blocking the release of enabled polkit support in dolphin is this: https://phabricator.kde.org/T8075 (so it should be fairly close, and should improve all workflows and add immediate security benefits while also being ready for wayland).

I'm actually in a far smaller minority then that I would imagine. I prefer to run very lean installs and I prefer to use portable programs then traditionally installed programs (be it through the package manager or through a run file or a install script etc). Even when I create my Electron apps, I still build them as AppImages or as binary archive for Win users. But you are correct in your assessment that my systems are single user systems.

I totally agree with your scenario, but that would also be an issue with any GUI program and there are some that I do believe would require root access to do what they needed to do.

Therein lies the core of the problem. Maybe you are among the users that don't have other (unprivileged) users on your systems and never yourself run any software that you haven't examined the source and have built yourself, but I assure you that you are in a very small minority.
Let's say you have a user that has installed something from the internet in their $HOME (or possibly you have done so yourself), that software could run a daemon that listens to the X server waiting for an admin user to come along and run a GUI app as root, and bam, that daemon has root (no input necessary from the admin user, other than the act of starting the gui app as root). That is a real security issue. If you understand that, and make an informed decision to run a gui root app, that's quite fine by me (but most people do not quite grasp that, even when I've tried to explain it to them...at least not the ones who search for the quick instructions, and I can assure you that a warning of "this is dangerous" doesn't quite do it either).

I certainly didn't want to imply that I consider you to be either lazy or ignorant (not that I consider either to be necessarily bad things or mutually exclusive to being smart). And I'm probably one of the laziest people you'll find north of the south pole (and quite ignorant of many things). I meant that the idea that I thought you are promoting: "that all software should be developed so that everyone should be able to do everything with it, without having to learn anything and regardless of security concerns" would mean that software would be catered just to those that are the laziest and/or most ignorant, and I don't think that is in the best interest of anyone, not even those that are lazy and/or ignorant...at least not in the long run.

I've enjoyed following this discussion. For me, the bottom line of this thread, Dolphin having root access rights, is very important to my web design workflow. Now that pkexec is working (in 19.04 anyway), I'm back in the flow.

With respect to the philosophical argument about whether to shield users from potentially dangerous GUI actions or to allow those actions with a simple warning, there is no argument.

Let the user have access.

The warning needs to make it clear where the danger lies, but the user should not be completely blocked, as was the case with Dolphin before someone wrote the pkexec script (thank you).

This whole discussion is very likely to come up again, with other tools. It is the nature of Linux development that we will work through the blockages. I just hope it happens faster than this Dolphin situation because I lost work time=money.

Again, thanks for the very good discussion on the philosophy of software development.

If one runs something in root, that's a risk that they have. If they can't be responsible with it, they have to learn. I see some people that do things that should know better that don't. What was that deal with Apache, a bug that was off by default, then a particular user turned it on to do something and then forgot to turn it off after they were do. I don't blame the devs for that. It was off to begin with. If the devs had left it on from default, that's another story.

Some don't learn from what they do. And if they don't, again that's on them. Sometimes the lesson isn't as apparent.

May be able to change it. Some may not be able to. Again, no agree that's not the devs fault, but let's face it, having the source code out in the open is in theory great, but it is only practically great if one can actually do something with it.

I don't think that's only other alternative out there, but I could be wrong.

Now, I do want to make sure that I'm not thought of as someone that has to be spoon fed, since I'm the major proponent on this. I've got cron jobs that I have to run due to the Wacom cintiq and how the new kernel does x or doesn't do x (and there are very few Cintiq users out there, so there isn't a quick good search for cintiqs specifically).

I don't mind the funky way of something small like getting translucent panels on Breeze Dark when despite all the available options that Plasma has, that isn't there (there may be a good reason for it, I haven't looked too much into that). I'm just point that out.

I don't consider this a security issue compared to something that I can't close off or I didn't have to actively initiate. If it's a zero day or something to where it's on, but should be off or vice versa, those would be security issues.

I think a lot of people assume that it's either one way or the other. If can't/don't want to handle it this way, then you must be one of "those".

I think that's missing out on a user base that just wants to get "stuff" done. Some come to Linux to just install and run and get work done. I don't think there is anything wrong with that, but maybe I'm apart of that lazy/ignorant faction. I would like to think that the 5 hrs that it took for me to come up with 3 lines of code to handle my Cintiq issue would have precluded that (this is just one example) and that eats into my work and getting stuff done, but that just might go into that lazy/ignorant faction. I dunno. Tell me your thoughts on that?

While I don't consider scripting things out the ying yang to be hard core dev work, it does impede working efficiency when the user is just trying to get work done.

I don't like the workflow of Krusader. I'm far more efficient in Dolphin/Nautilus/Nemo then I am in Krusader. I might be doing it wrong, I'm sure I am, but for my workflow, it isn't efficient.

I honestly don't think that at all. This type of exchange is how a learn (for better or for worse). As far as software development for myself, Electron dev work would be my most involved work (I don't consider scripts anything to hollar about in regards as a developer) that I do and I do believe some devs don't even consider that dev work at all. So I may not do any dev work depending on which camp your in.