KDE Discover warns against running as root

j4nd3r53n · May 9, 2024, 9:06am

Years back - over a decade ago - I used to run GNOME as my desktop, but then changed to KDE because the GNOME developers started removing configuration options and instroducing restrictions on whether you could log in to the desktop as root. With some 30 years of experience with UNIX and linux, I felt I probably knew more about what I wanted to do on my systems than a bunch of young developers who felt the urge to exert power.

I have been (and still am) very happy with KDE, but since Debian 12:

# uname -r
6.1.0-21-amd64
# plasmashell -v
plasmashell 5.27.5

the automatic updater app, plasma-discover, always starts up with a (pseudo-) error:

This is obviously not about any error; I have considered the situation and based on my experience, decided to be logged in as root. Even if I were to do something stupid and destroy my OS (which I won’t), it is not going to harm anybody else.

My question, then, is: is there an option to turn this warning off, or shall I get rid of the automatic updater and simply run it manually from a terminal, if and when I remember? I understand the value of keeping the system updated, so it would be less safe to not have this facility, but this silly warning irritates me a lot.

ben2talk · May 9, 2024, 11:16am

I think you completely misunderstand the whole concept.

Sure, back in the day running gnome2 on Ubuntu’s Hardy Heron we sould happily fire up Nautilus as a root file browser… but this is a very bad practice. Even back at that time, warnings were introduced to the Nautilus windows saying that it is a dangerous practice.

Your whole post here demonstrates a distinct lack of understanding - it is not nearly as simple as you imagine. There are operating systems which can run KDE as a graphical root login enabled - but you should never need to do that… you leave the system completely open to attack - and any idea of browsing internet that way is frankly ridiculous too.

GUI Desktops and applications should not be run as root. Examples, like Discover, like KDE Partition Manager, like Kate text editor show you how it should be done.

They should be run from the USER, and they request permissions if they are required. Advanced users have absolutely no issue with this - it is mostly noobs who complain that they can’t do this, because they lack understanding about how they should do it and get frustrated.

I used to manage my wallpapers with a root file browser in /usr/share/wallpapers - and I would also then be frustrated when things I deleted would magically re-appear after an update.

For advanced users, the GUI is just fluff anyway - they will do their installations in the terminal… if I were logged in as a root user, I would simply open the terminal and do it there (and I’m not a particularly advanced user, just one with enough experience to know that it’s cleaner and easier that way).

UPDATE;
Given a previous post of yours stating:

I have configured 12 virtual desktops (mostly because it matches my 12 F-keys), and I start several applications, each on its own desktop - like email on the first, browser on the second etc.

I would definitely double down on what I’ve already stated here… email, browsers, all run as root…

j4nd3r53n · May 9, 2024, 12:08pm

I think it is rather bold of you to suggest that I ‘completely misunderstand …’; and you don’t address the question either. That’s OK, we can’t all know everything, but you shouldn’t project your own fears and/or preferred work practices onto others, 'cause you don’t know anything about my environment, my daily work, my … etc etc.

As I mentioned, I have worked across UNIXes (AIX, Solaris, HP-UX, Linuxes, USS, Ultrix, …) for decades and I do by far the most work from the command line. Occasionally I use a browser - without JavaScript and other fluff - and my desktop is there only as a way to organise applications in a simply way. I could use screen in a terminal, I suppose, but that brings with it its own irritating features.

ben2talk · May 9, 2024, 1:13pm

Ok, accepted - but I don’t think it’s something easily disabled.

Herzenschein · May 9, 2024, 3:28pm

No, this is hardcoded. I’m not sure getting rid of the updater will solve your issue since it’s hardcoded directly in Discover, but you can try. Otherwise you probably don’t want to use Discover for this.

Also note that your use case (running the whole session as root) is completely unsupported by KDE.

glowingwire · May 9, 2024, 8:21pm

I’m sure you could recompile it with a patch.

Just find the throwing of the dialog and comment it out.

I am playing with policy kit and sudoers to make sure the user can do what I hope to do.

I knocked out a whole network because I opened a system setting dialog in mandrake or fedora as root… I didn’t even change anything… granted it was gnome/gtk and looking at it funny can change something, but I did not change a setting.

These systems are expected to run as a user, and are certainly not properly hardened against exploits.

have you ever had a filename crash your system? we can craft filenames that mess up your terminal… sending escape codes and such…

Find Key and Peel (sp) pretending to be terrorists talking about the TSA and travel sized toothpaste… The damage would be incalculable.
but in this case it kind of is. Thankfully very few people run it as root, so they bad guys are not going to be doing broad attacks that getcha if you run as root, but, it really is best not to.

Now, if you are running it on an embedded machine without user separation, you’ll probably be compiling it yourself anyway. Qt is used on some next to critical computing areas, like cars, where stuff has to boot in a fraction of a second.

j4nd3r53n · May 10, 2024, 8:08am

hi glowingwire, I like your comments

I have to say, I’m not all-out against advising people to not run as root, just as I don’t hand out the root passwords to the systems I manage; if the smooth running of the IT is my responsibility, then I’m also to blame if things are broken, even if it was somebody else having root access.

However, this isn’t about whether it is sensible not to run as root; it is, to be precious about it, about self-determination. If you use an actual operating system (as opposed to Windows or OSX), then you are expected to be an adult who takes in advice and accepts responsibility, then make your own decision about what you do. After all, in UNIX there isn’t really anything to stop you from doing something destructive, if that is what you need or want, like dd if=/dev/zero of=/dev/sda. Your system, your responsibility, your choice.

I haven’t had a filename crash the system, although you can, with care and attention, make your terminal session freeze. In the past, when we had proper, serial terminals, it was kind of a sport to make up filenames that messed with people, like embedding a backspace, so you couldn’t find a file that was clearly listed on your screen. One of my tricks was to make characters swap places. Memories, glorious memories.

claydoh · May 10, 2024, 3:51pm

This sort of complaint is nothing new, and will never be solved.

Users are of course perfectly free to manage their systems as they see fit, even if other people tell them how it should be done.

But software developers have the exact same freedom. They create code as they see fit, even if people request it work differently.

glowingwire · May 13, 2024, 9:09pm

We can solve the filename thing. It may require dealing with updates for new unicode.

For not warning people when running plasma as root, this seems like a compile time option may actually be acceptable. There may be other user safety things that can get turned off.

I would like there to be more user safety built in by default, and it makes sense to have the option to run it in other ways.

I would like to make a layer between kio and the filesystem that pumps out warnings or errors if someone tries to make a problematic filename.

Then another thing I can do is make a program that scans for bad filenames on newly mounted media, and warns about that.