Feature changed by: Thomas Schmidt (digitaltomm) Feature #310058, revision 5 Title: SUDO with sandbox -X integration - openSUSE-11.3: Unconfirmed + openSUSE-11.3: Rejected by Thomas Schmidt (digitaltomm) + reject reason: Not evaluated for 11.3 Priority Requester: Neutral + openSUSE-11.4: Unconfirmed + Priority + Requester: Desirable Requested by: Sławomir Lach (lachu) Partner organization: openSUSE.org Description: Fedora team have developed sandbox -X, a tool allowing to run programs from desktop in sandbox, but still connected to X server. We should integrate this with Sandbox -X to avoid security holes by running some application as another user by sudo. Use Case: - [code] sudo /sbin/yast2 - [/code] Business case (Partner benefit): openSUSE.org: People are often using graphical tools as root on unprivileged user. PolicyKit is still not satisfied. Discussion: #1: Jan Engelhardt (jengelh) (2010-07-03 14:07:57) What exactly are you trying to protect against when su-ing to root anyway? #2: Sławomir Lach (lachu) (2010-07-10 21:13:39) (reply to #1) Sudo doesn't remember X Cookie in default configuration. That was changed in OpenSUSE, but it's insecure. Using Sandbox -X we ensure no connection with current X session is possible and we can working with graphical tool. I don't believe this is necessary, while running application as root. Some times root or other user will change effective userid to example peter UID. -- openSUSE Feature: https://features.opensuse.org/310058