Bug 549389 - Show username of windows that don't match uid of pid of metacity
Status: RESOLVED FIXED
Product: metacity
Classification: Other
Component: general
Version: unspecified
Hardware: Other All
Importance: Normal enhancement
Target Milestone: ---
Assigned To: Thomas Thurman
QA Contact: Metacity maintainers list
Duplicates: 505157 574173
Depends on:
Blocks: 505157
Reported: 2008-08-26 03:40 UTC by intangi
Modified: 2009-03-06 22:52 UTC
See Also:
GNOME target: ---
GNOME version: Unversioned Enhancement


Attachments
Show username of windows that don't match uid of pid of metacity (4.79 KB, patch)
2008-08-27 12:33 UTC, Thomas Thurman

Description intangi 2008-08-26 03:40:50 UTC
I think a great feature enhancement would be to show some extra info in the titlebar of windows if the window's uid is different from Metacity's uid.
I see it as in the same vein of Metacity's recent support for showing "(on $HOSTNAME)" in forwarded X11 connections which is extremely useful for me.

How it would work: Most of the time, Metacity can see the pid of a window (not always, but those edge cases can be ignored I think since all Gnome apps I've tried so far work).  It should be easy enough to tell if the pid of the window is owned by the same uid that Metacity is owned by (wmctrl -lp can show the pid info).  In those cases, Metacity should append '(as $USERNAME)'.
This probably wouldn't work across forwarded X connections and for certain legacy X apps, but what it would do is provide a great way to see which running apps (say a Nautilus window or Synaptic) is running "as root" instead of just assuming it's running as the current user.
Comment 1 Thomas Thurman 2008-08-27 12:33:07 UTC
Created attachment 117451
Show username of windows that don't match uid of pid of metacity

This would be a useful feature, and I think we should do it.  (It may also solve bug 505157.)  I liked it so much I actually implemented it.

The only difficult part in the enhancement is getting from a PID to a UID; for reasons which are unclear to me, there's no very portable way to do this.  I have added an optional dependency to the GNOME library libgtop, which can do this on any system it exists on.  libgtop may not be widely used, and this possibly may upset some downstream people.  On the other hand, they can just turn it off again.

(Looking over the patch again, I should probably #if out that whole block if not HAVE_GTOP for efficiency, at least at present; I wanted to allow for people to come up with their own ways of doing the translation if necessary.)

Review would be nice if anyone's hanging around (it's a fairly simple patch) otherwise I'll commit to trunk and then see how people feel about it.
Comment 2 Thomas Thurman 2008-08-27 12:36:29 UTC
Also, perhaps UID==0 should have a special message like "(as the administrator)".  Do real people even say "root" these days?  Do I even know any real people to find out?  I should find out.
Comment 3 intangi 2008-08-27 14:17:38 UTC
(In reply to comment #1)

You ran into the same problem I did when I was messing around with the source... No true portable way to do this.  I think the libgtop method you chose is good, but I'm not a Gnome developer so I can't really say if most other people are going to be okay with it.
I was going to use the euid value from /proc/$pid/status and then grab the username from that uid, but I don't have enough experience with the other unixes to know if there would be any hangups there.
Comment 4 intangi 2008-08-27 14:23:03 UTC
(In reply to comment #2)
> Also, perhaps UID==0 should have a special message like "(as the
> administrator)".  Do real people even say "root" these days?  Do I even know
> any real people to find out?  I should find out.
> 

I think just grabbing the username from getpwuid() is really the best method, since it works for more than just UID==0... If a distro wants to change the super user in /etc/passwd from "root" to "admin" or "administrator", I think that should be on them.

And what do you mean by "real people"? :-D
Comment 5 Martin Meyer 2008-08-27 14:28:39 UTC
Re: comment 2
I think the question should be more phrased "Does any non-Windows user say "administrator" these days?"
--
I love this feature idea, thanks for looking at it Thomas! Is it possible to print the user's name? Regardless we'd still want to print the uid to prevent spoofing via same/similar names.

Any chance to change some window style if the uid is 0? Like change the title bar color or something? Not sure how possible that would even be, or how to make it effective across multiple themes.

Also, is there any way to detect if a window has escalated privileges via sudo or policykit? It'd be nice to be able to quickly find terminals I left running a shell as root in, even if gnome-terminal itself isn't root. Might need some sort of WM hint if one doesn't exist, which would require a spec change.
Comment 6 intangi 2008-08-27 14:44:25 UTC
(In reply to comment #5)
> I love this feature idea, thanks for looking at it Thomas! Is it possible to
> print the user's name? Regardless we'd still want to print the uid to prevent
> spoofing via same/similar names.

I think the program itself has full control over this window manager hint already(?) I don't think printing the uid would be very useful.
I mean, what malicious use can be gained by a window saying it's running as another user?
Even if we print the uid, the program itself could just parse /etc/passwd and change its own title to append (as bob 1234).

I think this is more of a convenience feature than anything that would cause problems if it was "spoofed".  Most people don't run programs as alternate users unless they're already a sysadmin.

> Any chance to change some window style if the uid is 0? Like change the title
> bar color or something? Not sure how possible that would even be, or how to
> make it effective across multiple themes.

I'd like that too, but as I understand it, changing the theming to support it is a lot bigger than the tiny patch to show (as user) in the title bar, which is why I suggested it separately from bug 505157.
Comment 7 Thomas Thurman 2008-08-27 14:44:57 UTC
(In reply to comment #3)
> I was going to use the euid value from /proc/$pid/status and then grab the
> username from that uid, but I don't have enough experience with the other
> unixes to know if there would be any hangups there.

It would be a lot easier, but it sounds like rather a portability nightmare.

(In reply to comment #3)
> If a distro wants to change the super user in /etc/passwd from "root"
> to "admin" or "administrator", I think that should be on them.

This is a good point.

(In reply to comment #5)
> I think the question should be more phrased "Does any non-Windows user say
> "administrator" these days?"

Heh.  I think Ubuntu use the term in documentation in some places, but the user is still called "root".

> I love this feature idea, thanks for looking at it Thomas! Is it possible to
> print the user's name? Regardless we'd still want to print the uid to prevent
> spoofing via same/similar names.

The name, like in gecos?  Sure, you can do it with passwd->pw_gecos, but I think that's not entirely portable (and if people wanted to screw you around they could set their name to sixty Ws and make the actual window title unreadable).

> Any chance to change some window style if the uid is 0? Like change the title
> bar color or something? Not sure how possible that would even be, or how to
> make it effective across multiple themes.

This is effectively bug 505157, and given what we have here it's certainly not impossible.

> Also, is there any way to detect if a window has escalated privileges via sudo
> or policykit? It'd be nice to be able to quickly find terminals I left running
> a shell as root in, even if gnome-terminal itself isn't root. Might need some
> sort of WM hint if one doesn't exist, which would require a spec change.

Eh, I suppose it's not impossible, but we'd have to search all the descendants of a window whenever we changed the titles.  Doing it with a WM hint would leave us open to spoofing.
Comment 8 Thomas Thurman 2008-08-27 19:06:47 UTC
*** Bug 505157 has been marked as a duplicate of this bug. ***
Comment 9 Thomas Thurman 2009-03-04 22:01:58 UTC
*** Bug 574173 has been marked as a duplicate of this bug. ***
Comment 10 Thomas Thurman 2009-03-06 22:52:47 UTC
Checked in today (with thanks to Riordon).

http://svn.gnome.org/viewvc/metacity?rev=4181&view=rev