Security nonsense: KDE Dolphin does not run as root - Fix

Updated: July 7, 2088

Every now and then, I go blithely about my way, when suddenly, I feel this sharp pain in my lower back, slightly below the tailbone. It's a sharp stabbing sensation. It's the sensation of betrayal. The kind of pain you experience when you love the Plasma desktop, you go about extolling its virtues left and right, and then suddenly you discover that you cannot launch the Plasma file manager - Dolphin - as root. W00t.

About a year ago, this restriction was implemented in Plasma because "root was dangerous" [sic] and for a while, you could not launch Dolphin as root or with sudo. This would-be security measure made my rage enzymes spike through the roof. Since, the KDE team has wisely gone back on this change, and starting with KDE Application 18.08 bundle, you can do this again once more. Job well done. Kudos. But what if you're running an older version of Dolphin? This tutorial offers a non-intrusive, stopgap measure for that.

Teaser

First, the OFFICIAL solution

If you have the opportunity to upgrade the Plasma stack to the latest version, the next time you launch Dolphin as root, you will get a warning. This is a very reasonable compromise, and it satisfies the needs of both worlds, users and security people. No screenshots just yet.

Problem (older versions of Dolphin)

If you are using an affected version of the file manager, when you try to run is as root, you will see a warning that says: Executing Dolphin as root is not possible. Rather unnecessary, and you know how I feel about security in general. But that's not the point, although I'd love to rant. Actually, I had to rewrite this entire article from scratch, as it was written while the restriction was still in place, but now that we have the official fix, I had to cut down on a whole lot of anger and ranting.

Root not possible

Anyway, we must remedy this issue. Let us proceed.

Solution

There's already a terrific guide on this topic, over at iwf1.com. The guide shows how to use a different libkdeinit5_dolphin.so library to bypass this problem. You copy the non-affected version of the library - more about where to find one in a moment - over the restricted one under /usr/lib64, and you can then launch Dolphin as root. This method is slightly intrusive, so I want to show you a streamlined way of doing this, with ZERO system changes.

We will use the LD_PRELOAD environment variable option, a magnificent way of preloading system libraries before the ones that the program specifically depends on, as I've shown you in my Busybox & LD_PRELOAD tutorial. This is great because: 1) you can load any which dolphin.so library without touching the system 2) you can have multiple versions of the library available for use 3) this allows you to run both standard and root-enabled dolphin side by side without any issues.

Moreover, we will also use another environment variable, so we have the icon fix - as explained in Liron's tutorial above. First, we need to grab the right version of libkdeinit5_dolphin.so. Now, you can get it from openSUSE repos, because they have not implemented the security change.

Download & extract RPM package

I decided to start with Dolphin 18.XX. I will run this on Kubuntu 18.04 first, which uses Dolphin 17.12, to show you an error, so that you see what to do if you try an incompatible set of Dolphin and shared library versions. Then, we will download the right version that matches our system. Please note I am using an RPM package from openSUSE - and will deploy on a Debian-based (DEB) target - Kubuntu, and also KDE neon, to show you that this works well. Anyway, once you have the package downloaded, extract with rpm2cpio. If this utility is not installed, get it. Then:

mkdir dolphin
cd dolphin
rpm2cpio ../dolphin-<whatever>.rpm | cpio

This will extract the RPM package in the current directory and create a layout like what you'd see if you installed for real. There should be usr, lib64 and maybe several other directories. The libkdeinit5_dolphin.so shared library sits under usr/lib64 (no trailing slash, we're talking relative location).

Run with LD_PRELOAD, attempt 1

Now, we can use LD_PRELOAD to launch Dolphin - but it will use OUR shared lib instead:

LD_PRELOAD=/home/roger/Downloads/dolphin/usr/lib64/libkdeinit5_dolphin.so /usr/bin/dolphin

With the incompatible (new) library, you'll see an error like this:

LD_PRELOAD=/home/roger/Downloads/dolphin/usr/lib64/libkdeinit5_dolphin.so /usr/bin/dolphin
/usr/bin/dolphin: /usr/lib/x86_64-linux-gnu/libQt5Core.so.5: version `Qt_5.11' not found (required by /home/roger/Downloads/dolphin/usr/lib64/libkdeinit5_dolphin.so)

Run with LD_PRELOAD, attempt 1

Since this does not work, we need Dolphin 17.12 for Kubuntu 18.04. Download the rpm again and run:

rpm2cpio ../dolphin-17.12.3-lp150.1.23.x86_64.rpm | cpio -id

And we repeat the command above. It will work well.

LD_PRELOAD=/home/roger/Downloads/dolphin/usr/lib64/libkdeinit5_dolphin.so /usr/bin/dolphin
QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-root'
QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-root'
kf5.kio.core: Refilling KProtocolInfoFactory cache in the hope to find "stash"
org.kde.dolphin: Saving view-properties to "/root/.local/share/dolphin/view_properties/global"

But we won't have icons. So we need to declare them in another environment variable.

export XDG_CURRENT_DESKTOP=KDE; LD_PRELOAD=/home/roger/Downloads/dolphin/usr/lib64/libkdeinit5_dolphin.so /usr/bin/dolphin

And this will work majestically:

Dolphin running as root

Conclusion

Here you go. You now have several options. One, upgrade your KDE version, if possible, although this may not be available in some distributions. I am also not sure what Kubuntu LTS will do. Two, you can completely replace the offending library. Three, try using the nifty trick with LD_PRELOAD that does not change the system defaults and allows you to run multiple instances of the file managers and its libraries in parallel. This way, you can use ordinary "secure" Dolphin for day-to-day work, and when you need the root access, you launch with the separate library. Awesome.

I cannot begin to express my disdain for the security drama, in general. It's not just KDE or Linux. It's everything. The notion of "protecting" people against "evil" is disturbing. This is the same like adult content filters, fake news and similar. But then, I am extremely happy that the KDE team is working very hard on making the user experience their primary objective. They are listening, they are adapting, and they are trying to balance difference needs in a pragmatic, elegant way. Sweet. Either way, you have lots of options before you and the tools to be your own boss now. Enjoy.

Cheers.

You may also like: