
Docs suggest creating user writable script in home folder run by root? #4808

jgarvin opened this issue May 6, 2024 · 2 comments
jgarvin commented May 6, 2024

Issue description

In the udev rules section of the docs it mentions that udev needs qtile to be in $PATH and so recommends editing the udev script to make sure it references the qtile install in your home folder.

This lets anyone with write access to the user home folder run arbitrary code as root by changing qtile or any of the python source in $HOME/.local/lib/python3/site-packages. Seems like there should be a way that doesn't require this but still lets people install qtile in their home folder? This looks like a possible target for malware to run code as root without requiring the user to type their password.

Version

0.25.0

Backend

Wayland (experimental)

Config

No response

Logs

No response

Required

  • I have searched past issues to see if this bug has already been reported, and it hasn't been.
  • I understand that people give their precious time for free, and thus I've done my very best to make this problem as easy as possible to investigate.

jgarvin commented May 6, 2024

Looking at https://github.com/qtile/qtile/blob/53f3711866d67d33f38a6e72de37ad857decb1a2/libqtile/scripts/udev.py it seems like the rules file could instead just run chmod and chown on a few files? This would also get rid of the need for people to worry about modifying the script to find qtile in $PATH.


tych0 commented May 7, 2024

Sure, the rules file could do all this stuff itself, but it's another entrypoint to distribute and manage. IMO, if someone can write to your home directory, the game is already over: https://xkcd.com/1200/

I would take a patch that implemented a separate udev rules script, as long as you promise to go pester all the distro packagers as well to include it :)
