Big security problem in Nautilus 3.28.1 In my Arch Linux installation with Gnome 3.28, I recently noticed that I can enter with Nautilus in the private directory /root and see the files inside while Nautilus is starte...--prophetes.ai

Big security problem in Nautilus 3.28.1 In my Arch Linux installation with Gnome 3.28, I recently noticed that I can enter with Nautilus in the private directory /root and see the files inside while Nautilus is started without root rights. In addition I can create directories everywhere in the filesystem as a non-root user when I start nautilus like this : > $ nautilus admin:/// How is it possible while Nautilus do not have the root rights ? For the moment, it's a very strange security hole for me...

My problem was caused by an insecure configuration of the sudo system. When I installed my Arch Linux system and to have the hability to execute commands without the root account, I added directly my username in the sudoers file like this :

martin ALL=(ALL) ALL

It worked very well with sudo but not at all with polkit. With this configuration, when I just typed `pkexec` in my shell, it opened a root shell without asking me for any password. But when Nautilus tries to access the `/root` directory, he execute the `pkexec` command. So that I could go in this directory without any password with my normal user account.

To correct the problem, I put my user in the `wheel` group and uncomment this line in the sudoers file

# %wheel ALL=(ALL) ALL

In conclusion, it's not a security breech in Nautilus but an insecure configuration I made...I'm sorry.