[Bug 872276] New: libKF5Su5.x86_64: E: permissions-file-setuid-bit (Badness: 10000) /usr/lib64/kde5/libexec/kdesud is packaged with setuid/setgid bits (02755)
https://bugzilla.novell.com/show_bug.cgi?id=872276
https://bugzilla.novell.com/show_bug.cgi?id=872276#c0

           Summary: libKF5Su5.x86_64: E: permissions-file-setuid-bit (Badness: 10000) /usr/lib64/kde5/libexec/kdesud is packaged with setuid/setgid bits (02755)
    Classification: openSUSE
           Product: openSUSE Factory
           Version: 13.2 Milestone 0
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: Major
          Priority: P5 - None
         Component: Security
        AssignedTo: security-team@suse.de
        ReportedBy: hrvoje.senjan@gmail.com
         QAContact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.152 Safari/537.36 SUSE/33.0.1750.152

Sebastian, we have another one ;-)
(kde4 code is in kdebase4-runtime), kf5 code just got merged into kdesu framework for beta1 (4.98.0)

from help:
"KDE su uses a daemon, called kdesud. The daemon listens to a UNIX® socket in /tmp for commands. The mode of the socket is 0600 so that only your user id can connect to it.

If password keeping is enabled, KDE su executes commands through this daemon. It writes the command and root's password to the socket and the daemon executes the command using su, as described before. After this, the command and the password are not thrown away. Instead, they are kept for a specified amount of time. This is the timeout value from in the control module. If another request for the same command is coming within this time period, the client does not have to supply the password. To keep hackers who broke into your account from stealing passwords from the daemon (for example, by attaching a debugger), the daemon is installed set-group-id nogroup."

Reproducible: Always

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=872276#c

Marcus Meissner <meissner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|libKF5Su5.x86_64: E:        |AUDIT-0: libKF5Su5.x86_64:
                   |permissions-file-setuid-bit |E:
                   |(Badness: 10000)            |permissions-file-setuid-bit
                   |/usr/lib64/kde5/libexec/kde |(Badness: 10000)
                   |sud is packaged with        |/usr/lib64/kde5/libexec/kde
                   |setuid/setgid bits (02755)  |sud is packaged with
                   |                            |setuid/setgid bits (02755)

https://bugzilla.novell.com/show_bug.cgi?id=872276#c1

Sebastian Krahmer <krahmer@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
                 CC|                            |security-team@suse.de
       InfoProvider|                            |hrvoje.senjan@gmail.com

--- Comment #1 from Sebastian Krahmer <krahmer@suse.com> 2014-04-15 09:29:00 UTC ---
Should not be of much problem, as it's only g+s nogroup:

chgrp nogroup '\${KDESUD_PATH}' && chmod g+s '\${KDESUD_PATH}'\"

The peer-id check of the socket still seems there when pwd caching is used. Also see here:

https://www.suse.com/support/security/advisories/2001_002_kdesu_txt.html

However it needs to be enabled during build, e.g. there must be a string of
"socket not owned by me! socket uid ="
inside the binary. Then everything should be fine.

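Added example, not part of the bug thread, the permissions package or the kdesu source: a shell audit of an installed kdesud for the two properties comment #1 relies on, the g+s nogroup mode and the presence of the peer-credential check string in the binary. The function names, the extra write-bit check and the use of GNU `stat -c` are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a kdesud binary for the properties named in comment #1.
# Usage (script name is hypothetical):
#   sh audit_kdesud.sh /usr/lib64/kde5/libexec/kdesud

# String that comment #1 says must be present in the binary.
PEER_CHECK_MARKER='socket not owned by me! socket uid ='

# mode_ok MODE GROUP [EXPECTED_GROUP]
# MODE is octal as printed by `stat -c %a` (e.g. 2755). Succeeds only for a
# setgid, non-setuid file owned by the expected group (default: nogroup).
mode_ok() {
    bits=$(( 0$1 )); group=$2; want=${3:-nogroup}
    [ $(( bits & 04000 )) -eq 0 ] || { echo "setuid bit is set"; return 1; }
    [ $(( bits & 02000 )) -ne 0 ] || { echo "setgid bit is missing"; return 1; }
    # Added hygiene check (assumption): nobody but the owner may rewrite it.
    [ $(( bits & 00022 )) -eq 0 ] || { echo "group/world writable"; return 1; }
    [ "$group" = "$want" ] || { echo "group is $group, not $want"; return 1; }
}

# has_peer_check FILE: fixed-string search of the binary for the marker.
has_peer_check() {
    LC_ALL=C grep -Fq -- "$PEER_CHECK_MARKER" "$1"
}

# audit_kdesud FILE [EXPECTED_GROUP]: 0 = ok, 1 = finding, 2 = unusable input.
audit_kdesud() {
    path=$1
    [ -f "$path" ] || { echo "$path: not a regular file"; return 2; }
    # GNU coreutils stat: %a = octal mode, %G = group name.
    mode_ok "$(stat -c %a "$path")" "$(stat -c %G "$path")" "${2:-nogroup}" \
        || return 1
    has_peer_check "$path" \
        || { echo "$path: peer-credential check string not found"; return 1; }
    echo "$path: ok"
}

if [ "$#" -gt 0 ]; then
    audit_kdesud "$@"
fi
```
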
https://bugzilla.novell.com/show_bug.cgi?id=872276#c2

Hrvoje Senjan <hrvoje.senjan@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW
                 CC|                            |hrvoje.senjan@gmail.com
       InfoProvider|hrvoje.senjan@gmail.com     |

--- Comment #2 from Hrvoje Senjan <hrvoje.senjan@gmail.com> 2014-04-16 14:38:55 UTC ---
(In reply to comment #1)
> However it needs to be enabled during build, e.g. there must be a string of
> "socket not owned by me! socket uid ="
> inside the binary. Then everything should be fine.

i guess you mean qDebugs in KDEsuClient::connect?
they are always enabled (i.e. there's no way to disable them, and they are also not guarded by NDEBUG)

https://bugzilla.novell.com/show_bug.cgi?id=872276#c3

Sebastian Krahmer <krahmer@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #3 from Sebastian Krahmer <krahmer@suse.com> 2014-04-22 07:50:16 UTC ---
fixed

https://bugzilla.novell.com/show_bug.cgi?id=872276#c4

--- Comment #4 from Hrvoje Senjan <hrvoje.senjan@gmail.com> 2014-04-22 18:34:55 UTC ---
(In reply to comment #3)
> fixed

just waiting on updated permissions package =)

https://bugzilla.novell.com/show_bug.cgi?id=872276#c5

--- Comment #5 from Hrvoje Senjan <hrvoje.senjan@gmail.com> 2014-05-22 00:03:26 UTC ---
ping...

https://bugzilla.novell.com/show_bug.cgi?id=872276#c6

--- Comment #6 from Hrvoje Senjan <hrvoje.senjan@gmail.com> 2014-05-22 00:04:22 UTC ---
ah, and the location is now /usr/%_lib/libexec/kf5/kdesud

https://bugzilla.novell.com/show_bug.cgi?id=872276#c7

--- Comment #7 from Hrvoje Senjan <hrvoje.senjan@gmail.com> 2014-07-17 05:52:32 UTC ---
another ping ;-)

https://bugzilla.novell.com/show_bug.cgi?id=872276#c8

Hrvoje Senjan <hrvoje.senjan@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |

--- Comment #8 from Hrvoje Senjan <hrvoje.senjan@gmail.com> 2014-07-21 10:26:17 UTC ---
re-opening until the whitelist appears

https://bugzilla.novell.com/show_bug.cgi?id=872276#c9

--- Comment #9 from Sebastian Krahmer <krahmer@suse.com> 2014-07-21 12:59:34 UTC ---
Huh, AFAIK it was already whitelisted. Checking...

https://bugzilla.novell.com/show_bug.cgi?id=872276#c10

--- Comment #10 from Sebastian Krahmer <krahmer@suse.com> 2014-07-21 13:08:25 UTC ---
Ok, new path. Added to permissions package, waiting until new rpm appears.

https://bugzilla.novell.com/show_bug.cgi?id=872276#c11

Sebastian Krahmer <krahmer@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|                            |FIXED

--- Comment #11 from Sebastian Krahmer <krahmer@suse.com> 2014-07-21 13:46:33 UTC ---
resolved. If there appear new problems, feel free to reopen again

https://bugzilla.novell.com/show_bug.cgi?id=872276#c12

--- Comment #12 from Bernhard Wiedemann <bwiedemann@suse.com> 2014-07-21 17:00:37 CEST ---
This is an autogenerated message for OBS integration:
This bug (872276) was mentioned in
https://build.opensuse.org/request/show/241754 Factory / permissions

https://bugzilla.novell.com/show_bug.cgi?id=872276#c13

--- Comment #13 from Bernhard Wiedemann <bwiedemann@suse.com> 2014-07-23 18:00:14 CEST ---
This is an autogenerated message for OBS integration:
This bug (872276) was mentioned in
https://build.opensuse.org/request/show/242030 Factory / permissions