http://bugzilla.suse.com/show_bug.cgi?id=1134131
http://bugzilla.suse.com/show_bug.cgi?id=1134131#c7
--- Comment #7 from Matthias Gerstner ---
So the action com.deepin.pkexec.dde-file-manager is kind of okay. The
com.deepin.pkexec.usb-device-formatter.policy, however, is not. It allows
locally logged in regular users to run /usr/bin/usb-device-formatter without
any authentication.
The usb-device-formatter has the following issues:
- It crashes when called without parameters.
- It can be used to determine the existence of arbitrary files, since all
  paths can be passed and the error message differentiates between not
  existing and not a block device.
- The "removable device" detection isn't working, because it looks for
  "rm":"1" in lsblk's JSON output, however the output contains "rm":true. This
  was only recently changed in util-linux v2.33.
- When operating on a symlinked block device the application allows unmounting
  arbitrary block devices as long as they're not busy.
- The same symlink attack can be used to format arbitrary file systems as long
  as they're not busy.
- It reads from the user's `~/.pam_environment` w/o any protection. It looks like
  other PAM applications do that as well. Linking /dev/zero there causes fun
  things. This should only be done after dropping privilege to the calling
  user and by not following symlinks.
So this program is certainly not fit to be run without root authentication.
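The removable-device check from the comment above, as an added example that is not part of the original comment or of the Deepin code: it parses lsblk's JSON instead of substring-matching it, accepts both the older `"rm":"1"` and the newer `"rm":true` encodings, and fails closed on anything else. The function names and the sample lsblk output are constructed for illustration.

```python
import json

# Constructed samples of `lsblk --json` output (not captured from a real system).
OLD_FORMAT = '''{"blockdevices": [
  {"name": "sda", "rm": "0", "type": "disk",
   "children": [{"name": "sda1", "rm": "0", "type": "part"}]},
  {"name": "sdb", "rm": "1", "type": "disk",
   "children": [{"name": "sdb1", "rm": "1", "type": "part"}]}]}'''
NEW_FORMAT = '''{"blockdevices": [
  {"name": "sda", "rm": false, "type": "disk",
   "children": [{"name": "sda1", "rm": false, "type": "part"}]},
  {"name": "sdb", "rm": true, "type": "disk",
   "children": [{"name": "sdb1", "rm": true, "type": "part"}]}]}'''


def substring_check(lsblk_json):
    """Approximation of the check described in the comment: a literal match."""
    return '"rm":"1"' in lsblk_json.replace(" ", "")


def _as_bool(value):
    """Normalize the "rm" field; None means the encoding was not recognized."""
    if isinstance(value, bool):
        return value
    if value in ("0", "1", 0, 1):
        return str(value) == "1"
    return None


def _walk(devices):
    """Yield every device dict in the tree, including nested children."""
    if not isinstance(devices, list):
        return
    for dev in devices:
        if isinstance(dev, dict):
            yield dev
            yield from _walk(dev.get("children"))


def is_removable(lsblk_json, name):
    """True only if `name` is listed and explicitly marked removable."""
    try:
        devices = json.loads(lsblk_json)["blockdevices"]
    except (ValueError, KeyError, TypeError):
        return False  # unparsable or unexpected output: fail closed
    for dev in _walk(devices):
        if dev.get("name") == name:
            return _as_bool(dev.get("rm")) is True
    return False
```
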