Hi, I'm running SuSe 9.2 and I have a user account in which I run KDE 3.4 CVS HEAD. I have discovered a serious security flaw, probably related to a bug in the Yast2 system:/ kioslave. If you go to system:/ in Konqueror -> Settings -> Yast2 Modules and try to change anything, it doesn't ask you for a password, so any user can make modifications to the system without having the root password at all. Please check http://bugs.kde.org/show_bug.cgi?id=96146 for more information on this bug.
Greetings,
On Thu, Jan 06, 2005 at 03:35:02PM -0300, Mauricio Bahamonde wrote:
Hi, I'm running SuSe 9.2 and I have a user account in which I run KDE 3.4 CVS HEAD. I have discovered a serious security flaw, probably related to a bug in the Yast2 system:/ kioslave. If you go to system:/ in Konqueror -> Settings -> Yast2 Modules and try to change anything, it doesn't ask you for a password, so any user can make modifications to the system without having the root password at all. Please check http://bugs.kde.org/show_bug.cgi?id=96146 for more information on this bug.
Then please check the bug again, several comments have been added.
Ciao, Marcus
On Thursday 06 January 2005 16:07, Marcus Meissner wrote:
Then please check the bug again, several comments have been added.
Ciao, Marcus
Hi, I just read your comment that said: "it might look as if you have root access, but there is nothing that provides an automatic privilege escalation. can you write/change any configuration setting? or is just the GUI active as if in root mode?"
I just tried this and you are correct. I can't change any setting, because it's running as a normal user. However, I guess it should ask for a password anyway, because any operation that requires root access fails.
Greetings,
On Thu, Jan 06, 2005 at 04:20:03PM -0300, Mauricio Bahamonde wrote:
On Thursday 06 January 2005 16:07, Marcus Meissner wrote:
Then please check the bug again, several comments have been added.
Ciao, Marcus
Hi, I just read your comment that said: "it might look as if you have root access, but there is nothing that provides an automatic privilege escalation. can you write/change any configuration setting? or is just the GUI active as if in root mode?"
I just tried this and you are correct. I can't change any setting, because it's running as a normal user. However, I guess it should ask for a password anyway, because any operation that requires root access fails.
The RPMs shipped with 9.2 make that clear... Somehow our prefix dialog is not shown with newer KDE RPMs and the system:// URL.
Ciao, Marcus
On Thursday 06 January 2005 16:50, Marcus Meissner wrote:
The RPMs shipped with 9.2 make that clear... Somehow our prefix dialog is not shown with newer KDE RPMs and the system:// URL.
I'm not using the Suse KDE RPMs for my daily use (I use a compiled KDE CVS HEAD), so I think this should be fixed internally in Yast, so that every time it's called through the kioslave, it asks for the root password. What do you say?
Greetings,