https://bugzilla.novell.com/show_bug.cgi?id=872276

Summary: libKF5Su5.x86_64: E: permissions-file-setuid-bit (Badness: 10000) /usr/lib64/kde5/libexec/kdesud is packaged with setuid/setgid bits (02755)
Classification: openSUSE
Product: openSUSE Factory
Version: 13.2 Milestone 0
Platform: Other
OS/Version: Other
Status: NEW
Severity: Major
Priority: P5 - None
Component: Security
AssignedTo: security-team@suse.de
ReportedBy: hrvoje.senjan@gmail.com
QAContact: qa-bugs@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.152 Safari/537.36 SUSE/33.0.1750.152

Sebastian, we have another one ;-) (kde4 code is in kdebase4-runtime), kf5 code just got merged into kdesu framework for beta1 (4.98.0)

from help:

"KDE su uses a daemon, called kdesud. The daemon listens to a UNIX® socket in /tmp for commands. The mode of the socket is 0600 so that only your user id can connect to it.

If password keeping is enabled, KDE su executes commands through this daemon. It writes the command and root's password to the socket and the daemon executes the command using su, as described before. After this, the command and the password are not thrown away. Instead, they are kept for a specified amount of time. This is the timeout value from in the control module. If another request for the same command is coming within this time period, the client does not have to supply the password. To keep hackers who broke into your account from stealing passwords from the daemon (for example, by attaching a debugger), the daemon is installed set-group-id nogroup."

Reproducible: Always
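
An added example, not part of the bug report and not rpmlint's or the permissions package's own code: an audit that decodes packaged file modes such as the 02755 reported above and flags set-id bits that an allow-list does not cover. The allow-list line format (`path owner:group mode`), the function names and every sample entry other than the kdesud path and mode are assumptions constructed for illustration.

```python
import stat

# Constructed sample manifest: (path, octal mode string). Only the first entry is from the report.
SAMPLE_MANIFEST = [
    ("/usr/lib64/kde5/libexec/kdesud", "02755"),
    ("/usr/bin/example-tool", "0755"),
    ("/usr/bin/example-suid", "04755"),
]

# Constructed allow-list; the "path owner:group mode" line format is an assumption.
SAMPLE_ALLOWLIST = """\
/usr/bin/example-suid  root:root  4755   # constructed entry
"""

def parse_allowlist(text):
    """Return {path: mode} from allow-list text, ignoring comments and blank lines."""
    allowed = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"malformed allow-list line: {raw!r}")
        allowed[fields[0]] = int(fields[2], 8)
    return allowed

def set_id_bits(mode):
    """Name the set-id bits present in a numeric file mode."""
    return [name for bit, name in ((stat.S_ISUID, "setuid"), (stat.S_ISGID, "setgid")) if mode & bit]

def audit(manifest, allowlist_text):
    """Return (path, mode, bits, reason) for set-id files the allow-list does not cover exactly."""
    allowed = parse_allowlist(allowlist_text)
    findings = []
    for path, mode_str in manifest:
        perm = stat.S_IMODE(int(mode_str, 8))
        bits = set_id_bits(perm)
        if not bits or allowed.get(path) == perm:
            continue
        reason = "mode differs from allow-list" if path in allowed else "not listed"
        findings.append((path, f"{perm:05o}", bits, reason))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_MANIFEST, SAMPLE_ALLOWLIST):
        print(finding)
```
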