http://bugzilla.suse.com/show_bug.cgi?id=1090647
http://bugzilla.suse.com/show_bug.cgi?id=1090647#c4
Matthias Gerstner changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |matthias.gerstner@suse.com
--- Comment #4 from Matthias Gerstner ---
I had a look today on Leap15 using the security-scanner. I have put together a
list of interesting files in
https://pes.suse.de/Maintenance-Security/Products/leap15/.
The following findings resulted from this:
- /etc/machine-id is world-writeable which is probably not what was intended.
  The reason is found in the systemd spec file:

      if [ $1 -eq 1 ]; then
          touch %{_sysconfdir}/machine-id
          chmod 666 %{_sysconfdir}/machine-id
      fi
- Each process started from within the KDE login inherits a couple of open
  UNIX domain socket file descriptors. Just open up a konsole and check
  ls -l /proc/self/fd. These descriptors are open for read/write. They seem to
  be connected to the plasmashell process also running as the logged in user.
  So it hopefully doesn’t pose a security issue. Anyways, inheriting those file
  descriptors to arbitrary user processes does not look like a good idea. But
  probably it is some great KDE concept in action that we’re seeing here?
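An audit sketch for the two findings in comment #4, added here as an example; it is not part of the bug report or of the security-scanner mentioned there. The function names world_writable_files and socket_fds are hypothetical, and the default paths (/etc, the shell's own /proc/<pid>/fd) are assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report. Function names are hypothetical.

# Print regular files below DIR (default: /etc) that have the "other write"
# permission bit set, which is the condition reported for /etc/machine-id.
# -xdev keeps the walk on one filesystem; unreadable directories are skipped.
world_writable_files() {
    find "${1:-/etc}" -xdev -type f -perm -0002 2>/dev/null || true
}

# Print "<fd> <target>" for every socket descriptor listed in an fd directory.
# FD_DIR defaults to this shell's own /proc/<pid>/fd, so running it in a fresh
# terminal shows the sockets the shell inherited from its parent.
socket_fds() {
    fd_dir="${1:-/proc/$$/fd}"
    for link in "$fd_dir"/*; do
        [ -L "$link" ] || continue              # skip an unmatched glob
        target=$(readlink "$link") || continue  # fd may have closed meanwhile
        case "$target" in
            socket:*) printf '%s %s\n' "${link##*/}" "$target" ;;
        esac
    done
}

# Report mode: sh audit.sh --report
if [ "${1:-}" = "--report" ]; then
    echo "World-writable regular files under /etc:"
    world_writable_files /etc
    echo "Socket descriptors open in this shell:"
    socket_fds
fi
```

The kernel reports every socket as socket:[inode] in /proc, so socket_fds does not distinguish UNIX domain sockets from other socket types.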