List: kde-devel
Subject: Re: kdesu overrides user's PATH with hardcoded path
From: Oswald Buddenhagen <ossi () kde ! org>
Date: 2008-09-05 16:27:44
Message-ID: 20080905162744.GA24542 () troll08
On Fri, Sep 05, 2008 at 06:09:14AM -0700, Michael Howell wrote:
> > do you know how ridiculously improbable it is that you get a security
> > hole that allows you creating executable files in ~/bin but nothing
> > else?
>
> Break a program that isn't being run as root (e.g. a web browser), you don't
> get root privileges. Conveniently, ~/bin is in the user's home directory. It
> isn't "a security hole that allows you creating executable files in ~/bin
> but nothing else", it's "I want them to run this executable, I'm not
> interested in hosing their ~".
>
this makes no sense. when i break into a user's account, i can fully
control it, including kdesu itself. i.e., su-ing from a compromised
account is inherently insecure and no amount of breaking established
ways to legitimately influence the execution flow will fix the problem.
--
Hi! I'm a .signature virus! Copy me into your ~/.signature, please!
--
Confusion, chaos, panic - my work here is done.