
List:       kde-devel
Subject:    KDE1.1.1 installation advisory
From:       Christian Esken <esken () alpha ! tat ! physik ! uni-tuebingen ! de>
Date:       1999-05-01 18:32:03

Hi,

I'm preparing a KDE1.1.1 installation advisory for packagers and
distributors. Please comment on my proposal ASAP; it's release
time soon.


Thanks,
  Christian

PS: I'm not subscribed to kde-packager, so please reply to
kde-devel or me personally.

#########################################

This document deals with special KDE installation procedures, and is
targeted especially at KDE packagers and Linux distributors. These
are advised to read through this document and follow the instructions.

The topics covered are KDE security handling and additional manual
installation guidelines.



A) SECURITY
===========

The "Security" section points out measures to ensure system security.
KDE needs proper installation to make the security concept work. Four
applications require special attention.



1) kcheckpass
-------------
This is a security helper program that allows non-SUID programs to
verify the password of the invoking user. It is used for
unlocking the KDE screensavers when using the "Lock" function.


Advisory:
a) Check the access rights of the kcheckpass program. This program
   must only be installed SUID root when the shadow password suite
   is being used on the target system.
b) Distributions using the shadow password system can be made more
   secure by creating a "shadow" group and setting the access rights
   of /etc/shadow and kcheckpass like in the following example:

 -rw-r-----   1 root     shadow        746 Sep  2 21:35 /etc/shadow
 ---x--s--x   1 root     shadow       5532 Mai  1 19:03 /opt/kde/bin/kcheckpass

   Distributors are strongly encouraged to follow this scheme. This
   way, kcheckpass is running under the effective user id of the user
   itself and the effective group "shadow". With this, kcheckpass has only
   one additional right against regular users: The right to read /etc/shadow.
   Attackers won't be able to make wider use of "kcheckpass".



2) kvt
------
kvt, KDE's old terminal program, needs to be installed SUID root, to be able
to chown the tty to the user starting the kvt. Without the SUID bit turned
on, the tty being used by kvt will be insecure.

Advisory:
Install kvt SUID root




3) konsole + konsole_grantpty
-----------------------------
The new terminal program needs to chown the tty, as any terminal program.
This task can be solved by konsole in two ways:
- If you have Unix98 ptys, konsole does everything by itself.
- If not, there is a small security helper program, called
  konsole_grantpty.

Advisory:
a) konsole: Remove any SUID bit from this executable
b) konsole_grantpty: Install this program SUID root, if you don't use Unix98 ptys


4) kppp
-------
When setting up a dialup internet connection, KDE's PPP frontend needs
to set up network routes, make a name server available and so on. For
these tasks, kppp needs root permission.
kppp uses a technique to run with the real user id of the calling user.
For the tasks mentioned it forks off a process that provides the needed
services.

Advisory:
Install kppp SUID root



B) ADDITIONAL INSTALLATION GUIDELINES
=====================================

konsole comes with a special font, to allow a more pleasant look in
a "Linux console" session. As installing X11 fonts is very dependent
on the target system and might need special postprocessing like
calling mkfontdir, this font does not get installed by default.

It is recommended to install this font; please see the documentation
in the kdebase package under "kdebase/konsole/README.linux.console" if
you need further help on this topic.
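
The permission scheme from section A, checked mechanically: this is an added example, not part of the original message, that parses `ls -l` lines and reports deviations from advisories 1b) and 3a). The konsole path, the exact-mode comparison and the second listing are assumptions constructed for illustration.

```python
import stat

# Expected state per sections A.1 (scheme b) and A.3 of the advisory. The konsole
# path and the exact-mode match are this example's assumptions.
POLICY = {
    "/etc/shadow": {"owner": "root", "group": "shadow", "mode": 0o640},
    "/opt/kde/bin/kcheckpass": {"owner": "root", "group": "shadow", "mode": 0o2111},
    "/opt/kde/bin/konsole": {"forbid": stat.S_ISUID},
}
SPECIAL = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}

def parse_mode(text):
    """Convert an ls-style string such as '---x--s--x' to numeric mode bits."""
    mode = 0
    for i, ch in enumerate(text[1:10]):   # skip the file-type character
        if ch in "rwxst":                 # s/t imply the execute bit as well
            mode |= 0o400 >> i
        if ch in "stST":                  # setuid, setgid or sticky
            mode |= SPECIAL[i]
    return mode

def audit(listing):
    """Return a list of deviations from POLICY found in 'ls -l' output."""
    findings = []
    for line in listing.strip().splitlines():
        fields = line.split()
        mode, owner, group, path = parse_mode(fields[0]), fields[2], fields[3], fields[-1]
        rule = POLICY.get(path)
        if rule is None:
            continue
        if "forbid" in rule:
            if mode & rule["forbid"]:
                findings.append(f"{path}: SUID bit must be removed")
            continue
        if (owner, group) != (rule["owner"], rule["group"]):
            findings.append(f"{path}: want {rule['owner']}:{rule['group']}, got {owner}:{group}")
        if mode != rule["mode"]:
            findings.append(f"{path}: want mode {rule['mode']:04o}, got {mode:04o}")
    return findings
# The two lines quoted in the advisory, then a constructed non-compliant listing.
ADVISORY = """
-rw-r-----   1 root     shadow        746 Sep  2 21:35 /etc/shadow
---x--s--x   1 root     shadow       5532 Mai  1 19:03 /opt/kde/bin/kcheckpass
"""
CONSTRUCTED_BAD = """
-rw-r--r--   1 root     root          746 Sep  2 21:35 /etc/shadow
-rwsr-xr-x   1 root     root         5532 Mai  1 19:03 /opt/kde/bin/kcheckpass
-rwsr-xr-x   1 root     root        90112 Mai  1 19:03 /opt/kde/bin/konsole
"""
```

`audit(ADVISORY)` returns an empty list; `audit(CONSTRUCTED_BAD)` reports the world-readable shadow file, the SUID-root kcheckpass and the SUID konsole.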
