List: kde-devel
Subject: Re: kcontrol and setuid
From: Waldo Bastian <bastian () ens ! ascom ! ch>
Date: 1999-06-23 8:53:22
Carlo Robazza wrote:
>
> Hi there,
>
> I am doing some work on kcontrol and I need a bit of help.
>
> When a user runs kcontrol and tries to modify, for example, the
> date they must enter the root password. They can then modify the
> date for the system. If they then start up another module that requires the
> root password, without having exited kcontrol, they are prompted
> for the root password again. I would like to prevent the user
> from having to enter the root password if they have already done
> that. In other words, if the user has already entered the root
> password, it stays active until kcontrol is closed down.
>
> Any thoughts?
This is a security risk. (Although everyone concerned about security
doesn't use an X application as root in the first place :)

The risk can be minimized if some visual indication is given that
the kcontrol has root privileges (either Unix-wise or because it
knows the root-password). After some time it should forget the
password.

This is to prevent that a user can leave kcontrol running unaware
of the fact that it can be used to compromise the system.

Please be careful with storing the root-password. If the program
dumps core, the root-password will most likely be in the coredump.
(That's why programs running suid don't dump core)

Cheers,
Waldo
--
*** *** *** Hi! I'm a .signature virus! *** *** ***
Copy me into your .signature file to help me spread!
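
An added illustration of two precautions from the reply above (forget the password after some time, and keep it out of a core dump); it is not code from kcontrol or from the original message. The struct and function names, the 128-byte limit and the caller-supplied clock are assumptions made for the example.

```c
#include <string.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <time.h>

#define SECRET_MAX 128            /* assumed upper bound on password length */

struct secret_cache {
    char   buf[SECRET_MAX];
    size_t len;
    time_t expires;               /* 0 means "nothing cached" */
};

/* Zero through a volatile pointer so the stores are not optimised away. */
static void wipe(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Call once at start-up, before any password is read. */
int cache_init(struct secret_cache *c) {
    struct rlimit no_core = {0, 0};
    wipe(c, sizeof *c);
    if (setrlimit(RLIMIT_CORE, &no_core) != 0) return -1; /* no core file */
    (void)mlock(c, sizeof *c);    /* best effort: keep it out of swap too */
    return 0;
}

void cache_forget(struct secret_cache *c) {
    wipe(c->buf, sizeof c->buf);
    c->len = 0; c->expires = 0;
}

int cache_store(struct secret_cache *c, const char *pw, time_t now, time_t ttl) {
    size_t n = strlen(pw);
    if (n == 0 || n >= SECRET_MAX) return -1;
    cache_forget(c);
    memcpy(c->buf, pw, n);        /* buf was just zeroed, so it stays terminated */
    c->len = n;
    c->expires = now + ttl;
    return 0;
}

/* Returns the password while it is fresh; wipes it and returns NULL after. */
const char *cache_get(struct secret_cache *c, time_t now) {
    if (c->expires == 0) return NULL;
    if (now >= c->expires) { cache_forget(c); return NULL; }
    return c->buf;
}
```

A caller would pass `time(NULL)` as `now` and call `cache_forget()` when the window closes, so the password never outlives the session.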