Security Basics mailing list archives
Re: is it a security problem in Mandrake 9.1???
From: Ash <ashcrow () phreaker net>
Date: 21 Apr 2003 15:59:16 -0400
On Mon, 2003-04-21 at 01:14, Navtej Singh wrote:
> When you are logged on as a normal user, click on an rpm file that is to be installed. It asks for the root password. After installation, click on any other rpm that is to be installed and it goes on smoothly without the root password. That is, once root authenticates himself with grpmi, he remains authenticated for the whole session?
Red Hat uses a similar session setup. The best way to think of how it works is to think of sudo ... where you authenticate once and from then on are allowed to execute commands without re-authorizing, provided it is the same session. Once the user logs out (or over a period of time) the authentication session will expire and the user must re-enter the root password to install software.
> Do you think it is a security problem? I suppose, though not too serious, it is a security flaw and should be corrected.
I don't think it is a flaw, just a bad set up. The session should time out after a period of time, but if it doesn't, Mandrake should be notified of a possible security problem in their implementation.
Cheers,
Ash