Security Basics mailing list archives

Re: is it a security problem in Mandrake 9.1???


From: Ash <ashcrow () phreaker net>
Date: 21 Apr 2003 15:59:16 -0400

On Mon, 2003-04-21 at 01:14, Navtej Singh wrote:
> When you are logged on as a normal user ... click on an rpm
> file that is to be installed. It asks for the root
> password ... after installation, click on any other rpm that is
> to be installed and it goes on smoothly without the root
> password ... that is, once root authenticates himself
> with grpmi he remains authenticated for the whole session??

Red Hat uses a similar session setup. The best way to think of how it
works is to think of sudo ... where you authenticate once and from then
on are allowed to execute commands without re-authorizing providing it
is the same session. Once the user logs out (or over a period of time)
the authentication session will expire and the user must re-enter the
root password to install software.

> Do you think it is a security problem??? I suppose, though not too
> serious, it is a security flaw and should be corrected....

I don't think it is a flaw, just a bad set up. The session should time
out after a period of time, but if it doesn't, Mandrake should be
notified of a possible security problem in their implementation.

Cheers,
Ash
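
The reply above compares the behaviour to sudo's cached authentication. As an added example (not part of the original message, and about sudo rather than grpmi), this script audits sudoers text for the `timestamp_timeout` option, which sets how many minutes that cache lasts. The function names, the sample policy and the 5-minute threshold are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report how long sudo keeps cached credentials valid.

audit_timestamp_timeout() {
    # $1 = longest acceptable cache lifetime in minutes (assumed policy, default 5)
    awk -v max="${1:-5}" '
        /^[ \t]*#/ { next }                        # comments and #include lines
        /^[ \t]*Defaults/ {
            line = $0
            gsub(/[ \t]*=[ \t]*/, "=", line)       # tolerate "name = value"
            n = split(line, tok, /[ \t,]+/)
            for (i = 1; i <= n; i++) {
                if (tok[i] !~ /^timestamp_timeout=/) continue
                val = substr(tok[i], index(tok[i], "=") + 1)
                seen = 1
                # sudoers semantics: negative = ticket does not expire,
                # zero = password is requested on every invocation
                if (val + 0 < 0)        verdict = "FAIL never expires"
                else if (val + 0 == 0)  verdict = "OK prompts every time"
                else if (val + 0 > max) verdict = "WARN exceeds " max " min"
                else                    verdict = "OK"
                printf "line %d: timestamp_timeout=%s %s\n", NR, val, verdict
            }
        }
        END { if (!seen) print "no timestamp_timeout set: compiled-in default applies" }
    '
}

# Constructed sample policy, not taken from any real system.
sample_sudoers() {
    cat <<'EOF'
# constructed sample
Defaults env_reset, timestamp_timeout=30
Defaults:deploy timestamp_timeout=-1
Defaults:admin  timestamp_timeout = 0
%wheel ALL=(ALL) ALL
EOF
}

sample_sudoers | audit_timestamp_timeout 5
```

On a live system the input would be the sudoers file and its include directory, read as root; `sudo -k` discards the current cached ticket on demand.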


