Security Basics mailing list archives

RE: is it a security problem in Mandrake 9.1???


From: "Dan Fiorito" <danf () voyantinc com>
Date: Tue, 22 Apr 2003 09:10:41 -0400

Similar things in Windows: when you access an admin share from an ordinary user account it asks for a password; once the password is entered the user has access until log off or session timeout.

        -----Original Message----- 
        From: Ash [mailto:ashcrow () phreaker net] 
        Sent: Mon 4/21/2003 3:59 PM 
        To: Navtej Singh 
        Cc: security-basics () securityfocus com 
        Subject: Re: is it a security problem in Mandrake 9.1???
        
        

        On Mon, 2003-04-21 at 01:14, Navtej Singh wrote:
        > When you are logged on as a normal user, click on an rpm
        > file that is to be installed. It asks for root
        > password. After installation click on any other rpm that is
        > to be installed and it goes on smoothly without root
        > password. That is, once root authenticates himself
        > with the grpmi he remains authenticated for the whole session??
        
        Red Hat uses a similar session setup. The best way to think of how it
        works is to think of sudo ... where you authenticate once and from then
        on are allowed to execute commands without re-authorizing providing it
        is the same session. Once the user logs out (or over a period of time)
        the authentication session will expire and the user must re-enter the
        root password to install software.
        
        > Do you think it is a security problem??? I suppose, though not too
        > serious, it is a security flaw and should be corrected....
        
        I don't think it is a flaw, just a bad set up. The session should time
        out after a period of time, but if it doesn't, Mandrake should be
        notified of a possible security problem in their implementation.
        
        Cheers,
        Ash
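
The session-scoped credential caching discussed in this thread, modelled as an added example (not part of the original messages, and not the code of grpmi, Red Hat's tools or sudo). The class name, the 300-second timeout and the user and session names are assumptions; `timeout_s=None` models a cache that never expires on its own.

```python
import time

class AuthTicketCache:
    """Model of sudo-style caching: one ticket per (user, session)."""

    def __init__(self, timeout_s, clock=time.monotonic):
        # timeout_s=None models a setup where tickets never time out.
        self.timeout_s = timeout_s
        self.clock = clock
        self._tickets = {}  # (user, session_id) -> time of last good auth

    def authenticate(self, user, session_id, password_ok):
        """Record a ticket only after a successful root-password check."""
        if password_ok:
            self._tickets[(user, session_id)] = self.clock()
        return password_ok

    def needs_password(self, user, session_id):
        """True if the next privileged action must prompt again."""
        stamp = self._tickets.get((user, session_id))
        if stamp is None:
            return True  # never authenticated in this session
        if self.timeout_s is not None and self.clock() - stamp >= self.timeout_s:
            del self._tickets[(user, session_id)]  # expired ticket
            return True
        return False

    def logout(self, session_id):
        """Drop every ticket tied to the session that just ended."""
        for key in [k for k in self._tickets if k[1] == session_id]:
            del self._tickets[key]


def demo():
    """Constructed scenario: same user, two caches, a fake clock."""
    now = [0.0]
    clock = lambda: now[0]
    timed = AuthTicketCache(timeout_s=300, clock=clock)
    forever = AuthTicketCache(timeout_s=None, clock=clock)
    for cache in (timed, forever):
        cache.authenticate("alice", "tty1", password_ok=True)
    out = {"second_install": timed.needs_password("alice", "tty1"),
           "other_session": timed.needs_password("alice", "tty2")}
    now[0] = 3600.0  # one hour later, user still logged in
    out["timed_after_1h"] = timed.needs_password("alice", "tty1")
    out["forever_after_1h"] = forever.needs_password("alice", "tty1")
    forever.logout("tty1")
    out["forever_after_logout"] = forever.needs_password("alice", "tty1")
    return out
```

With no timeout, the only thing that ends the elevated window is logout, so an unattended desktop session stays able to install packages without a prompt.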
        
        
        
        
        

