Security Basics mailing list archives
Re: is it a security problem in Mandrake 9.1???
From: Christopher Nehren <apeiron () comcast net>
Date: Mon, 21 Apr 2003 13:10:45 -0400
On Mon, 2003-04-21 at 01:14, Navtej Singh wrote:
when u are logged on as a normal user.............click on a rpm file that is to be installed.it askes for root password......after installation click on any other rpm that is to be installed and it goes on smoothely without root password..............that is once root authenticates himself with the grpmi he remains authenticated for the whole session?? do u think it a security problem??? i suppose though not too serious it a security flaw and should be corrected....
I'm -assuming- that you're using Mandrake's default GUI (since you never mentioned anything concerning a GUI at all, besides things that you need a GUI to do), which is KDE. KDE uses a password caching system for their su utility (that thing which asks you for root password), kdesu. This stores the password for a preset period of time (10 or 20 minutes, IIRC), by default, unless you change it. When this password is stored, the authenticated user can do -anything- that root could do (remove files (e.g. libc.so, ld.so, your kernel), reboot the system, etc., etc. ...). GNOME has a similar mechanism (which, if that's what you're using, also apparently supports caching from what you've described). If you're really worried about security, you should completely disable this setting for all but one account, and disable the caching. Or you could do an even better job and use the command line, removing the GUI tool (which probably has holes anyway) and trusting the much older (i.e. mature, robust, secure) routines in su or sudo or the like. Think of the GUI authentication methods like a box set in temporary Windows mode -- the user can do anything they want, including removing files necessary for the operation of the system. It's not really a security hole in Mandrake, but Mandrake also doesn't make it any more secure by providing such a streamlined method for potential crackers to obtain full access to your system. Please do some reading about user authentication techniques -- and -please- get out of the habit of having the GUI do it all for you. Just last week (week before?) there was a security hole found in KDE (specifically KGhostview, if memory serves). When was the last hole found in su?
Attachment:
signature.asc
Description: This is a digitally signed message part
Current thread:
- is it a security problem in Mandrake 9.1??? Navtej Singh (Apr 21)
- Re: is it a security problem in Mandrake 9.1??? Eliran Gonen (Apr 21)
- Re: is it a security problem in Mandrake 9.1??? Christopher Nehren (Apr 21)
- Re: is it a security problem in Mandrake 9.1??? Ash (Apr 21)
- <Possible follow-ups>
- RE: is it a security problem in Mandrake 9.1??? Dan Fiorito (Apr 22)