Security Basics mailing list archives

Re: is it a security problem in Mandrake 9.1???

From: Christopher Nehren <apeiron () comcast net>
Date: Mon, 21 Apr 2003 13:10:45 -0400

On Mon, 2003-04-21 at 01:14, Navtej Singh wrote:

when u are logged on as a normal user.............click on a rpm
file that is to be installed.it askes for root
password......after installation click on any other rpm that is
to be installed and it goes on smoothely without root
password..............that is once root authenticates himself
with the grpmi he remains authenticated for the whole session??

do u think it a security problem??? i suppose though not too
serious it a security flaw and should be corrected....



I'm -assuming- that you're using Mandrake's default GUI (since you never
mentioned anything concerning a GUI at all, besides things that you need
a GUI to do), which is KDE. KDE uses a password caching system for their
su utility (that thing which asks you for root password), kdesu. This
stores the password for a preset period of time (10 or 20 minutes,
IIRC), by default, unless you change it. When this password is stored,
the authenticated user can do -anything- that root could do (remove
files (e.g. libc.so, ld.so, your kernel), reboot the system, etc., etc.
...). GNOME has a similar mechanism (which, if that's what you're using,
also apparently supports caching from what you've described). 

If you're really worried about security, you should completely disable
this setting for all but one account, and disable the caching. Or you
could do an even better job and use the command line, removing the GUI
tool (which probably has holes anyway) and trusting the much older (i.e.
mature, robust, secure) routines in su or sudo or the like. Think of the
GUI authentication methods like a box set in temporary Windows mode --
the user can do anything they want, including removing files necessary
for the operation of the system.

It's not really a security hole in Mandrake, but Mandrake also doesn't
make it any more secure by providing such a streamlined method for
potential crackers to obtain full access to your system. Please do some
reading about user authentication techniques -- and -please- get out of
the habit of having the GUI do it all for you. Just last week (week
before?) there was a security hole found in KDE (specifically
KGhostview, if memory serves). When was the last hole found in su?

Attachment: signature.asc
Description: This is a digitally signed message part

Current thread:

is it a security problem in Mandrake 9.1??? Navtej Singh (Apr 21)
- Re: is it a security problem in Mandrake 9.1??? Eliran Gonen (Apr 21)
- Re: is it a security problem in Mandrake 9.1??? Christopher Nehren (Apr 21)
- Re: is it a security problem in Mandrake 9.1??? Ash (Apr 21)
- <Possible follow-ups>
- RE: is it a security problem in Mandrake 9.1??? Dan Fiorito (Apr 22)