
Re: Bug#519915: wicd: Needs sudo to handle scripts

CCing -devel, as I'd need some advice on how to properly handle this, as it
might introduce some security issues.

On Mon, 16 Mar 2009 08:29:52 +0100, Julien Valroff wrote:

> Package: wicd
> Version: 1.5.9-4
> Severity: normal
> Hi David,

Hello Julien,

> I have just noticed sudo needs to be installed and configured to be able to
> run /usr/share/wicd/configscript.py

Well, well... I don't see any reference to sudo in that script:

import os   # imports and the exit call are added here so the excerpt runs on its own
import sys

if __name__ == '__main__':
    if os.getuid() != 0:
        print "Root privileges are required to configure scripts.  Exiting."
        sys.exit(1)

so, it "just" needs root privileges. Also:

$ grep sudo /usr/share/wicd/*

> wicd should (at least) suggest sudo, and how to set this up should be
> documented somewhere.

I'd rather not use sudo at all for such things.

> I would however prefer not to have to use sudo (maybe it would be possible to
> let members of the netdev group do this without sudo?)

Yes, making it "netdev-compliant" would be best. Yes, I believe it would
require some manual work patching newer upstream releases (I don't think it
would be integrated upstream, but who knows), but it's the best thing to do.

Adding a check to control whether the user is in netdev is easy, and it's easy
changing the permissions of /etc/wicd/*.conf (wicd-daemon.py handles those).
But, I'm seeing some security issues here.

First: those files are root:root 0600. That is done to prevent non-root people
from seeing the encryption keys used for the connections. Now, I was thinking of
making those root:netdev 0660... that obviously has a problem too: in multi-user
environments, people can see other users' keys, if they are in the same group.
Is this really an issue, btw?

Second: trying to solve point 1, I thought of making those root:netdev,
chmod'ed 0620 (i.e. rw--w----). Well, useless, since people could always write
anything in those files...

So, how to behave here? I'm clearly out of ideas (ACLs came to mind too, but
AFAIK they're not supported everywhere).
Should I let that script be run only by root? (in this case, I'll write some
documentation ASAP)
Or, is there any other approach I'm missing? (I'm probably lacking advanced
*nix permissions knowledge, I don't really have problems to admit that!...)

Any advice is really really welcome -- introducing security bugs is not a great

 . ''`.  Debian maintainer | http://wiki.debian.org/DavidPaleino
 : :'  : Linuxer #334216 --|-- http://www.hanskalabs.net/
 `. `'`  GPG: 1392B174 ----|---- http://snipr.com/qa_page
   `-   2BAB C625 4E66 E7B8 450A C3E1 E6AA 9017 1392 B174
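The three modes weighed in the message above (root:root 0600, root:netdev 0660 and root:netdev 0620) can be checked against the classic owner/group/other model rather than by hand. The following is an added example, not wicd code and not part of the original mail; the netdev gid 107 and the two user ids are constructed values, and the audit helper only inspects a temporary file it creates itself. It confirms the two points raised: 0660 lets every netdev member read other users' keys, and 0620 still lets every member overwrite the file, so neither is safer than keeping the files root-only.

```python
import os
import stat
import tempfile

# Constructed values for the example: a hypothetical netdev gid and two users.
NETDEV_GID = 107
NETDEV_MEMBER = (1000, {1000, NETDEV_GID})   # in netdev
OUTSIDER = (1001, {1001})                     # not in netdev


def can_access(mode, owner_uid, owner_gid, uid, gids, want_write):
    """Classic Unix DAC check for read or write on a regular file.

    Exactly one permission class applies: owner if uid matches, else group if
    the file's gid is among the subject's groups, else other.  Root bypasses
    read/write DAC (CAP_DAC_OVERRIDE), so only the unprivileged cases matter.
    """
    if uid == 0:
        return True
    if uid == owner_uid:
        bit = stat.S_IWUSR if want_write else stat.S_IRUSR
    elif owner_gid in gids:
        bit = stat.S_IWGRP if want_write else stat.S_IRGRP
    else:
        bit = stat.S_IWOTH if want_write else stat.S_IROTH
    return bool(mode & bit)


def exposure(mode, owner_uid=0, owner_gid=NETDEV_GID):
    """What a netdev member and an unrelated user can do to a root-owned file
    with the given mode.  For 0600 the result is the same whether the group is
    root or netdev, since no group bits are set."""
    result = {}
    for name, (uid, gids) in (("member", NETDEV_MEMBER), ("outsider", OUTSIDER)):
        result[name + "_read"] = can_access(mode, owner_uid, owner_gid, uid, gids, False)
        result[name + "_write"] = can_access(mode, owner_uid, owner_gid, uid, gids, True)
    return result


def weak_bits(path):
    """Audit a file on disk: list every group/other read or write bit, i.e.
    anything that would expose or let others alter a key-bearing config.
    Returns [] for a 0600 file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    problems = []
    for bit, label in ((stat.S_IRGRP, "group-readable"),
                       (stat.S_IWGRP, "group-writable"),
                       (stat.S_IROTH, "world-readable"),
                       (stat.S_IWOTH, "world-writable")):
        if mode & bit:
            problems.append(label)
    return problems


def audit_tempfile(mode):
    """Create a throwaway file with the given mode, audit it, and remove it."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, mode)
        return weak_bits(path)
    finally:
        os.unlink(path)


def demo():
    for mode in (0o600, 0o660, 0o620):
        print("%04o %s" % (mode, exposure(mode)))
    print("audit of a 0620 file:", audit_tempfile(0o620))


if __name__ == "__main__":
    demo()
```

Running it prints, for 0620, member_read False but member_write True: the write-only trick hides the keys from the group yet still lets any member replace the whole file, which is exactly the objection in the message. weak_bits() is the kind of check a packaging test or a postinst could run over /etc/wicd/*.conf to catch a permission regression.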
