Dear Marc, Le 26/05/2022 à 16:09, Marc Haber a écrit :
On Wed, May 25, 2022 at 01:58:58PM +0100, Rik Mills wrote:The issue can be worked around by adding /etc/sudoers.d/kdesu with the contents Defaults!/usr/lib/*/libexec/kf5/kdesu_stub !use_ptykdesu is cordially invited to ship that file in the package, fixing the issue for everybody. Please add a comment with the reference to this bug report and remove the file once kdesu was fixed upstream.
kdesu is now cordially shipping the file in the package. :-) Would you mind to comment why this is OK from a security perspective ?I’m no security expert at all but if I read the CVE description correctly, the issue is with the su'ed command being able to escape the su user session. Is it OK in this case because kdesu is used to gain root from non-root and so escaping the su session only gives you back the original non-root user rights ?
Thanks, -- Aurélien