
Re: setuid binary in ktsuss



On Sat, 09 Feb 2008 14:13:30 -0800 Russ Allbery <rra@debian.org> wrote:

> Yves-Alexis Perez <corsac@debian.org> writes:
> 
> > I'm about to upload ktsuss to debian, which is a graphical wrapper
> > around su (much like gksu but without any gnome dependency). One
> > point puzzles me, the ktsuss binary is setuid root (so it can read
> > the root password). gksu doesn't do this (it calls su, I guess).
> 
> I would expect it to use PAM, which uses the setuid unix_chkpwd
                                                      ^^^^^^^^^^^
As long as you're using pam_unix.  It appears that if you use
pam_unix2, you still need to be suid, since pam_unix2 doesn't have its
own suid wrapper [1].  (I don't know what it's like with pam_pwdfile,
etc.)

Now, whether pam_unix2 should use a wrapper or not is the subject of a
different flamewar...

[1] http://bugs.debian.org/295526
    http://bugs.debian.org/362954

> binary. If it's not using PAM, that's probably a bug.
> 


-- 
Hubert Chathi <uhoreg@debian.org> -- Jabber: hubert@uhoreg.ca
PGP/GnuPG key: 1024D/124B61FA         http://www.uhoreg.ca/
Fingerprint: 96C5 012F 5F74 A5F7 1FF7  5291 AF29 C719 124B 61FA

