
Re: Security hole in LXDE?



On Mon, 27 Feb 2017 10:19:47 +0100
Hans <hans.ullrich@loop.de> wrote:

> Hi folks,
> 
> on my system (debian-amd64/testing) I can start Synaptic as a normal
> user, just by using the user password. In KDE this is not possible,
> there I need the root password.
> 
> I do not have sudo in use.
> 
> As I do not know if this is a problem on my system (I have no second
> one to confirm this), maybe someone else could please check this.
> 
> If I am correct, this is a security hole. If I am wrong, I have to
> recheck my system.
> 
>

Check how synaptic is being started by the menu entry. Typically,
synaptic will be started by /usr/bin/synaptic-pkexec, which uses
policykit to authorise an effective su for a normal user. The executable
synaptic is in /usr/sbin, so will probably not work from a menu.

I've changed the launcher to gksudo synaptic, which gives me explicit
fine control with sudoers.

I suspect what you're seeing is as intended.

-- 
Joe
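
Added example, not part of the original message: one way to carry out the check suggested above, reading the Exec= line of a menu entry and naming the privilege mechanism it invokes. The function names and the sample .desktop contents are constructed for illustration.

```shell
#!/bin/sh
# Print the Exec= command from the [Desktop Entry] group of a .desktop file,
# ignoring Exec= keys in other groups such as [Desktop Action ...].
desktop_exec() {
    awk '
        /^\[/ { in_entry = ($0 == "[Desktop Entry]"); next }
        in_entry && /^Exec[ \t]*=/ {
            sub(/^Exec[ \t]*=[ \t]*/, "")
            print
            exit
        }
    ' "$1"
}

# Name the privilege mechanism implied by the first word of the Exec command.
classify_launcher() {
    cmd=$(desktop_exec "$1")
    prog=${cmd%% *}        # first word of the command line
    prog=${prog##*/}       # drop any leading directory
    case "$prog" in
        "")               echo "no-exec" ;;
        pkexec|*-pkexec)  echo "polkit" ;;   # e.g. synaptic-pkexec
        gksudo|sudo)      echo "sudo" ;;     # governed by sudoers
        su|su-to-root)    echo "su" ;;       # asks for the root password
        *)                echo "direct" ;;   # no wrapper in the menu entry
    esac
}

# Write constructed sample launchers into directory $1.
make_samples() {
    printf '%s\n' '[Desktop Entry]' 'Name=Synaptic' 'Type=Application' \
        'Exec=synaptic-pkexec' > "$1/pkexec.desktop"
    printf '%s\n' '[Desktop Entry]' 'Name=Synaptic' 'Type=Application' \
        'Exec=gksudo synaptic' > "$1/gksudo.desktop"
    printf '%s\n' '[Desktop Action demo]' 'Exec=pkexec /bin/true' \
        '[Desktop Entry]' 'Name=Synaptic' 'Exec=/usr/sbin/synaptic' \
        > "$1/direct.desktop"
}

# Demonstration over the constructed samples.
dir=$(mktemp -d)
make_samples "$dir"
for f in "$dir"/*.desktop; do
    printf '%s: %s (%s)\n' "${f##*/}" "$(classify_launcher "$f")" "$(desktop_exec "$f")"
done
rm -rf "$dir"
```

On a real system, point `classify_launcher` at the installed menu entry, typically a file under /usr/share/applications.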

