Bug#646804: Privilege escalation in cheermeup script

To: Ole Wolf <wolf@blazingangles.com>
Cc: 646804@bugs.debian.org
Subject: Bug#646804: Privilege escalation in cheermeup script
From: "Philipp A. Hartmann" <ph@sorgh.de>
Date: Thu, 27 Oct 2011 21:11:14 +0200
Message-id: <[🔎] 4EA9ACD2.9060107@sorgh.de>
Reply-to: "Philipp A. Hartmann" <ph@sorgh.de>, 646804@bugs.debian.org

Hey,

the cronjob script in the cheermeup package contains a serious privilege
escalation bug by sourcing the "user configuration settings" as root user:

# ...
    localconfig="$homedir/.config/cheermeup/config"
    if [ -f "$localconfig" ]; then
        . $localconfig
    else
# ...

A local user can therefore execute arbitrary commands as root by simply
putting them to ~/.config/cheermeup/config and wait for the next run.

The package should drop privileges way earlier, e.g. by using ConsoleKit
to determine the currently open user sessions and running a separate
script as the logged-in user(s) to create the cheers.

Secondly, the cronjob sometimes writes stuff to stdout/err and may exit
with a non-zero exit code, e.g. if no (GNOME/Unity) user is currently
logged in, which leads to rather annoying mails to root.

I really like the idea, but this package may need some work (beyond
polygen support requested by Enrico) before being suitable for distribution.

Greetings from Oldenburg,
  Philipp

Reply to:

Follow-Ups:
- Bug#646804: Privilege escalation in cheermeup script
  - From: Ole Wolf <ole@naturloven.dk>

Prev by Date: Bug#646804: ITP: cheermeup -- Send affirmative messages to the user via the notification library
Next by Date: Bug#646853: ITP: micromanager -- Microscopy Software
Previous by thread: Processed: affiliatefox-fsfe
Next by thread: Bug#646804: Privilege escalation in cheermeup script
Index(es):
- Date
- Thread