|
Hi Philipp,
Ouch, I should have throught of that possible exploit. I agree, it's not suitable for release as is; in fact, I'll remove the download from the homepage.
What is "polygen"?
Thanks,
--Ole
Quoting "Philipp A. Hartmann" <ph@sorgh.de>:
Hey,
the cronjob script in the cheermeup package contains a serious privilege
escalation bug by sourcing the "user configuration settings" as root user:
# ...
localconfig="$homedir/.config/cheermeup/config"
if [ -f "$localconfig" ]; then
. $localconfig
else
# ...
A local user can therefore execute arbitrary commands as root by simply
putting them to ~/.config/cheermeup/config and wait for the next run.
The package should drop privileges way earlier, e.g. by using ConsoleKit
to determine the currently open user sessions and running a separate
script as the logged-in user(s) to create the cheers.
Secondly, the cronjob sometimes writes stuff to stdout/err and may exit
with a non-zero exit code, e.g. if no (GNOME/Unity) user is currently
logged in, which leads to rather annoying mails to root.
I really like the idea, but this package may need some work (beyond
polygen support requested by Enrico) before being suitable for distribution.
Greetings from Oldenburg, Philipp
--
Ole Wolf
Rødhættevej 4 * 9400 Nørresundby
Telefon: 9632-0108 * Mobil: 2467-5526 * Skype: ole.wolf * SIP: ole.wolf@ekiga.net
|