Re: is it a security problem in Mandrake 9.1???

From: Christopher Nehren (apeiron@comcast.net)
Date: 04/21/03

    Date: Mon, 21 Apr 2003 13:10:45 -0400
    From: Christopher Nehren <apeiron@comcast.net>
    To: Navtej Singh <nsbuttar@gawab.com>
    
    
    

    On Mon, 2003-04-21 at 01:14, Navtej Singh wrote:
    > when u are logged on as a normal user.............click on a rpm
    > file that is to be installed. it asks for root
    > password......after installation click on any other rpm that is
    > to be installed and it goes on smoothly without root
    > password..............that is once root authenticates himself
    > with the grpmi he remains authenticated for the whole session??
    >
    > do u think it is a security problem??? i suppose though not too
    > serious it is a security flaw and should be corrected....

    I'm -assuming- that you're using Mandrake's default GUI (since you never
    mentioned anything concerning a GUI at all, besides things that you need
    a GUI to do), which is KDE. KDE uses a password caching system for their
    su utility (that thing which asks you for root password), kdesu. This
    stores the password for a preset period of time (10 or 20 minutes,
    IIRC), by default, unless you change it. When this password is stored,
    the authenticated user can do -anything- that root could do (remove
    files (e.g. libc.so, ld.so, your kernel), reboot the system, etc., etc.
    ...). GNOME has a similar mechanism (which, if that's what you're using,
    also apparently supports caching from what you've described).

    If you're really worried about security, you should completely disable
    this setting for all but one account, and disable the caching. Or you
    could do an even better job and use the command line, removing the GUI
    tool (which probably has holes anyway) and trusting the much older (i.e.
    mature, robust, secure) routines in su or sudo or the like. Think of the
    GUI authentication methods like a box set in temporary Windows mode --
    the user can do anything they want, including removing files necessary
    for the operation of the system.

    It's not really a security hole in Mandrake, but Mandrake also doesn't
    make it any more secure by providing such a streamlined method for
    potential crackers to obtain full access to your system. Please do some
    reading about user authentication techniques -- and -please- get out of
    the habit of having the GUI do it all for you. Just last week (week
    before?) there was a security hole found in KDE (specifically
    KGhostview, if memory serves). When was the last hole found in su?

    
    


