From: Matt Piechota
Date: Sat, 15 Dec 2001 13:37:01 -0500 (EST)
To: freebsd-security@freebsd.org
Subject: Re: kdm grants ordinary users root access on 4.4-R
In-Reply-To: <3C1B1B10.7000406@skynet.be>
Message-ID: <20011215132828.P59641-100000@cithaeron.argolis.org>

On Sat, 15 Dec 2001, Raf Schietekat wrote:

> No takers? Seems pretty damn serious, though: through kdm, the ordinary
> user logs in, gets his home directory all right (hence the result of
> "cd" and the restored KDE session), but also gets root privileges. I'll
> have to refresh my Unix savvy to see how this relates to set(e)uid() and
> stuff, and this evening I may look into the source myself, but I'd
> rather some of you would help me out here, because I've also found a
> load of stuff GNU C++ won't do for me while porting a software package
> from MS VC++ 5.0 (itself several years old!), and I'd rather dedicate my
> time to that problem.

Strange. My kde2 (or are we talking kde1?) doesn't show this behavior. I have used kcontrol the last day or two, and I have no root-owned files in my home. Although that would shock me, since my home is NFS-mounted without root privs.

While kcontrol *does* claim that the user is root, I don't seem to have any rootly power to change things, such as the kdm properties. I'm thinking kde2 is having problems with the FreeBSD passwd, although I don't know why. I also haven't figured out why kde won't accept my password to unlock the screen saver, or the root password so I *can* modify the kdm settings as myself. I've been meaning to peek at the code to see why those two bits don't work.

As for the lack of response, I suppose that if I were very security conscious, I wouldn't be running kde (or probably X) in the first place. There probably aren't too many people on the list that are running kde. :)

-- 
Matt Piechota

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
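Added example, not part of the original thread or of kdm's own code: the thread turns on whether a session started by a root-running display manager has really been switched to the user's uid, or merely looks that way. The program below shows the privilege drop such a daemon is expected to perform (clear supplementary groups, set the gid before the uid, then confirm the change took), and a check a suspicious user can run inside the resulting session to tell a cosmetic "you are root" from an actual saved or effective uid 0. The function names, and the choice of uid/gid 65534 as the drop target when the program is started as root, are assumptions for this example; nothing here is read from the system's passwd.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Conventional "nobody" ids, used only when we start as root.
 * An assumption for this example; a real daemon would look the
 * logging-in user up with getpwnam() and use initgroups(). */
#define UNPRIV_UID 65534
#define UNPRIV_GID 65534

/* Permanently drop from root to uid/gid. Order matters: the group list
 * and gid must be changed while still root, because once the uid is
 * gone a process may no longer touch its groups. Every step is verified
 * rather than trusted. Returns 0 on success, -1 on any failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0)
        return -1;                      /* "dropping" to root is a bug */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;                      /* only root may clear the group list */
    if (setgid(gid) != 0 || getgid() != gid || getegid() != gid)
        return -1;
    if (setuid(uid) != 0 || getuid() != uid || geteuid() != uid)
        return -1;                      /* setuid as root also sets the saved uid */
    return 0;
}

/* The check a user can run in the session: real and effective uid must
 * agree and be non-zero, and both seteuid(0) and setuid(0) must fail.
 * The two probes matter because a daemon that only called seteuid()
 * leaves a saved uid of 0 that any later seteuid(0) can reclaim, even
 * though getuid() and id(1) report an ordinary user.
 * Returns 1 if the process is genuinely unprivileged, 0 otherwise. */
int verify_unprivileged(void)
{
    if (getuid() == 0 || geteuid() == 0 || getuid() != geteuid())
        return 0;
    if (seteuid(0) == 0)
        return 0;                       /* saved uid 0 was still available */
    if (setuid(0) == 0)
        return 0;
    return 1;
}

/* Driver: started as root, drop to UNPRIV_UID/GID; started as an ordinary
 * user, re-apply the caller's own ids (a no-op) and just run the check.
 * Returns 1 when the process ends up verifiably unprivileged. */
int demo_drop_and_verify(void)
{
    int was_root = geteuid() == 0;
    uid_t uid = was_root ? (uid_t)UNPRIV_UID : getuid();
    gid_t gid = was_root ? (gid_t)UNPRIV_GID : getgid();

    if (drop_privileges(uid, gid) != 0)
        return 0;
    return verify_unprivileged();
}

int main(void)
{
    printf("before: uid=%d euid=%d\n", (int)getuid(), (int)geteuid());
    int ok = demo_drop_and_verify();
    printf("after:  uid=%d euid=%d unprivileged=%s\n",
           (int)getuid(), (int)geteuid(), ok ? "yes" : "NO");
    return ok ? 0 : 1;
}
```

Run it once as an ordinary user and once as root: both should end with "unprivileged=yes". If a session started by a display manager reports "unprivileged=NO" while id(1) shows your own name, the manager left a root saved uid behind, which is the set(e)uid() distinction the thread is asking about; if it reports "yes" while a KDE dialog still calls you root, the problem is in how the application reads the passwd database, not in the kernel credentials.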