Date: Sat, 15 Dec 2001 13:37:01 -0500 (EST)
From: Matt Piechota <piechota@argolis.org>
To: <Raf_Schietekat@ieee.org>
Cc: <FreeBSD-security@FreeBSD.ORG>
Subject: Re: kdm grants ordinary users root access on 4.4-R
Message-ID: <20011215132828.P59641-100000@cithaeron.argolis.org>
In-Reply-To: <3C1B1B10.7000406@skynet.be>

On Sat, 15 Dec 2001, Raf Schietekat wrote:

> No takers? Seems pretty damn serious, though: through kdm, the ordinary
> user logs in, gets his home directory all right (hence the result of
> "cd" and the restored KDE session), but also gets root privileges. I'll
> have to refresh my Unix savvy to see how this relates to set(e)uid() and
> stuff, and this evening I may look into the source myself, but I'd
> rather some of you would help me out here, because I've also found a
> load of stuff GNU C++ won't do for me while porting a software package
> from MS VC++ 5.0 (itself several years old!), and I'd rather dedicate my
> time to that problem.

Strange. My kde2 (or are we talking kde1?) doesn't show this behavior. I
have used kcontrol the last day or two, and I have no root owned files in
my home. Although that would shock me since my home is nfs mounted without
root privs.

While kcontrol *does* claim that the user is root, I don't seem to have
any rootly power to change things, such as the kdm properties. I'm thinking
kde2 is having problems with the freebsd passwd, although I don't know why.
I also haven't figured out why kde won't accept my password to unlock the
screen saver, or the root password so I *can* modify the kdm settings as
myself. I've been meaning to peek at the code to see why those two bits
don't work.

As for the lack of response, I suppose that if I were very security
conscious, I wouldn't be running kde (or probably X) in the first place.
There probably aren't too many people on the list that are running kde. :)

-- 
Matt Piechota

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message