Version: (using KDE Devel)
Installed from: Compiled sources
Compiler: gcc (GCC) 3.3.4 (pre 3.3.5 20040809)
OS: Linux

I run Suse 9.2, and I have a user account where I run KDE CVS HEAD. Everything works fine, but... I was trying the new system:// kioslave, then went to Settings, then Yast Modules, and I noticed that I have root access! It should ask for the root password, but it didn't, so any user can make system modifications through Yast without having the root password at all! I think this is a serious security flaw.

Greetings,
Mauricio Bahamonde.
As this bug is potentially a security problem, raise the severity to "critical" until somebody can find out if the problem is KDE or Yast. (I am informing the security mailing list.) Have a nice day!
I can't confirm this. I can't create a new user or install software this way. So the modules seem to run with user permissions. Start the kdm configuration through the system kioslave and you'll be asked for a password. Additionally, launching the YaST modules from the control center is also possible as a normal user, but they behave the same way, i.e. only with user permissions.
Stefan Nikolaus: I know of 6 SuSE 9.2 users with the same problem. You have a "System" icon in your KDE 3.4 CVS HEAD desktop, right? OK, then click on it and go to Yast modules. You will be able to do whatever you want as a normal user, even cook your CPU for dinner!!

Regards,
Jorge
I can't, but my system is (based on) SuSE 9.0. Sorry. Are you able to do the same nifty things, if you launch the modules from the control center?
I'm not using SuSE. If I go to

1. system://
2. click settings -> settings://
3. choose "System"
4. choose "Login manager"
5. I am asked to enter the root password

if

3. choose "Internet and Network"
4. choose "Samba configuration"
5. I am not asked anything, but all the controls are grayed, except for the "Default" = I don't actually know what "Default" means in this config window to check the actual changes - the strange thing is that clicking Default makes the "Apply" button enabled - I haven't tested if something actually changes.

It is a bit weird that it doesn't behave consistently (the 1st case I assume to be the correct behaviour), but apparently it doesn't show any security flaws here. Running KDE 3.3.2 (Binary Packages, GCC 3.4.3). Are you sure this isn't a design bug in the YaST module? I've only tested Samba Config and Login Manager, which are the only two I know requiring root access.
Minor Update: ... except for the "Default".. = everything is grayed (disabled) except for the buttons at the bottom of the Window: Help, Default, OK & Cancel. Apply is disabled. If I click "Default" button, Apply becomes enabled also.
Yeah, AFAIK non-SuSE users don't have this problem. Two possibilities: the new system kioslave has unveiled a Yast security bug, or Yast is showing a hidden bug in the system kioslave. People at Novell/SuSE might help. Anyone want to mail them? I am too lazy for that.

Stefan: yeah, the same if I launch the modules from the control center.

Cheers,
Jorge
It might look as if you have root access, but there is nothing that provides an automatic privilege escalation. Can you write/change any configuration setting? Or is just the GUI active as if in root mode?

Ciao, Marcus (SUSE Security)
There is nothing running as root. Check with ps.
Stephan: You are right. The process is running as the user, and not as root. So, we might assume this is a Yast2-specific bug relating to kioslaves? Greetings.
The 9.2 shipping version has a prefix dialog that makes that clean; this problem appears only to exist with updated KDE packages.
There is no such bug.
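The `ps` check suggested in the thread, written out as an added example (not code from the report or from KDE/YaST): it flags matching processes that hold UID 0 or whose real and effective UIDs differ. The process names, PIDs and the `^y2` pattern are assumptions, and the sample `ps` output is constructed.

```shell
#!/bin/sh
# Added example. Input format is that of: ps -eo pid=,ruid=,euid=,comm=
# (columns: PID, real UID, effective UID, command name).

# Constructed sample output; names and PIDs are illustrative only.
sample_ps() {
cat <<'EOF'
 4211  1000  1000 kdeinit
 4388  1000  1000 y2base
 4390  1000  1000 y2controlcenter
 5120  1000     0 y2base
 5200     0     0 y2base
  812     0     0 sshd
EOF
}

# Print processes whose name matches regex $1 and that either run with
# UID 0 or have differing real/effective UIDs (a setuid-style escalation).
privileged_matches() {
    awk -v pat="$1" '
        $4 ~ pat && ($2 == 0 || $3 == 0 || $2 != $3) {
            printf "%s ruid=%s euid=%s %s\n", $1, $2, $3, $4
        }'
}

# Return 0 if no matching process is privileged, 1 (and list them) otherwise.
check_unprivileged() {
    found=$(privileged_matches "$1")
    if [ -z "$found" ]; then
        return 0
    fi
    printf '%s\n' "$found"
    return 1
}

# Run over the constructed sample. On a live system, pipe real output instead:
#   ps -eo pid=,ruid=,euid=,comm= | check_unprivileged '^y2'
sample_ps | privileged_matches '^y2'
```

A GUI that merely looks enabled, as described in the thread, produces no output here; only a module process actually holding root does.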