Summary: | kdesu stopped working in KUbuntu due to sudo's use_pty option | ||
---|---|---|---|
Product: | [Frameworks and Libraries] frameworks-kdesu | Reporter: | gzabdoirv |
Component: | general | Assignee: | Fabian Vogt <fabian> |
Status: | RESOLVED FIXED | ||
Severity: | critical | CC: | a.samirh78, andrius, boaz.dodin, draugr, eeickmeyer, fabian, fratellitech, golgeadada, katyaberezyaka, kubry, nate, p.r.worrall, pallaswept, rikmills, rrsriram, solwilliams, tdhj744ra03u, woshilinmanfu+kde, xmichael, xqqy189, xxasdqwe |
Priority: | VHI | ||
Version: | 5.92.0 | ||
Target Milestone: | --- | ||
Platform: | Ubuntu | ||
OS: | Linux | ||
See Also: | https://bugs.kde.org/show_bug.cgi?id=396767 | ||
Latest Commit: | https://invent.kde.org/frameworks/kdesu/-/commit/70ce587226206cd43122e51ec1220a503e267436 | Version Fixed In: | 5.109 |
Description
gzabdoirv
2022-04-12 03:15:15 UTC
Note that if you are trying to run kdesu partitionmanager it will likely not work as partition manager now runs as unprivileged user and starts a small helper daemon that runs as root and authorization is handled via polkit. So in this case running "partitionmanager" should be sufficient. Multiple password requests in partitionmanager was a bug which is fixed in 22.04.0.

We have been noticing this behavior on Ubuntu for a few months, but the blame was being passed to pkexec, not realizing that when, for instance, discover launches software-properties-qt that it uses kdesu to do so. We have an open downstream bug report at https://launchpad.net/bugs/1965439

The daemon is kdesud, which is typically installed in /usr/libexec.

(In reply to Ahmad Samir from comment #3)
> The daemon is kdesud, which is typically installed in /usr/libexec.

That's true on Arch systems, but not Debian/Ubuntu.

It's just one way, not the only way. The keyword is "libexec" dir, I know distros have different configurations for the FHS stuff.

Confirmed on KDE Neon preliminary 22.04 Jammy builds. Possibly some change in latest pam/sudo found in 22.04 has triggered the issue?

To clarify things, does kdesud have the setgid bit set?

(In reply to Ahmad Samir from comment #7)
> To clarify things, does kdesud have the setgid bit set?

No, but this has not been set or required in _any_ previous release for kdesu to work just fine. Furthermore, setting that on a 22.04 system does not in any way change the behaviour or result. kdesu is still borked.

kdesu can work without the kdesud daemon, but for it to use the kdesud daemon it must be setgid, that has been the case for a long time...

That is clearly not relevant to the case here, as it worked before without, and NOW does not work with OR without

Seems to be due (or triggered) by this change in sudo config by debian: https://salsa.debian.org/sudo-team/sudo/-/commit/59db341d46aa4c26b54c1270e69f2562e7f3d751

Now the question is, is this something that KDE wants to fix in kdesu? Or will distros who ship a sudoers config with 'Defaults use_pty' have to exclude that from applying to kdesu?

My 2c is this is something that KDE *should* fix in kdesu because it means that kdesu has been taking advantage of an exploit in sudo for years, perhaps decades. Basically, it's the same mechanism that the CVE exploits, and that's not a good thing. To use a security hole for functionality sake, even if unknown at the time, is generally bad practice.

*** Bug 454019 has been marked as a duplicate of this bug. ***

*** Bug 453004 has been marked as a duplicate of this bug. ***

*** Bug 452346 has been marked as a duplicate of this bug. ***

The Debian maintainer suggested altering the kdesu package to make kdesu use the workaround: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011624#10

I do not know how bad a security hole that would be.

(In reply to Matthew Forrester from comment #17)
> The Debian maintainer suggested altering the kdesu package to make kdesu use
> the workaround: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011624#10
>
> I do not know how bad a security hole that would be.

https://salsa.debian.org/sudo-team/sudo/-/commit/59db341d46aa4c26b54c1270e69f2562e7f3d751

sudo (1.9.5p2-3) unstable; urgency=medium

We have added "Defaults use_pty" to the default configuration. This fixes CVE-2005-4890 which has been lingering around for more then a decade. If you would like the old behavior back, please remove the respective line from /etc/sudoers.

Let me preface this with stating that I am not an expert on security; however I would say that kdesu should not ship a /etc/sudoers.d/kdesu file with "Defaults!/usr/lib/*/libexec/kf5/kdesu_stub !use_pty" (mentioned in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011624#10) to circumvent a sudo setting/option. That sounds like a local hack, you could do it on your own system if you think it doesn't matter, but we can't force it on everyone else's systems. (And if it doesn't matter or not important, why was that setting enabled by default in sudoers in Debian?).

I was able to fix or work around this issue with one command using `xhost` plus either `+` or more specific argument (see last link below). I don't know the consequences of this fix or how it works, but it does. The problem started happening with a recent do-release-upgrade from 20.04 to 22.04. A VM made from a fresh install of 22.04 does not have this problem and the recent kdesu updates for Kate and Dolphin work fine to use root.

https://askubuntu.com/questions/1044354/kdesu-not-working
https://bugs.kde.org/show_bug.cgi?id=452532 "kdesu stopped working in KUbuntu due to sudo's use_pty option"
https://unix.stackexchange.com/questions/557823/centos8-run-gtk-program-under-sudo-privileges-cannot-open-display-0

This is also breaking kdesu and thus YaST, on OpenSuSE. I discovered this when trying to run Yast software management, I'd get a bouncing icon and then nothing. Running the program from the CLI returns the following:

    > /usr/lib/YaST2/bin/sw_single_wrapper
    Don't need password!!
    kf.su: [ /home/abuild/rpmbuild/BUILD/kdesu-5.108.0/src/stubprocess.cpp : 215 ] Unknown request: "ok"

I have run

    kwriteconfig5 --file kdesurc --group super-user-command --key super-user-command sudo

so that kdesu will use sudo rather than su, so that sudoers will be respected by KDE.

KDE frameworks got an update around the same time as this change rolled out, so the natural thought was that kdesu was broken, but it turns out to be this option. Running

    echo 'Defaults !use_pty' | sudo tee -a /etc/sudoers

and then repeating the above instantly fixes it:

    > /usr/lib/YaST2/bin/sw_single_wrapper
    Don't need password!!

and the GUI appears and works as intended.

This option has been enabled for security reasons and accordingly kdesu needs to be updated to handle the new default behaviour securely, rather than a workaround that amounts to disabling the security measure.

BTW, I've cross-referenced these issues to the original issue at sudo's github: https://github.com/sudo-project/sudo/issues/258 Thought someone ought to leave that link here somewhere :)

I also just noticed this was reported a year and two months ago. This being a security hole in KDE, perhaps it ought to be bumped up the priority list a little?

Please give https://invent.kde.org/frameworks/kdesu/-/merge_requests/30 a try.

(In reply to Fabian Vogt from comment #22)
> Please give https://invent.kde.org/frameworks/kdesu/-/merge_requests/30 a
> try.

Thanks for the patch, Fabian!

Is there a CI artifact of the binary, or build instructions, so we can try it? The only artifact I saw was a test result.

(In reply to pallaswept from comment #23)
> (In reply to Fabian Vogt from comment #22)
> > Please give https://invent.kde.org/frameworks/kdesu/-/merge_requests/30 a
> > try.
>
> Thanks for the patch, Fabian!
>
> Is there a CI artifact of the binary, or build instructions, so we can try
> it? The only artifact I saw was a test result.

Not there, but if you're using openSUSE Tumbleweed you can try the package from https://build.opensuse.org/package/show/home:Vogtinator:kde452532/kdesu

(In reply to Fabian Vogt from comment #24)
> (In reply to pallaswept from comment #23)
> > (In reply to Fabian Vogt from comment #22)
> > > Please give https://invent.kde.org/frameworks/kdesu/-/merge_requests/30 a
> > > try.
> >
> > Thanks for the patch, Fabian!
> >
> > Is there a CI artifact of the binary, or build instructions, so we can try
> > it? The only artifact I saw was a test result.
>
> Not there, but if you're using openSUSE Tumbleweed you can try the package
> from https://build.opensuse.org/package/show/home:Vogtinator:kde452532/kdesu

I am in fact, but I'm afraid that your repo is only publishing the src package, so I can't actually install from there.

(In reply to pallaswept from comment #25)
> (In reply to Fabian Vogt from comment #24)
> > (In reply to pallaswept from comment #23)
> > > (In reply to Fabian Vogt from comment #22)
> > > > Please give https://invent.kde.org/frameworks/kdesu/-/merge_requests/30 a
> > > > try.
> > >
> > > Thanks for the patch, Fabian!
> > >
> > > Is there a CI artifact of the binary, or build instructions, so we can try
> > > it? The only artifact I saw was a test result.
> >
> > Not there, but if you're using openSUSE Tumbleweed you can try the package
> > from https://build.opensuse.org/package/show/home:Vogtinator:kde452532/kdesu
>
> I am in fact, but I'm afraid that your repo is only publishing the src
> package, so I can't actually install from there.

The binary package is called libKF5Su5, which apparently confuses the Web UI.
You can download it manually: https://download.opensuse.org/repositories/home:/Vogtinator:/kde452532/openSUSE_Factory/x86_64/

(In reply to Fabian Vogt from comment #26)
> (In reply to pallaswept from comment #25)
> > (In reply to Fabian Vogt from comment #24)
> > > (In reply to pallaswept from comment #23)
> > > > (In reply to Fabian Vogt from comment #22)
> > > > > Please give https://invent.kde.org/frameworks/kdesu/-/merge_requests/30 a
> > > > > try.
> > > >
> > > > Thanks for the patch, Fabian!
> > > >
> > > > Is there a CI artifact of the binary, or build instructions, so we can try
> > > > it? The only artifact I saw was a test result.
> > >
> > > Not there, but if you're using openSUSE Tumbleweed you can try the package
> > > from https://build.opensuse.org/package/show/home:Vogtinator:kde452532/kdesu
> >
> > I am in fact, but I'm afraid that your repo is only publishing the src
> > package, so I can't actually install from there.
>
> The binary package is called libKF5Su5, which apparently confuses the Web
> UI. You can download it manually:
> https://download.opensuse.org/repositories/home:/Vogtinator:/kde452532/
> openSUSE_Factory/x86_64/

I couldn't figure out from the spec file why it was only showing the src package, as you say I guess the web UI was confused... Thanks for the workaround.

Confirmed your patch works, thank you sir!

Git commit 732dd812d67c7fa62bd187c1171950ca85259b0b by Fabian Vogt.
Committed on 04/08/2023 at 15:04.
Pushed by fvogt into branch 'master'.

SuProcess: Disable echo in the PTY before starting sudo

Recent versions of sudo have use_pty enabled by default, which means that sudo creates a PTY for starting the user process inside after successful authentication. This PTY inherits the configuration of sudo's TTY, but later changes are not transferred.

Make sure that echo is already disabled when sudo is started, as disabling it later has no effect on the nested PTY.

M +4 -0 src/suprocess.cpp

https://invent.kde.org/frameworks/kdesu/-/commit/732dd812d67c7fa62bd187c1171950ca85259b0b

Git commit 70ce587226206cd43122e51ec1220a503e267436 by Fabian Vogt.
Committed on 04/08/2023 at 15:07.
Pushed by fvogt into branch 'kf5'.

SuProcess: Disable echo in the PTY before starting sudo

Recent versions of sudo have use_pty enabled by default, which means that sudo creates a PTY for starting the user process inside after successful authentication. This PTY inherits the configuration of sudo's TTY, but later changes are not transferred.

Make sure that echo is already disabled when sudo is started, as disabling it later has no effect on the nested PTY.

(cherry picked from commit 732dd812d67c7fa62bd187c1171950ca85259b0b)

M +4 -0 src/suprocess.cpp

https://invent.kde.org/frameworks/kdesu/-/commit/70ce587226206cd43122e51ec1220a503e267436

Just post mortem note: this issue in kdesu was originally reported in 2018 (with a hint someday use_pty becomes the default): https://bugs.kde.org/show_bug.cgi?id=396767 for which only action taken was autoclose after 5 years of inactivity :) I laughed a bit seeing it here with critical importance. Nevertheless I'm glad it's finally fixed.

Today kdesu 5.109 rolled out of OpenSuSE Tumbleweed's official repos, 109 is the one with the patches, and I can confirm it works, so we can go back to vanilla repos. Thanks again voginator!!
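
The ordering problem named in the commit message above, as an added example that is not part of this thread and is not kdesu or sudo code: a second PTY seeded once with a copy of the outer PTY's termios keeps ECHO on if the outer PTY's echo is cleared only afterwards. The function names are hypothetical, and the nested PTY that sudo creates under use_pty is modelled here by `openpty()` with a copied `termios` (Linux/glibc assumed).

```c
/* Added illustration, not kdesu or sudo code. Linux/glibc: openpty() is in
 * <pty.h>; glibc older than 2.34 needs -lutil at link time. */
#include <pty.h>
#include <stdio.h>
#include <termios.h>
#include <unistd.h>

/* Set (on=1) or clear (on=0) ECHO on a terminal fd; returns 0 on success. */
static int set_echo(int fd, int on) {
    struct termios t;
    if (tcgetattr(fd, &t) != 0) return -1;
    if (on) t.c_lflag |= ECHO; else t.c_lflag &= ~ECHO;
    return tcsetattr(fd, TCSANOW, &t);
}

/* Returns 1 if ECHO is on, 0 if off, -1 on error. */
static int get_echo(int fd) {
    struct termios t;
    if (tcgetattr(fd, &t) != 0) return -1;
    return (t.c_lflag & ECHO) ? 1 : 0;
}

/* outer: the PTY the caller opens for sudo. inner: stand-in for the PTY that
 * sudo (use_pty) opens, seeded once with a copy of the outer settings.
 * disable_before_start=1 is the fixed ordering, 0 the old one.
 * Returns the inner PTY's ECHO state (1 or 0), or -1 if setup failed. */
int inner_echo_state(int disable_before_start) {
    int om, os, im, is, result = -1;
    struct termios seed;
    if (openpty(&om, &os, NULL, NULL, NULL) != 0) return -1;
    if (set_echo(os, 1) != 0) goto close_outer;          /* known start state */
    if (disable_before_start && set_echo(os, 0) != 0) goto close_outer;
    if (tcgetattr(os, &seed) != 0) goto close_outer;     /* "sudo starts" */
    if (openpty(&im, &is, NULL, &seed, NULL) != 0) goto close_outer;
    if (!disable_before_start) set_echo(os, 0);          /* too late for inner */
    if (get_echo(os) == 0) result = get_echo(is);        /* outer is off in both runs */
    close(im); close(is);
close_outer:
    close(om); close(os);
    return result;
}

int main(void) {
    printf("echo off before start: inner ECHO=%d\n", inner_echo_state(1));
    printf("echo off after start:  inner ECHO=%d\n", inner_echo_state(0));
    return 0;
}
```

In both runs the outer PTY ends with ECHO off; only the run that clears it before the copy leaves the inner PTY with ECHO off as well.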