Debian Bug report logs - #318736
apt-listchanges: Drop privileges before displaying changes


Package: apt-listchanges; Maintainer for apt-listchanges is Sandro Tosi <morph@debian.org>; Source for apt-listchanges is src:apt-listchanges.

Reported by: Andrew Pollock <apollock@debian.org>

Date: Sun, 17 Jul 2005 11:48:05 UTC

Severity: wishlist

Tags: security

Found in version 2.59-0.2

Done: Matt Zimmerman <mdz@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Matt Zimmerman <mdz@debian.org>:
Bug#318736; Package apt-listchanges.

Acknowledgement sent to Andrew Pollock <apollock@debian.org>:
New Bug report received and forwarded. Copy sent to Matt Zimmerman <mdz@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Andrew Pollock <apollock@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: apt-listchanges: Drop privileges before displaying changes
Date: Sun, 17 Jul 2005 21:44:52 +1000
Package: apt-listchanges
Version: 2.59-0.2
Severity: wishlist
Tags: security

Hi,

It's conceivable that a user may be granted sufficient privileges (with
sudo for example) to be able to install software, without being granted
full root access.

To this end, it is preferable that users can't easily gain root access
by shelling out of privileged applications.

apt-listchanges displays the changelog as root, so if one is using less
as their pager, they can get a root shell by using the ! command in
less. If the changelog is displayed using an xterm, and gnome-terminal
is the user's x-terminal-emulator, they can open another tab and get a
root shell.

If possible, switching to a non-privileged user prior to displaying the
changelog, would prevent giving away full root access.

regards

Andrew

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.9-mppe
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)

Versions of packages apt-listchanges depends on:
ii  apt                           0.5.28.6   Advanced front-end for dpkg
ii  debconf                       1.4.51     Debian configuration management sy
ii  debianutils                   2.14.1     Miscellaneous utilities specific t
ii  python                        2.3.5-2    An interactive high-level object-o
ii  python-apt                    0.5.10     Python interface to libapt-pkg
ii  ucf                           1.18       Update Configuration File: preserv

apt-listchanges recommends no packages.

-- debconf information:
* apt-listchanges/confirm: false
* apt-listchanges/email-address: root
* apt-listchanges/which: both
* apt-listchanges/frontend: xterm-pager
* apt-listchanges/save-seen: true
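A defensive sketch of what the report asks for, written as an added example and not apt-listchanges' own code: open the changelog while still privileged, then run the pager as an unprivileged account (assumed here to be "nobody", with the pager taken from $PAGER and defaulting to less) with less's shell escapes disabled as a second layer.

```python
"""Added example: show a changelog without leaving the pager running as root.

Assumptions not taken from the bug report: the unprivileged account is
"nobody", the pager comes from $PAGER (default "less"), and the changelog
is a readable regular file.
"""
import os
import pwd
import shlex
import subprocess


def pager_command(env):
    """Pager argv from $PAGER (default: less), split like a shell would."""
    return shlex.split(env.get("PAGER", "less")) or ["less"]


def pager_environment(env):
    """Copy of env hardened for a viewer that must not reach a shell.

    LESSSECURE=1 makes less refuse its shell escapes (!, |, v, ...), which
    is belt-and-braces on top of dropping privileges. LESSOPEN/LESSCLOSE
    are removed because they run arbitrary preprocessor commands.
    """
    hardened = {k: v for k, v in env.items() if k not in ("LESSOPEN", "LESSCLOSE")}
    if os.path.basename(pager_command(hardened)[0]) == "less":
        hardened["LESSSECURE"] = "1"
    return hardened


def make_privilege_dropper(pw):
    """Return a preexec_fn that switches the child to account pw.

    Order matters: supplementary groups first, then gid, then uid; once
    the uid is dropped there is no way back, which is the point.
    """
    def drop():
        os.setgroups([])
        os.setgid(pw.pw_gid)
        os.setuid(pw.pw_uid)
        if os.getuid() != pw.pw_uid or os.geteuid() != pw.pw_uid:
            raise SystemExit("failed to drop privileges")
    return drop


def show_changelog(path, user="nobody"):
    """Pipe the changelog into the pager running as `user`, not as root."""
    pw = pwd.getpwnam(user)
    env = pager_environment(dict(os.environ))
    # Open the file while still privileged: the child inherits only the fd,
    # so the unprivileged pager never needs read access to the file itself.
    with open(path, "rb") as fh:
        return subprocess.call(
            pager_command(env), stdin=fh, env=env,
            preexec_fn=make_privilege_dropper(pw) if os.getuid() == 0 else None,
        )
```

This only covers the pager case; the xterm-pager frontend mentioned in the report would need the terminal emulator itself started as the unprivileged user.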



Information forwarded to debian-bugs-dist@lists.debian.org, Matt Zimmerman <mdz@debian.org>:
Bug#318736; Package apt-listchanges.

Acknowledgement sent to 318736@bugs.debian.org, sf@sfritsch.de:
Extra info received and forwarded to list. Copy sent to Matt Zimmerman <mdz@debian.org>.

Message #10 received at 318736@bugs.debian.org:

From: Stefan Fritsch <sf@sfritsch.de>
To: 318736@bugs.debian.org, 318736-submitter@bugs.debian.org
Subject: installing software with sudo
Date: Mon, 3 Oct 2005 12:33:38 +0200
I don't think it is safe to grant installation rights via sudo anyway:
If there is a previous version of a conf-file lying around, dpkg will 
ask what to do, including the option to open a shell.



Message sent on to Andrew Pollock <apollock@debian.org>:
Bug#318736.

Information forwarded to debian-bugs-dist@lists.debian.org, Matt Zimmerman <mdz@debian.org>:
Bug#318736; Package apt-listchanges.

Acknowledgement sent to Joey Hess <joeyh@debian.org>:
Extra info received and forwarded to list. Copy sent to Matt Zimmerman <mdz@debian.org>.

Message #18 received at 318736@bugs.debian.org:

From: Joey Hess <joeyh@debian.org>
To: 318736@bugs.debian.org
Subject: or..
Date: Tue, 18 Oct 2005 01:36:46 -0400
Or you can run "DEBIAN_FRONTEND=editor sudo whatever" and wait for a
debconf question, which will run in your favorite editor (or other
program).

The possibilities are probably endless; it wasn't designed to be safe
for untrusted users to access; this bug should be closed.

-- 
see shy jo

Reply sent to Matt Zimmerman <mdz@debian.org>:
You have taken responsibility.

Notification sent to Andrew Pollock <apollock@debian.org>:
Bug acknowledged by developer.

Message #23 received at 318736-done@bugs.debian.org:

From: Matt Zimmerman <mdz@debian.org>
To: Joey Hess <joeyh@debian.org>, 318736-done@bugs.debian.org
Subject: Re: Bug#318736: or..
Date: Tue, 18 Oct 2005 09:47:53 -0700
On Tue, Oct 18, 2005 at 01:36:46AM -0400, Joey Hess wrote:
> Or you can run "DEBIAN_FRONTEND=editor sudo whatever" and wait for a
> debconf question, which will run in your favorite editor (or other
> program).
> 
> The possibilities are probably endless; it wasn't designed to be safe
> for untrusted users to access; this bug should be closed.

Agreed.

-- 
 - mdz



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 18 Jun 2007 00:48:34 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 19:38:40 2014; Machine Name: buxtehude.debian.org
