Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Gustavo Noronha Silva <kov@debian.org>: Bug#454624; Package gksu.
Acknowledgement sent to Nicolas <e.conti@gmx.net>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Gustavo Noronha Silva <kov@debian.org>.
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: gksu doesn't ask for a password and runs apps as root
Date: Thu, 06 Dec 2007 18:42:04 +0100
Package: gksu
Version: 2.0.0-5
Severity: critical
Tags: security
Justification: root security hole
Hello,
Since today, when I run gksu as a "normal user" (not root), it doesn't ask for
the root password. An empty window opens. Nothing is written inside it apart from
"Do not show that message again" (I'm translating the message into English for
the bug report).
I launched gksu from a shell, still from a "normal user" account:
/usr/bin/gksu -u root /usr/sbin/synaptic
The empty window opens, and here's what is written in the console :
(gksu:6066): Gtk-WARNING **: Failed to set text from markup due to error
parsing markup: Error on line 1 char 35: Invalid UTF-8 encoded text - not valid
'<b><big>Permissions accord\xe9es sans demande de mot de passe</big></b>
Le programme \xab\xa0/usr/sbin/synaptic\xa0\xbb a \xe9t\xe9 lanc\xe9 avec les
privil\xe8ges de l'utilisateur root sans avoir eu \xe0 demander de mot de
passe, en raison de la configuration du m\xe9canisme d'authentification de
votre syst\xe8me.
Il est possible que vous soyez autoris\xe9 \xe0 lancer des programmes
sp\xe9cifiques en tant qu'utilisateur root sans avoir besoin de mot de passe,
ou que le mot de passe soit en cache.
Il ne s'agit pas d'un signalement de probl\xe8me\xa0; il s'agit juste d'un
avertissement pour \xeatre s\xfbr que vous en \xeates conscient.'
[Translation of the French notice: "Permissions granted without asking for a password. The program « /usr/sbin/synaptic » was run with the privileges of the root user without having to ask for a password, because of the configuration of your system's authentication mechanism. It is possible that you are authorized to run specific programs as the root user without needing a password, or that the password is cached. This is not a problem report; it is just a warning to make sure you are aware of it."]
The strange \xyz chars are displayed in this bug report as they do appear in the console.
What surprised me is that even if gksu doesn't ask for the root password, I'm
actually able to use synaptic! I mean not only browsing the packages, but
installing them, removing them, and so on. So, synaptic is run from the root
account!
So I did a test from a console :
$ whoami
normal_non_root_user
$ su
Password:
# echo "test" > xyz_test_file.txt
# chmod 600 xyz_test_file.txt
# ls -l xyz_test_file.txt
-rw------- 1 root root 5 2007-12-06 18:39 xyz_test_file.txt
# exit
$ whoami
normal_non_root_user
$ /usr/bin/gksu -u root more xyz_test_file.txt
(gksu:7336): Gtk-WARNING **: Failed to set text from markup due to error
parsing markup: Error on line 1 char 35: Invalid UTF-8 encoded text - not valid
'<b><big>Permissions accord\xe9es sans demande de mot de passe</big></b>
Le programme \xab\xa0more 'xyz_test_file.txt'\xa0\xbb a \xe9t\xe9
lanc\xe9 avec les privil\xe8ges de l'utilisateur root sans avoir eu \xe0
demander de mot de passe, en raison de la configuration du m\xe9canisme
d'authentification de votre syst\xe8me.
Il est possible que vous soyez autoris\xe9 \xe0 lancer des programmes
sp\xe9cifiques en tant qu'utilisateur root sans avoir besoin de mot de passe,
ou que le mot de passe soit en cache.
Il ne s'agit pas d'un signalement de probl\xe8me\xa0; il s'agit juste d'un
avertissement pour \xeatre s\xfbr que vous en \xeates conscient.'
[The same French notice as in the first console output, this time naming the program « more 'xyz_test_file.txt' »: permissions were granted without asking for a password because of the configuration of the system's authentication mechanism; either you are allowed to run specific programs as root without a password, or the password is cached; this is only a warning, not a problem report.]
test
As you can see, the word "test" is displayed in the console at the end, while
xyz_test_file.txt's perms are 600 and I'm logged in as a normal user.
I think there's a major security issue here!!!
Nicolas,
Paris, France.
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.23.9 (SMP w/2 CPU cores)
Locale: LANG=fr_FR, LC_CTYPE=fr_FR (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash
Versions of packages gksu depends on:
ii gnome-keyring 2.20.2-1 GNOME keyring services (daemon and
ii libatk1.0-0 1.20.0-1 The ATK accessibility toolkit
ii libc6 2.7-3 GNU C Library: Shared libraries
ii libcairo2 1.4.10-1.1 The Cairo 2D vector graphics libra
ii libgconf2-4 2.20.1-1 GNOME configuration database syste
ii libgksu2-0 2.0.5-1 library providing su and sudo func
ii libglib2.0-0 2.14.4-2 The GLib library of C routines
ii libgnome-keyring0 2.20.2-1 GNOME keyring services library
ii libgtk2.0-0 2.12.3-1 The GTK+ graphical user interface
ii liborbit2 1:2.14.7-0.1 libraries for ORBit2 - a CORBA ORB
ii libpango1.0-0 1.18.3-1 Layout and rendering of internatio
ii libstartup-notification0 0.9-1 library for program launch feedbac
ii sudo 1.6.9p9-1 Provide limited super user privile
gksu recommends no packages.
-- no debconf information
Information forwarded to debian-bugs-dist@lists.debian.org, Gustavo Noronha Silva <kov@debian.org>: Bug#454624; Package gksu.
Acknowledgement sent to Loïc Minier <lool@dooz.org>:
Extra info received and forwarded to list. Copy sent to Gustavo Noronha Silva <kov@debian.org>.
To: Nicolas <e.conti@gmx.net>, 454624@bugs.debian.org
Subject: Re: Bug#454624: gksu doesn't ask for a password and runs apps as root
Date: Thu, 6 Dec 2007 18:55:27 +0100
On Thu, Dec 06, 2007, Nicolas wrote:
> Since today, when I run gksu as a "normal user" (not root), it doesn't ask for
> the root password. An empty window opens. Nothing is written inside it apart from
> "Do not show that message again" (I'm translating the message into English for
> the bug report).
Do you have sudo? If it's not private, please attach your sudoers
file.
--
Loïc Minier
Information forwarded to debian-bugs-dist@lists.debian.org, Gustavo Noronha Silva <kov@debian.org>: Bug#454624; Package gksu.
Acknowledgement sent to Nicolas <e.conti@gmx.net>:
Extra info received and forwarded to list. Copy sent to Gustavo Noronha Silva <kov@debian.org>.
Sudo is installed:
# dpkg -l | grep sudo
ii  libgksu1.2-0  1.3.8-1    library providing su and sudo functionality
ii  libgksu2-0    2.0.5-1    library providing su and sudo functionality
ii  sudo          1.6.9p9-1  Provide limited super user privileges to specific users
My /etc/sudoers file is attached.
Nicolas.
On Thu, Dec 06, 2007 at 06:55:27PM +0100, Loïc Minier wrote:
> On Thu, Dec 06, 2007, Nicolas wrote:
> > Since today, when I run gksu as a "normal user" (not root), it doesn't ask for
> > the root password. An empty window opens. Nothing is written inside it apart from
> > "Do not show that message again" (I'm translating the message into English for
> > the bug report).
>
> Do you have sudo? If it's not private, please attach your sudoers
> file.
>
> --
> Loïc Minier
>
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~ BOYCOTT SUSE & NOVELL (C)(TM)(R) MICRO$OFT ~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~ I DO LIKE AND SUPPORT GPL VERSION 3 ~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Information forwarded to debian-bugs-dist@lists.debian.org, Gustavo Noronha Silva <kov@debian.org>: Bug#454624; Package gksu.
Acknowledgement sent to Nicolas <e.conti@gmx.net>:
Extra info received and forwarded to list. Copy sent to Gustavo Noronha Silva <kov@debian.org>.
Subject: Fwd: Re: Bug#454624: gksu doesn't ask for a password and runs apps as root
Date: Thu, 6 Dec 2007 19:28:49 +0100
Additional test:
$ whoami
<normal_non_root_user>
$ su
Password:
# whoami
root
# echo "test" > root_test_file
# chmod 600 root_test_file
# ls -l root_test_file
-rw------- 1 root root 5 2007-12-06 19:26 root_test_file
# exit
$ whoami
<normal_non_root_user>
$ more root_test_file
root_test_file: Permission denied
And I can do whatever I want on the computer (as the root user) if I use
gksu. :-/
Nicolas,
Paris, France.
Information forwarded to debian-bugs-dist@lists.debian.org, Gustavo Noronha Silva <kov@debian.org>: Bug#454624; Package gksu.
Acknowledgement sent to Nicolas <e.conti@gmx.net>:
Extra info received and forwarded to list. Copy sent to Gustavo Noronha Silva <kov@debian.org>.
Subject: Re: Bug#454624: Info received (Bug#454624: gksu doesn't ask for a password and runs apps as root)
Date: Thu, 6 Dec 2007 19:49:43 +0100
Mmmmm... I just rebooted my computer (xx days of uptime), and now the gksu
window appears normally.
As for the password not being requested, perhaps it was cached?
Nicolas
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#454624; Package gksu.
Acknowledgement sent to Gustavo Noronha Silva <kov@debian.org>:
Extra info received and forwarded to list.
To: Nicolas <e.conti@gmx.net>, 454624@bugs.debian.org
Subject: Re: Bug#454624: Info received (Bug#454624: gksu doesn't ask for a password and runs apps as root)
Date: Thu, 6 Dec 2007 17:36:37 -0200
On Thu, Dec 06, 2007 at 07:49:43PM +0100, Nicolas wrote:
> Mmmmm... Just rebooted my xx-uptime days computer, and then the gksu
> window appears normally.
> As regards to the password not requested, perhaps was it in cache ?
gksu, when used with the su backend, will have checkboxes to make it
remember the password for the whole session or to store it in the GNOME
Keyring for good. You probably had the password stored for your session,
and the screen that appeared blank was telling you just that: that gksu
was going to run the program without asking for the password.
We have a bug here, indeed: that translation has invalid characters, but
as for the password caching, that seems to be working as intended =).
Thanks!
--
Gustavo Noronha Silva <kov@debian.org>
Debian Developer http://www.debian.org/
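The notice quoted in the report names two ways root can be granted without a prompt (a rule allowing specific programs without a password, or a cached password), and Loïc asked for the sudoers file to rule out the first. The following is an added example, written for this page and not code from the bug report, gksu or sudo: a small auditor that reads a sudoers file and lists the NOPASSWD rules that apply to a given user, together with the sudo credential-cache timeout. It assumes the common sudoers subset `user|%group host=(runas) [NOPASSWD:|PASSWD:] cmd, cmd` plus global `Defaults` options; aliases, `#include`, line continuations and per-user/host `Defaults` are skipped, and SAMPLE_SUDOERS is a constructed file, not the reporter's.

```python
"""Added example, not code from the bug report, gksu or sudo: an auditor for
the first cause gksu's notice names, a sudoers rule granting root without a
password.  Assumptions (mine, not the page's): the grammar covered is the
common subset  user|%group  host=(runas) [NOPASSWD:|PASSWD:] cmd, cmd ...
plus global  Defaults  options; aliases, #include, line continuations and
per-user/host Defaults are skipped.  SAMPLE_SUDOERS is constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass

SAMPLE_SUDOERS = """\
# constructed sample, not the reporter's /etc/sudoers
Defaults        env_reset
Defaults        timestamp_timeout=15
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
nicolas ALL=(ALL) NOPASSWD: /usr/sbin/synaptic, /usr/bin/more
%wheel  ALL=(ALL) NOPASSWD: ALL
bob     ALL=(ALL) PASSWD: /usr/bin/apt-get, NOPASSWD: /usr/bin/dpkg
"""


@dataclass(frozen=True)
class Grant:
    who: str        # user name, %group, or ALL
    runas: str
    command: str
    nopasswd: bool


# user/group  host = (runas) commands   (the host field cannot contain '=')
_SPEC = re.compile(
    r"^(?P<who>%?[\w.-]+)\s+(?P<host>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
_TAG = re.compile(r"^(NOPASSWD|PASSWD)\s*:\s*(.*)$")


def parse_sudoers(text: str) -> tuple[list[Grant], dict[str, str]]:
    """Return (user-spec grants, global Defaults options)."""
    grants: list[Grant] = []
    defaults: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments (and #include)
        if not line:
            continue
        if line.startswith("Defaults"):
            if not line[8:9].isspace():           # Defaults:user / @host / !cmd: skipped
                continue
            for opt in line[8:].split(","):
                key, _, value = opt.strip().partition("=")
                if key:
                    defaults[key.strip()] = value.strip() or "true"
            continue
        m = _SPEC.match(line)
        if not m:
            continue
        runas = (m.group("runas") or "root").split(":")[0].strip() or "root"
        nopasswd = False                          # sudoers default tag is PASSWD
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            tag = _TAG.match(cmd)
            if tag:                               # a tag applies to following commands too
                nopasswd = tag.group(1) == "NOPASSWD"
                cmd = tag.group(2).strip()
            grants.append(Grant(m.group("who"), runas, cmd, nopasswd))
    return grants, defaults


def nopasswd_grants(text: str, user: str,
                    groups: set[str] | frozenset[str] = frozenset()) -> list[Grant]:
    """Rules that let `user` (member of `groups`) run something with no
    password prompt: the first possibility the gksu notice mentions."""
    grants, _ = parse_sudoers(text)

    def applies(g: Grant) -> bool:
        if g.who == "ALL":
            return True
        if g.who.startswith("%"):
            return g.who[1:] in groups
        return g.who == user

    return [g for g in grants if g.nopasswd and applies(g)]


def authenticate_disabled(text: str) -> bool:
    """`Defaults !authenticate` turns the password prompt off for every rule."""
    return parse_sudoers(text)[1].get("!authenticate") == "true"


def timestamp_timeout_minutes(text: str) -> float:
    """How long sudo caches a successful authentication (sudoers(5): 5 minutes
    unless timestamp_timeout is set; 0 disables caching, negative never
    expires).  This is sudo's own cache, separate from gksu's 'remember for
    this session' / GNOME Keyring storage that Gustavo describes."""
    return float(parse_sudoers(text)[1].get("timestamp_timeout", "5"))


if __name__ == "__main__":
    for g in nopasswd_grants(SAMPLE_SUDOERS, "nicolas"):
        print(f"{g.who} may run {g.command} as {g.runas} with no password")
    print(f"sudo credential cache: {timestamp_timeout_minutes(SAMPLE_SUDOERS):g} min")
```

On a live system the quicker check is `sudo -n -l`, which lists the caller's rules without prompting and fails if a password would be required; the parser above is for reviewing a sudoers file offline, as Loïc was asking to do. A `NOPASSWD` rule explains a missing prompt permanently; a cache (sudo's timestamp or gksu's session store) explains one only until it expires or the machine is rebooted, which matches what the reporter saw.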
Severity set to `normal' from `critical'.
Request was from Gustavo Noronha Silva <kov@debian.org> to control@bugs.debian.org. (Thu, 06 Dec 2007 19:45:05 GMT)
Changed Bug title to `french translation of the 'will not ask for password' is broken' from `gksu doesn't ask for a password and runs apps as root'.
Request was from Gustavo Noronha Silva <kov@debian.org> to control@bugs.debian.org. (Thu, 06 Dec 2007 19:45:06 GMT)
Tags removed: security
Request was from Gustavo Noronha Silva <kov@kov.eti.br> to control@bugs.debian.org. (Sun, 30 Dec 2007 16:33:06 GMT)
Bug reassigned from package `gksu' to `libgksu2-0'.
Request was from Gustavo Noronha Silva <kov@kov.eti.br> to control@bugs.debian.org. (Sun, 30 Dec 2007 16:36:13 GMT)
Message sent on to Nicolas <e.conti@gmx.net>: Bug#454624.
Hey,
I am studying this problem and I came to the conclusion that the problem
doesn't lie in the translation. It seems to happen only when you have
LC_CTYPE explicitly defined to some non-utf-8 locale, such as fr_FR.
Can you please try running gksudo with LC_CTYPE unset or set to
fr_FR.UTF-8?
Thanks,
--
Gustavo Noronha <kov@kov.eti.br>
http://kov.eti.br/
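Gustavo's diagnosis above is the technical core of the thread: with LC_CTYPE=fr_FR the reporter's charmap is ISO-8859-1 (see the system information in the first message), so gettext returns the translated notice as Latin-1 bytes, while the Pango markup gksu wraps it in (`<b><big>...</big></b>`) must be UTF-8; the markup parser rejects it with "Invalid UTF-8 encoded text" and the label is left blank, which is the empty window the reporter saw. The following is an added example, written for this page and not code from gksu or libgksu, that reproduces the failure on the first line of the reporter's console output and shows the conversion that avoids it. Assumptions not on the page: Python's expat parser stands in for GLib's markup parser, and the fix modelled is the equivalent of `g_locale_to_utf8()` (or `bind_textdomain_codeset(domain, "UTF-8")` at the gettext level); the byte string is transcribed from the `\x` escapes in the report.

```python
"""Added example, not code from gksu or libgksu: reproduces the blank-dialog
failure from bug #454624 and the charset conversion that avoids it.
Assumptions (mine, not the page's): expat stands in for GLib's markup
parser; the fix is what g_locale_to_utf8() does, or what
bind_textdomain_codeset(domain, "UTF-8") would make gettext do up front.
NOTICE_LATIN1 is the first line of the reporter's console output,
transcribed from its \\x escapes (LC_CTYPE=fr_FR, charmap ISO-8859-1)."""
from __future__ import annotations

import xml.etree.ElementTree as ET

NOTICE_LATIN1 = (
    b"<b><big>Permissions accord\xe9es sans demande de mot de passe</big></b>"
)


def first_invalid_utf8(data: bytes) -> int | None:
    """Byte offset of the first invalid UTF-8 sequence, or None if the whole
    buffer is valid (the end pointer g_utf8_validate() hands back)."""
    try:
        data.decode("utf-8")
    except UnicodeDecodeError as exc:
        return exc.start
    return None


def markup_parses(markup: bytes | str) -> bool:
    """Stand-in for the markup parser.  Pango markup is XML-shaped, so wrap
    it in a root element and let expat decide.  Bytes are parsed exactly as
    the parser receives them (no charset hint, so UTF-8 is assumed); a str
    is text that has already been decoded correctly."""
    try:
        if isinstance(markup, bytes):
            ET.fromstring(b"<markup>" + markup + b"</markup>")
        else:
            ET.fromstring("<markup>" + markup + "</markup>")
    except ET.ParseError:
        return False
    return True


def to_utf8_markup(translated: bytes, locale_charset: str) -> str:
    """The fix: treat gettext's result as text in the locale's charset and
    convert it, as g_locale_to_utf8() does, before any markup is built.
    For a UTF-8 locale (LC_CTYPE=fr_FR.UTF-8) this is the identity.  Strict
    decoding: a byte the charset cannot represent raises instead of being
    silently dropped, so a wrong charset guess is noticed, not hidden."""
    return translated.decode(locale_charset)


def notice_text(markup: str) -> str:
    """Plain text of the notice, i.e. what the reporter should have seen."""
    return "".join(ET.fromstring("<markup>" + markup + "</markup>").itertext())


if __name__ == "__main__":
    print("first bad byte at offset", first_invalid_utf8(NOTICE_LATIN1))
    print("raw Latin-1 bytes parse as markup:", markup_parses(NOTICE_LATIN1))
    fixed = to_utf8_markup(NOTICE_LATIN1, "ISO-8859-1")
    print("converted text parses as markup:", markup_parses(fixed))
    print(notice_text(fixed))
```

The offset reported here is a byte offset into the raw string, which is not the same count GLib prints in its "char 35" message; what matters is that the bytes fail as UTF-8 and the same text, once converted from the locale charset, parses and renders. That is also why the bug vanished for the reporter in a UTF-8 locale: there the conversion is the identity and gettext's output already satisfies the parser.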
Reply sent to Debian FTP Masters <ftpmaster@ftp-master.debian.org>: You have taken responsibility. (Wed, 21 Mar 2018 17:24:00 GMT)
Notification sent to Nicolas <e.conti@gmx.net>: Bug acknowledged by developer. (Wed, 21 Mar 2018 17:24:00 GMT)
To: 326626-done@bugs.debian.org,391802-done@bugs.debian.org,415732-done@bugs.debian.org,419672-done@bugs.debian.org,444059-done@bugs.debian.org,444141-done@bugs.debian.org,451801-done@bugs.debian.org,454624-done@bugs.debian.org,520953-done@bugs.debian.org,525875-done@bugs.debian.org,536303-done@bugs.debian.org,564188-done@bugs.debian.org,600365-done@bugs.debian.org,601166-done@bugs.debian.org,641076-done@bugs.debian.org,705389-done@bugs.debian.org,867931-done@bugs.debian.org,885552-done@bugs.debian.org,
Cc: libgksu@packages.debian.org
Subject: Bug#892771: Removed package(s) from unstable
Date: Wed, 21 Mar 2018 17:20:33 +0000
Version: 2.0.13~pre1-9+rm
Dear submitter,
as the package libgksu has just been removed from the Debian archive
unstable we hereby close the associated bug reports. We are sorry
that we couldn't deal with your issue properly.
For details on the removal, please see https://bugs.debian.org/892771
The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.
This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@ftp-master.debian.org.
Debian distribution maintenance software
pp.
Scott Kitterman (the ftpmaster behind the curtain)
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 19 Apr 2018 07:27:53 GMT)