Tudor Bosman wrote:
>
> Hello !
>
> When using shadow passwords, the K Desktop Environment
> (http://www.kde.org) screen savers require to be setuid root (in order
> to access /etc/shadow). However, they never drop root privileges...
>
> When starting, they create the file .kss.pid in the home directory as
> root, following symbolic links. And ln -s /etc/shadow ~/.kss.pid
> will cause /etc/shadow to be overwritten.
>
> A short patch:
>
> diff -c kscreensaver.orig/main.cpp kscreensaver/main.cpp > *** kscreensaver.orig/main.cpp Fri Feb 6 19:23:07 1998 > --- kscreensaver/main.cpp Fri Feb 6 19:30:13 1998 > *************** > *** 289,294 **** > --- 289,298 ---- > > initPasswd(); > > + // this makes use of the POSIX saved UIDs feature, available > + // in current Linux versions -- tudorb en caltech edu > + setuid (getuid ()); > + > if ( mode == MODE_INSTALL ) > { > if (!canGetPasswd) {
>
> --
> Tudor Bosman
> E-mail: tudorb en its caltech edu Phone: (626) 683-3813
> Address: Caltech MSC #345, Pasadena, CA 91126-0345, USA
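
Review bot: the return value of the added `setuid (getuid ());` call after `initPasswd();` is never checked, so if the call fails the program carries on as root and the .kss.pid creation described above is still done with root privileges; test the result and exit on failure. The accompanying comment credits the saved-UIDs feature, but when the effective UID is root, setuid() changes the real, effective and saved UIDs together, so the drop is permanent and the comment should say so. It would also help to document that everything needing /etc/shadow has to happen in `initPasswd()`, before this line.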
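
The two defences the message points at, a checked permanent privilege drop and a PID file that is created without following a planted link, can be combined as below. This is an added example, not code from the post or from KDE; the function names `drop_privileges` and `write_pidfile` are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently give up setuid-root privileges; returns 0 on success. */
int drop_privileges(void)
{
    uid_t uid = getuid();
    /* Group first: after setuid() we may no longer be allowed to change it. */
    if (setgid(getgid()) != 0 || setuid(uid) != 0)
        return -1;
    /* A real drop means root cannot be regained (skipped if started by root). */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* Create the PID file without following a link planted at `path`. */
int write_pidfile(const char *path, pid_t pid)
{
    /* unlink() removes a symlink itself, never the file it points to. */
    if (unlink(path) != 0 && errno != ENOENT)
        return -1;
    /* O_EXCL fails if anything reappeared at path; O_NOFOLLOW refuses links. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    int ok = dprintf(fd, "%ld\n", (long)pid) > 0;
    if (close(fd) != 0)
        ok = 0;
    return ok ? 0 : -1;
}

int main(int argc, char **argv)
{
    /* Assumed usage: the PID file path is the only argument. */
    if (argc != 2 || drop_privileges() != 0)
        return EXIT_FAILURE;
    return write_pidfile(argv[1], getpid()) == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
```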