Date: 30 Mar 2000 17:19:22 -0000
From: lioux@uol.com.br
To: FreeBSD-gnats-submit@freebsd.org
Subject: ports/17692: Unaudited SUID root on x11/kdebase11 .kss files, sec hazard?
Message-ID: <20000330171922.23375.qmail@Fedaykin.here>
>Number:         17692
>Category:       ports
>Synopsis:       Unaudited SUID root on x11/kdebase11 .kss files, sec hazard?
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-ports
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Thu Mar 30 09:30:01 PST 2000
>Closed-Date:
>Last-Modified:
>Originator:     Mario Sergio Fujikawa Ferreira
>Release:        FreeBSD 4.0-STABLE i386
>Organization:
>Environment:
Probably, all kde 1.1.2 installations on any FBSD version that supports it.
>Description:
This PR should supersede ports/15541: "KDE screen saver with password protection does not work. Can't get back in."

Maybe I can shed some light on this. The aforementioned problem/behavior appeared as soon as the kde port was upgraded to 1.1.2. Then, it was "fixed" with a suid bit root on all .kss (screensaver) files.

There is a reason I think this PR should be opened: are we sure that suiding all those programs is really both necessary and safe? To get ahold of what I am saying, check: x11/kdebase11.

I guess the knight in shiny armor that shares time within both the ports and the security officer groups should take a look at this one. :-) This is a possible security hazard on all KDE 1.1.2 installations. To quote Mr. Ade Lovett, "which should get the attention of both Will and Kris :)"

You guys?
>How-To-Repeat:
Just installing the x11/kdebase11 port should do it.
>Fix:
n/a
>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ports" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000330171922.23375.qmail>
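As an added audit helper, not part of the PR or of the kdebase11 port itself, this POSIX shell script lists every setuid binary under an install prefix and flags the .kss screensaver modules among them, so a maintainer can see exactly which files carry the bit before deciding whether each one needs it; the prefix path is an assumption, and the sample files in the test are constructed.

```shell
#!/bin/sh
# Audit helper (added example, not from the PR): find setuid binaries under a
# prefix and single out the KDE screensaver modules (*.kss) the PR asks about.
# Assumed prefix: /usr/local (what FreeBSD ports normally install under).

# Print, one per line, every regular file under $1 with the setuid bit set.
# Adding "-user root" to the find(1) expression narrows this to root-owned
# files; it is left out so the check also runs on a non-root test tree.
list_setuid() {
    dir=$1
    find "$dir" -type f -perm -4000 2>/dev/null | sort
}

# Report the setuid *.kss files under $1. Returns 0 when none exist and 1
# when at least one does, so it can gate a build or packaging check.
audit_kss() {
    dir=$1
    hits=$(list_setuid "$dir" | grep '\.kss$' || true)
    if [ -z "$hits" ]; then
        echo "no setuid .kss files under $dir"
        return 0
    fi
    echo "setuid .kss files under $dir (review each before keeping the bit):"
    echo "$hits"
    return 1
}

# Stand-alone usage: audit the assumed ports prefix.
audit_kss "${1:-/usr/local}"
```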