From owner-freebsd-ports Thu Mar 30 9:30: 7 2000
Delivered-To: freebsd-ports@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21])
	by hub.freebsd.org (Postfix) with ESMTP id BBE4A37BE49
	for ; Thu, 30 Mar 2000 09:30:01 -0800 (PST)
	(envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.9.3/8.9.2) id JAA53201;
	Thu, 30 Mar 2000 09:30:01 -0800 (PST)
	(envelope-from gnats@FreeBSD.org)
Received: from pascal.uol.com.br (pascal.uol.com.br [200.230.198.87])
	by hub.freebsd.org (Postfix) with ESMTP id 2C9D137B699
	for ; Thu, 30 Mar 2000 09:24:20 -0800 (PST)
	(envelope-from lioux-alias-ppp-FreeBSD-gnats-submit=freebsd.org@uol.com.br)
Received: from bsa-1-as01-7-a47.gd.uol.com.br (bsa-1-as01-7-a47.gd.uol.com.br [200.197.118.47])
	by pascal.uol.com.br (8.9.1/8.9.1) with ESMTP id OAA05531
	for ; Thu, 30 Mar 2000 14:24:06 -0300 (BRT)
Received: (qmail 23376 invoked by uid 1001); 30 Mar 2000 17:19:22 -0000
Message-Id: <20000330171922.23375.qmail@Fedaykin.here>
Date: 30 Mar 2000 17:19:22 -0000
From: lioux@uol.com.br
Reply-To: lioux@uol.com.br
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: ports/17692: Unaudited SUID root on x11/kdebase11 .kss files, sec hazard?
Sender: owner-freebsd-ports@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number:         17692
>Category:       ports
>Synopsis:       Unaudited SUID root on x11/kdebase11 .kss files, sec hazard?
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-ports
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Thu Mar 30 09:30:01 PST 2000
>Closed-Date:
>Last-Modified:
>Originator:     Mario Sergio Fujikawa Ferreira
>Release:        FreeBSD 4.0-STABLE i386
>Organization:
>Environment:

	Probably, all kde 1.1.2 installations on any FBSD version
	that supports it.

>Description:

	This PR should supersede ports/15541: "KDE screen saver with
	password protection does not work. Can't get back in."

	Maybe I can shed some light on this. The aforementioned
	problem/behavior appeared as soon as the kde port was upgraded
	to 1.1.2. Then, it was "fixed" with a suid bit root on all .kss
	(screensaver) files.

	There is a reason I think this PR should be opened: are we sure
	that suiding all those programs is really both necessary and
	safe? To get ahold of what I am saying, check: x11/kdebase11.

	I guess the knight in shiny armor that shares time within both
	the ports and the security officer groups should take a look at
	this one. :-) This is a possible security hazard on all KDE
	1.1.2 installations.

	To quote Mr. Ade Lovett, "which should get the attention of
	both Will and Kris :)"

	You guys?

>How-To-Repeat:

	Just installing the x11/kdebase11 port should do it.

>Fix:

	n/a

>Release-Note:
>Audit-Trail:
>Unformatted: