Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#14572 - Shaman allows any user to install and uninstall packages without the root password.
Attached to Project:
Community Packages
Opened by Gert (naguz) - Monday, 04 May 2009, 09:58 GMT
Last edited by Andrea Scarpino (BaSh) - Monday, 04 May 2009, 20:12 GMT
Opened by Gert (naguz) - Monday, 04 May 2009, 09:58 GMT
Last edited by Andrea Scarpino (BaSh) - Monday, 04 May 2009, 20:12 GMT
|
DetailsDescription:
Any unprivileged user can, by editing a config file in his/hers own home folder, install and uninstall any package with shaman, as well as using all other functions shaman provides. Membership in wheel group or anything else is not required. Additional info: * package version(s): Shaman 1.0.9 (r 916) * config and/or log files etc. ~/.config/shaman/shaman.conf Steps to reproduce: 1: Install shaman 2: edit the shaman.conf file as described: Simply add the two lines [auth] askforpwd=false to your users "shaman.conf" (~/.config/shaman/shaman.conf) file. 3: (Un)install what you like An example of how this can be used to open a root shell is described in post #30 here: http://bbs.archlinux.org/viewtopic.php?id=64066&p=2 The bug is reported upstream (http://chakra-project.org/bugs/showreport.php?bugid=147). I felt, however, that this is critical enough to warrant a post here. IMHO this package should not be provided as-is, at least not without a big fat warning. As for wether this is a bug or a feature, drf suggests in this thread (http://bbs.archlinux.org/viewtopic.php?id=64066 same as above) that this behaviour is intended. IMHO, this is an example of where being intended, does not mean it is not a bug. This could very easily be fixed by storing users allowed to run shaman without entering the root password in a config file somewhere else, only writable by root. Why the choice has been made to store such a thing in the users own home folder, editable by him or herself is beyond me. Some copypasta from the bugreport at Chakra: [auth] askforpwd=false to the users shaman.conf-file (~./config/shaman/shaman.conf) The next time shaman is run, it checks the config file, and if the askforpwd value is set to false, it grants itself root privileges (with some nifty setuuid root-thingy, I imagine) This works fine, except for the fact that any user can add the lines [auth] askforpwd=false to his own shaman.conf file, without ever entering the root password in shaman. The next time shaman is run, it checks the config file, and if the askforpwd value is set to false, it grants itself root privileges - even though the user has never entered (or even known) the root password. I am sorry if this should not have been marked as a bug, or not posted here even if it is, and for any not-well-written sentences causing confusion as to what I'm trying to say. The next version of shaman will use policykit and not be subject to this security hole, but I must argue that this package should not be provided with such a security hole in it in the meantime, and so a bug report was indeed called for. |
This task depends upon
<bash> why this is still open? http://chakra-project.org/bugs/showreport.php?bugid=147
<boom1992> dunno, because noone fixed it m aybe ;)
<boom1992> next major version has a fix anyway
<boom1992> via policykit ;)