Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#44310 - [synapse] The run command plugin runs as ROOT without requiring password
Attached to Project:
Community Packages
Opened by Todo ays (entodoays) - Monday, 23 March 2015, 10:03 GMT
Last edited by Doug Newgard (Scimmia) - Friday, 27 March 2015, 12:41 GMT
Details
Description: The "run command" plugin runs commands as root without requiring password. This is a security issue. Malicious code could be run through this plugin. Why does such a program have root privileges in the first place?
Additional info:
* package version(s)
* config and/or log files etc.
Steps to reproduce: Search for a command requiring sudo privileges but without adding sudo at the beginning (ex. shutdown now).
Comment by Doug Newgard (Scimmia) -
Monday, 23 March 2015, 14:58 GMT
shutdown now does not require root if you're logged in to a local session.
Comment by Doug Newgard (Scimmia) -
Thursday, 26 March 2015, 03:47 GMT
Ping? Is there an actual issue here?
Comment by Doug Newgard (Scimmia) -
Friday, 27 March 2015, 12:40 GMT
I just tried running vim and it definitely isn't running as root. With no input from the reporter, I'm going to assume he was running commands that don't actually require root.