Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#61431 - [gvfs] admin backend allows to edit root's files without prompting for password
Attached to Project:
Arch Linux
Opened by Jonas Witschel (diabonas) - Wednesday, 16 January 2019, 16:07 GMT
Last edited by Jan Alexander Steffens (heftig) - Thursday, 17 January 2019, 00:54 GMT
Details

Setting: The current user is in the "wheel" group and doesn't run a polkit authentication agent, e.g. because they killed it (it usually runs as the current user) or use a desktop environment/window manager like i3 which didn't start one in the first place.

Bug: A command like "gedit admin:///etc/sudoers" allows to edit the sudoers file without prompting for a password.

Expected behaviour: Before editing the file, it should ask for the user's password.

This was reported upstream as https://gitlab.gnome.org/GNOME/gvfs/issues/355 and fixed by https://gitlab.gnome.org/GNOME/gvfs/merge_requests/31. It was also backported to gvfs 1.38, so building an updated package based on commit e4eec2bc863e85e2b6b47e4d1c3bdd90ab36dc93 (from the branch https://gitlab.gnome.org/GNOME/gvfs/tree/gnome-3-30) will contain the fix.

Additional info:
* gvfs 1.38.1-1

Steps to reproduce:
- Login as a user in the "wheel" group.
- Install gvfs and gedit.
- Kill your current polkit authentication agent, e.g. /usr/lib/polkit-gnome/polkit-gnome-authentication-agent-1, or use a window manager like i3 which doesn't start one by default.
- Run "gedit admin:///etc/sudoers".
- Observe that the file is editable without a password prompt.
Closed by Jan Alexander Steffens (heftig)
Thursday, 17 January 2019, 00:54 GMT
Reason for closing: Fixed
Additional comments about closing: gvfs 1.38.1+8