FS#61431 - [gvfs] admin backend allows to edit root's files without prompting for password
Attached to Project:
Arch Linux
Opened by Jonas Witschel (diabonas) - Wednesday, 16 January 2019, 16:07 GMT
Last edited by Jan Alexander Steffens (heftig) - Thursday, 17 January 2019, 00:54 GMT
Details
Setting: The current user is in the "wheel" group and
doesn't run a polkit authentication agent, e.g. because they
killed it (it usually runs as the current user) or use a
desktop environment/window manager like i3 which didn't
start one in the first place.
Bug: A command like "gedit admin:///etc/sudoers" allows editing the sudoers file without prompting for a password.

Expected behaviour: Before editing the file, it should ask for the user's password.

This was reported upstream as https://gitlab.gnome.org/GNOME/gvfs/issues/355 and fixed by https://gitlab.gnome.org/GNOME/gvfs/merge_requests/31. It was also backported to gvfs 1.38, so building an updated package based on commit e4eec2bc863e85e2b6b47e4d1c3bdd90ab36dc93 (from the branch https://gitlab.gnome.org/GNOME/gvfs/tree/gnome-3-30) will contain the fix.

Additional info:
* gvfs 1.38.1-1

Steps to reproduce:
- Log in as a user in the "wheel" group.
- Install gvfs and gedit.
- Kill your current polkit authentication agent, e.g. /usr/lib/polkit-gnome/polkit-gnome-authentication-agent-1, or use a window manager like i3 which doesn't start one by default.
- Run "gedit admin:///etc/sudoers".
- Observe that the file is editable without a password prompt.
Closed by Jan Alexander Steffens (heftig)
Thursday, 17 January 2019, 00:54 GMT
Reason for closing: Fixed
Additional comments about closing: gvfs 1.38.1+8