| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <4114937A.1070904@detonation.org> Date: Sat, 07 Aug 2004 10:31:54 +0200 From: Stefan Seifert <nine@...onation.org> To: bugtraq@...urityfocus.com Subject: Re: SuSE Linux K-Menu YAST Control Center Priviledge Escalation Vulnerability Jordan Pilat wrote: >A vulnerability exists in the implementation of >placing the SuSE YAST Control Center in the K Menu. >Normally, one would be required to authenticate as >root before being granted access to the YAST Control >Center. When placing the 'preferences' submenu in >the K Menu (in the 'submenu' section under the >'Menus' tab of the K menu panel preferences), >however, one can not only access, but make changes to >the options in the YAST control center without having >to authenticate as root. > > You can change options, but cannot save them or install software. It will fail silently, or with dubious error messages. I experienced this after upgrading, when I suddenly was not able to change network settings or install new packages when starting the yast modules from the K-menu. I first thought that graphical yast was broken until I realized that it never asked me for a root password. So it's not so much a security bug as just a normal usability bug. It's just useless to start yast without root privileges. Stefan Seifert
Powered by blists - more mailing lists