Bug 159375

Summary: Permissions on Yast modules (other than main entry one) appear to permit general user access when accessed directly
Product: [openSUSE] SUSE LINUX 10.0 Reporter: Tony Hall <afsh>
Component: YaST2Assignee: Stanislav Visnovsky <visnov>
Status: RESOLVED INVALID QA Contact: Klaus Kämpf <kkaempf>
Severity: Major    
Priority: P5 - None CC: gp, security-team
Version: Final   
Target Milestone: ---   
Hardware: i586   
OS: SuSE Linux 10.0   
Whiteboard:
Found By: Customer Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Tony Hall 2006-03-19 00:37:10 UTC 
(b) Permissions on Yast modules (other than main entry one) appear to permit general user access (rather than being limited to root)when accessed directly (i.e. if the initial module is bypassed). (Not sure if this is really a security issue rather than a bug? Also imagine you would already have received advice, but not have it in the general lists, for obvious reasons. Nevertheless, I thought I should report it).
Problem found when XFMenu was added Xfce panel (subject of pending report (c)). XFMenu picked up all the Yast components (I think it is all of them) as separate items when loading the system menu. In this way it was found that many (almost all?) are directly accessable to the user. This included firewall config, adding groups etc.
Comment 1 Tony Hall 2006-03-19 00:52:59 UTC 
Forgot to mention that the Yast items were included in the "Other" menu list in XFMenu. Thanks.
Comment 2 Tony Hall 2006-03-19 00:57:55 UTC 
Apologies for hassling you again. However should this really be in the global group? I am a bit of a newbie, and probably a bit paranoid, but is advertising this a good idea? Again, apologies and thanks.
Comment 3 Tony Hall 2006-03-19 01:09:26 UTC 
Humblest apologies from the nuisance. I wasn't thinking straight. Users should be aware, that is the point of being open. If it si possible please remove comment #2 and this one. Thanks, and again, apologies.
Comment 4 Michael Gross 2006-03-20 14:08:03 UTC 
In what way is YaST envoked by this menu?

Actually, calling `/sbin/yast2 <module>' starts the modules also with a normal user. Maby we should deny the start of these modules (all but release_notes and media_check), they would not work anyway and there is a chance that one of these modules could actually corrupt something.

Adding the security-Team to CC and reassigning.
Comment 5 Stanislav Visnovsky 2006-03-20 14:14:55 UTC 
This was always the case. The modules that absolutely require root access,
will show a pop up. For others, they behave like read-only and they don't have
only the rights of the user that started the module.
Comment 6 Lukas Ocilka 2006-03-21 07:39:07 UTC 
*** Bug 158483 has been marked as a duplicate of this bug. ***