Bug 159375 - Permissions on Yast modules (other than main entry one) appear to permit general user access when accessed directly
Status: RESOLVED INVALID
Alias: None
Product: SUSE LINUX 10.0
Classification: openSUSE
Component: YaST2
Version: Final
Hardware: i586 SuSE Linux 10.0
Importance: P5 - None : Major
Target Milestone: ---
Assignee: Stanislav Visnovsky
QA Contact: Klaus Kämpf
Reported: 2006-03-19 00:37 UTC by Tony Hall
Modified: 2006-03-21 07:39 UTC (History)

Found By: Customer
Description Tony Hall 2006-03-19 00:37:10 UTC
(b) Permissions on Yast modules (other than main entry one) appear to permit general user access (rather than being limited to root) when accessed directly (i.e. if the initial module is bypassed). (Not sure if this is really a security issue rather than a bug? Also imagine you would already have received advice, but not have it in the general lists, for obvious reasons. Nevertheless, I thought I should report it).
Problem found when XFMenu was added to the Xfce panel (subject of pending report (c)). XFMenu picked up all the Yast components (I think it is all of them) as separate items when loading the system menu. In this way it was found that many (almost all?) are directly accessible to the user. This included firewall config, adding groups etc.
Comment 1 Tony Hall 2006-03-19 00:52:59 UTC
Forgot to mention that the Yast items were included in the "Other" menu list in XFMenu. Thanks.
Comment 2 Tony Hall 2006-03-19 00:57:55 UTC
Apologies for hassling you again. However should this really be in the global group? I am a bit of a newbie, and probably a bit paranoid, but is advertising this a good idea? Again, apologies and thanks.
Comment 3 Tony Hall 2006-03-19 01:09:26 UTC
Humblest apologies from the nuisance. I wasn't thinking straight. Users should be aware, that is the point of being open. If it is possible please remove comment #2 and this one. Thanks, and again, apologies.
Comment 4 Michael Gross 2006-03-20 14:08:03 UTC
In what way is YaST invoked by this menu?

Actually, calling `/sbin/yast2 <module>' starts the modules also with a normal user. Maybe we should deny the start of these modules (all but release_notes and media_check), they would not work anyway and there is a chance that one of these modules could actually corrupt something.

Adding the security-Team to CC and reassigning.
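A sketch of the launcher gate proposed in comment 4, added here as an illustration; it is not YaST code and not part of any comment in this report. The names `may_start_module`, `launch_module`, `ALLOWED_UNPRIVILEGED` and `YAST_BIN`, and the sample module name `firewall` used to exercise it, are assumptions.

```shell
#!/bin/sh
# Added illustration (not YaST code): refuse to start a module for a
# non-root caller unless the module is on a short allowlist.
# All function and variable names here are hypothetical.

# The two modules comment 4 names as fine to run unprivileged.
ALLOWED_UNPRIVILEGED="release_notes media_check"

# may_start_module UID MODULE
#   returns 0 = start permitted, 1 = denied, 2 = malformed argument
may_start_module() {
    uid=$1
    module=$2
    # Accept only plain module names, so a path or option cannot slip
    # through the allowlist comparison.
    case $module in
        ''|*[!A-Za-z0-9_-]*) return 2 ;;
    esac
    case $uid in
        ''|*[!0-9]*) return 2 ;;
    esac
    # root may start any module.
    if [ "$uid" -eq 0 ]; then
        return 0
    fi
    for allowed in $ALLOWED_UNPRIVILEGED; do
        if [ "$module" = "$allowed" ]; then
            return 0
        fi
    done
    return 1
}

# launch_module MODULE
#   Runs the real launcher only when the gate allows it. YAST_BIN is an
#   assumed override so the function can be exercised without YaST.
launch_module() {
    if may_start_module "$(id -u)" "$1"; then
        "${YAST_BIN:-/sbin/yast2}" "$1"
    else
        echo "refusing to start module '$1' as uid $(id -u)" >&2
        return 1
    fi
}
```

A gate like this only removes the confusing half-working UI for unprivileged users; the actual protection remains the file and service permissions that the module runs into with the caller's rights.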
Comment 5 Stanislav Visnovsky 2006-03-20 14:14:55 UTC
This was always the case. The modules that absolutely require root access,
will show a pop up. For others, they behave like read-only and they don't have
only the rights of the user that started the module.
Comment 6 Lukas Ocilka 2006-03-21 07:39:07 UTC
*** Bug 158483 has been marked as a duplicate of this bug. ***