Re: Security in GNOME
- From: Lyndon Drake <lyndon stat auckland ac nz>
- To: James Henstridge <james daa com au>
- Cc: "Michael K. Johnson" <johnsonm redhat com>, gnome-list gnome org
- Subject: Re: Security in GNOME
- Date: Fri, 13 Aug 1999 13:19:28 +1200
One possible solution would be to talk to sudo instead of su. sudo only
asks for the user's password (not the root password) which is not such a
problem (though it still gives away some information). It would be nice
to at least have the option to use sudo instead of su, because on some
machines people only have sudo access (without knowing the root password).
On Fri, Aug 13, 1999 at 08:54:34AM +0800, James Henstridge wrote:
> What I was talking about in my last message was the possibility of using
> gsu/consolehelper as a trojan horse for collecting passwords, rather than
> exploiting any buffer overflow or passing invalid data to the setuid part.
> If either of these programs conforms to the user's selected theme then
> someone who has compromised the user's account will be able to collect the
> passwords entered into either of these utilities. They would then be able
> to gain root access later on with the normal su command.
> They could do all this without modifying the actual gsu or consolehelper
> binaries (so rpm --verify will not detect the problem) -- just upload a
> single theme engine shared object and modify one configuration file.
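The point about rpm --verify in the quoted message suggests checking what a running password prompt has actually loaded rather than the binary on disk. The following is an added example, not part of the original thread: it parses Linux /proc/<pid>/maps text and reports executable file mappings outside system directories. The trusted prefix list, the sample paths and the engine name are assumptions constructed for illustration.

```python
import posixpath
import re

# Assumption: directories treated as root-owned, package-managed code locations.
TRUSTED_PREFIXES = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/",
                    "/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/")

# One /proc/<pid>/maps line: range, perms, offset, device, inode, optional path.
MAPS_LINE = re.compile(
    r"^[0-9a-f]+-[0-9a-f]+\s+(?P<perms>[rwxsp-]{4})\s+[0-9a-f]+\s+\S+\s+\d+"
    r"\s+(?P<path>/.*)$"
)

def untrusted_code_mappings(maps_text, trusted=TRUSTED_PREFIXES):
    """Return sorted paths of executable file mappings outside trusted dirs."""
    flagged = set()
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue  # anonymous mappings, [heap], [stack] have no file path
        if "x" not in m.group("perms"):
            continue  # data-only mapping, not code
        path = posixpath.normpath(m.group("path"))
        if not path.startswith(trusted):
            flagged.add(path)
    return sorted(flagged)

# Constructed sample: a password prompt that loaded a theme engine from a
# user's home directory while its own binary and system libraries are intact.
SAMPLE_MAPS = """\
08048000-0804c000 r-xp 00000000 03:01 12345 /usr/bin/gsu
40000000-40013000 r-xp 00000000 03:01 2001 /lib/ld-linux.so.2
40020000-40100000 r-xp 00000000 03:01 2002 /usr/lib/libgtk.so
40100000-40104000 rw-p 000e0000 03:01 2002 /usr/lib/libgtk.so
40200000-40208000 r-xp 00000000 03:05 9001 /home/alice/.themes/engines/libshiny.so
40208000-40209000 rw-p 00007000 03:05 9001 /home/alice/.themes/engines/libshiny.so
bfffe000-c0000000 rwxp fffff000 00:00 0
"""

if __name__ == "__main__":
    for path in untrusted_code_mappings(SAMPLE_MAPS):
        print("code mapped from untrusted location:", path)
```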