[6093] in bugtraq


serious security hole in KDE Beta 3

daemon@ATHENA.MIT.EDU (Tudor Bosman)
Sat Feb 7 16:05:03 1998

Date: 	Fri, 6 Feb 1998 20:06:52 -0800
Reply-To: Tudor Bosman <tudorb@CCO.CALTECH.EDU>
From: Tudor Bosman <tudorb@CCO.CALTECH.EDU>
To: BUGTRAQ@NETSPACE.ORG

Hello !

When using shadow passwords, the K Desktop Environment
(http://www.kde.org) screen savers need to be setuid root (in order
to access /etc/shadow).  However, they never drop root privileges...

When starting, they create the file .kss.pid in the home directory as
root, following symbolic links.  And ln -s /etc/shadow ~/.kss.pid
will cause /etc/shadow to be overwritten.

A short patch:

diff -c kscreensaver.orig/main.cpp kscreensaver/main.cpp
*** kscreensaver.orig/main.cpp  Fri Feb  6 19:23:07 1998
--- kscreensaver/main.cpp       Fri Feb  6 19:30:13 1998
***************
*** 289,294 ****
--- 289,298 ----

        initPasswd();

+       // this makes use of the POSIX saved UIDs feature, available
+       // in current Linux versions -- tudorb@caltech.edu
+       setuid (getuid ());
+
        if ( mode == MODE_INSTALL )
        {
         if (!canGetPasswd) {
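
Review bot: the return value of `setuid (getuid ());` is ignored, so if the call fails the screen saver carries on as root and the later .kss.pid write is still privileged; check it and bail out, for example `if (setuid (getuid ()) != 0) exit (1);`. The added comment is also misleading: when the effective UID is root, setuid() sets the real, effective and saved UIDs together, so this is a permanent drop and does not depend on the saved-UID feature. Nothing in the hunk resets the group ID, so if the binary is ever installed setgid a matching `setgid (getgid ());` belongs before this line, and it is worth confirming that all /etc/shadow access is finished inside `initPasswd()` and that .kss.pid is only created after this point.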

--
Tudor Bosman
E-mail:  tudorb@its.caltech.edu   Phone: (626) 683-3813
Address: Caltech MSC #345, Pasadena, CA 91126-0345, USA
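
The two defects described in the message above (root privileges never dropped, pid file created through a symbolic link) can be closed together as in the following added example, which is not code from the post or from KDE. The function names `drop_privileges` and `write_pidfile` are hypothetical, and the example goes beyond the posted patch by verifying the drop and by refusing to write through a link.

```c
/* Added example (not KDE code): drop setuid-root privileges for good,
 * then create a pid file without following a planted symlink. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently return to the invoking user. Returns 0 on success. */
int drop_privileges(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();

    /* Group first: after setuid() we may no longer be allowed to. */
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Verify: a non-root user must not be able to get root back. */
    if (uid != 0 && (setuid(0) == 0 || geteuid() == 0))
        return -1;
    return (geteuid() == uid && getegid() == gid) ? 0 : -1;
}

/* Write our pid to `path`, replacing any existing entry (symlink or
 * file) instead of writing through it. Returns 0 on success. */
int write_pidfile(const char *path)
{
    char buf[32];
    int fd, len;

    if (unlink(path) != 0 && errno != ENOENT)  /* removes the link itself */
        return -1;
    /* O_EXCL makes open() fail if a link reappears in the race window. */
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    len = snprintf(buf, sizeof buf, "%ld\n", (long)getpid());
    if (write(fd, buf, (size_t)len) != len) {
        close(fd);
        return -1;
    }
    return close(fd);
}
```

Call `drop_privileges()` once the shadow entry has been read and before any file in the user's home directory is touched, and treat a non-zero return as fatal.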
