Your message dated Tue, 18 Oct 2005 09:47:53 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#318736: or..
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
From: Andrew Pollock <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: apt-listchanges: Drop privileges before displaying changes
X-Mailer: reportbug 3.15
Date: Sun, 17 Jul 2005 21:44:52 +1000
Package: apt-listchanges
Version: 2.59-0.2
Severity: wishlist
Tags: security
Hi,
It's conceivable that a user may be granted sufficient privileges (with
sudo for example) to be able to install software, without being granted
full root access.
To this end, it is preferable that users can't easily gain root access
by shelling out of privileged applications.
apt-listchanges displays the changelog as root, so if one is using less
as their pager, they can get a root shell by using the ! command in
less. If the changelog is displayed using an xterm, and gnome-terminal
is the user's x-terminal-emulator, they can open another tab and get a
root shell.
If possible, switching to a non-privileged user prior to displaying the
changelog would prevent giving away full root access.
regards
Andrew
-- System Information:
Debian Release: testing/unstable
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.9-mppe
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Versions of packages apt-listchanges depends on:
ii apt 0.5.28.6 Advanced front-end for dpkg
ii debconf 1.4.51 Debian configuration management sy
ii debianutils 2.14.1 Miscellaneous utilities specific t
ii python 2.3.5-2 An interactive high-level object-o
ii python-apt 0.5.10 Python interface to libapt-pkg
ii ucf 1.18 Update Configuration File: preserv
apt-listchanges recommends no packages.
-- debconf information:
* apt-listchanges/confirm: false
* apt-listchanges/email-address: root
* apt-listchanges/which: both
* apt-listchanges/frontend: xterm-pager
* apt-listchanges/save-seen: true
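
Added example (not part of the report above and not apt-listchanges code): one way a root process could drop privileges in the child before it execs the pager, as the report requests. The function names, the fallback uid/gid 65534 for "nobody", and the use of sudo's SUDO_UID/SUDO_GID variables are assumptions of this sketch.

```python
import os
import subprocess

NOBODY = (65534, 65534)  # assumption: uid/gid of "nobody" on the target system

def target_ids(env, fallback=NOBODY):
    """Return the (uid, gid) to display as: the sudo caller, else fallback."""
    try:
        uid, gid = int(env["SUDO_UID"]), int(env["SUDO_GID"])
    except (KeyError, ValueError):
        return fallback
    return (uid, gid) if uid > 0 and gid > 0 else fallback

def pager_env(env):
    """Minimal environment for the pager; nothing is inherited except TERM."""
    return {"PATH": "/usr/bin:/bin", "HOME": "/nonexistent",
            "TERM": env.get("TERM", "dumb"),
            "LESSSECURE": "1"}  # less: disables "!" shell escapes and editing

def drop_privileges(uid, gid, osmod=os):
    """Irreversibly become uid:gid; must be called while still root."""
    osmod.setgroups([gid])   # 1. shed root's supplementary groups
    osmod.setgid(gid)        # 2. group next: only possible while still root
    osmod.setuid(uid)        # 3. user last: sets real, effective and saved uid
    if (osmod.getuid(), osmod.geteuid(), osmod.getgid()) != (uid, uid, gid):
        raise RuntimeError("privilege drop did not take effect")
    try:
        osmod.setuid(0)      # must fail if the drop is permanent
    except OSError:
        return
    raise RuntimeError("root can be regained after drop")

def show_changelog(text, pager=("less",), env=None):
    """Pipe text to the pager, which runs unprivileged even if we are root."""
    env = dict(os.environ if env is None else env)
    uid, gid = target_ids(env)

    def demote():  # runs in the child between fork() and exec()
        if os.geteuid() == 0:
            drop_privileges(uid, gid)

    done = subprocess.run(list(pager), input=text.encode(), env=pager_env(env),
                          preexec_fn=demote, check=False)
    return done.returncode
```

If the drop fails in the child, subprocess raises in the parent and no pager is started, so the display fails closed rather than running as root.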
---------------------------------------
Date: Tue, 18 Oct 2005 09:47:53 -0700
From: Matt Zimmerman <[EMAIL PROTECTED]>
To: Joey Hess <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
Subject: Re: Bug#318736: or..
On Tue, Oct 18, 2005 at 01:36:46AM -0400, Joey Hess wrote:
> Or you can run "DEBIAN_FRONTEND=editor sudo whatever" and wait for a
> debconf question, which will run in your favorite editor (or other
> program).
>
> The possibilities are probably endless; it wasn't designed to be safe
> for untrusted users to access; this bug should be closed.
Agreed.
--
- mdz