I have attempted to send a private reply to Steve Langasek but, given other
replies and in case he doesn't receive private replies, here is the content:
=======================
Re: Bug#410248: tk-gnutella-0.96.1svn12109-1: Will not start as user, , , 
executable is set as root, root ... security thoughts say this is wrong.
 Date: Today 18:17:09
my email removed
 To: Steve Langasek <[EMAIL PROTECTED]>
 
Hope you don't mind an email reply.

Sorry for the mis-report.
Thought it might be the case, hence I didn't change the permissions. However
I previously ran it as a non-root user.

Unfortunately, I couldn't get the text to attach via reportbug. It seems it
also placed it in the tmp directory and due to a restart is lost.
I shall try to recap just in case it is a bug.

Since updating I can no longer use gtk-gnutella.
When attempting to run it via KDE desktop I do not even get the normal mouse 
or taskbar notifications.
In my opinion this normally means a file cannot be found.

The KDE Menu Item states gtk-gnutella as the command. It is not in bin or sbin
(didn't expect it here but just following Path variables) but is
in /usr/bin.

Since I have run it previously as a non-root user and found the permissions
of /usr/bin/gtk-gnutella set as root,root, I considered this both odd and a
possible security weakness.
Hence my bug report.

So I guess the question is 'how was I able to run it as a non-root user
before?'.

I will of course confirm clearance of this bug or its reclassification as you
see fit, but would also appreciate your comment on the running as non-root
dilemma.

I have not included a full system dump but I am running:
Linux debian64 2.6.18-1-amd64 #1 SMP Sat Oct 21 18:36:02 CEST 2006 x86_64 
GNU/Linux
Running etch updated preferring latest versions via synaptic 0.57.8


Many Thanks.....Paul.....


On Friday 09 February 2007 01:30, you wrote:
> reassign 410248 gtk-gnutella
> found 410248 0.96.1svn12109-1
> tags 410248 -security
> thanks
>
> Please put your bug report in the body of the message, not in the subject.
>
> On Thu, Feb 08, 2007 at 08:48:10PM +0000, [EMAIL PROTECTED] wrote:
> > Package: tk-gnutella-0.96.1svn12109-1
> > Version: 0.96.1svn12109-1
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> >
> > Will not start as user, , ,
> > executable is set as root, root ... security thoughts say this is wrong.
>
> Um, no.  All binaries provided by packages are supposed to be owned by
> root.
====================================================
Additional Info

The executable does not run as root.

As per Graham's post my ls -l gives
-rwxr-xr-x 1 root root 2666760 2006-10-16 00:24 gtk-gnutella
 
If this is correct then this may be another KDE bug?

Best wishes...Paul
