Hi Konrad,

thanks for the report. Volker forwarded it to the qt-project security mailing 
list. Feel free to send further security related issues there.

> When I call MaintenanceTool to install another version of Qt it wants to
> sudo into root when it starts to download Qt components.  It still asks
> for the sudo password if I quit while selecting components!

I assume you start a new installer here (not the MaintenanceTool of an existing 
installation). Is that really during the download, or in the extraction phase? 
Can you maybe create a bug report and attach the installation log (you can 
start the installer with --verbose)?

> Worse, if I normally have sudo set to NOPASSWD then it does not even ask, it 
> just switches!

This is now tracked in https://bugreports.qt.io/browse/QTIFW-1794

> The temporary directory installerResources has access rights 0557. Other
> directories are group-writable.

There indeed seems to be an issue in the rights of some directories (though I 
personally don't have the 0557 rights). Whether this is an IFW or packaging bug 
needs to be investigated further.

Kai

________________________________________
From: Development <development-boun...@qt-project.org> on behalf of Konrad 
Rosenbaum <kon...@silmor.de>
Sent: Thursday, May 21, 2020 9:14 PM
To: development@qt-project.org
Subject: [Development] MaintenanceTool and/or InstallerFramework horribly insecure?

Hi,


I thought what the heck, let's update the pre-compiled Qt components on
my computer. Apart from making me jump through the Qt Account hoop, I'm
not sure whether this is deliberate (nefariously or incompetently) or
just broken (please tell me it is a simple bug!):


OS: Linux, Debian (testing), amd64

Installation-Directory of Qt: $HOME/Qt of the user running MaintenanceTool

MaintenanceTool version: 3.2.2-0-202003121118


When I call MaintenanceTool to install another version of Qt it wants to
sudo into root when it starts to download Qt components. It still asks
for the sudo password if I quit while selecting components! Worse, if I
normally have sudo set to NOPASSWD then it does not even ask, it just
switches!

The temporary directory installerResources has access rights 0557. Other
directories are group-writable.


I view those as severe security issues:

 - the installer (actually no tool whatsoever) should switch to root
unless absolutely necessary, to prevent escalation of other security issues

 - no interactive tool should switch to root without informing the user

 - the installer must not make any directories or files writable for
anyone but the user running that tool - otherwise other users are able
to attack by inserting malicious code


I have the bad feeling that someone should perform a security audit on
MaintenanceTool and installer framework.



    Konrad


_______________________________________________
Development mailing list
Development@qt-project.org
https://lists.qt-project.org/listinfo/development
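
The directory-permission problem reported in this thread (installerResources at 0557, other directories group-writable) can be checked for on any installation tree. The following is an added example, not part of the thread and not Qt Installer Framework code; the function names and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile


def audit_tree(root, trusted_uid=None):
    """Return (path, octal_mode, reasons) for every file or directory under
    root that someone other than the trusted user could modify."""
    if trusted_uid is None:
        trusted_uid = os.getuid()
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    findings = []
    for path in paths:
        st = os.lstat(path)            # lstat: never follow symlinks
        if stat.S_ISLNK(st.st_mode):
            continue                   # link permission bits are meaningless
        mode = stat.S_IMODE(st.st_mode)
        reasons = []
        if mode & stat.S_IWOTH:
            reasons.append("world-writable")
        if mode & stat.S_IWGRP:
            reasons.append("group-writable")
        if st.st_uid != trusted_uid:
            reasons.append(f"owned by uid {st.st_uid}")
        if reasons:
            findings.append((path, f"{mode:04o}", reasons))
    return findings


def demo():
    """Audit a constructed tree that mimics the modes named in the report."""
    with tempfile.TemporaryDirectory() as root:
        modes = {"installerResources": 0o557, "shared": 0o775, "private": 0o700}
        for name, mode in modes.items():
            os.mkdir(os.path.join(root, name))
            os.chmod(os.path.join(root, name), mode)  # chmod ignores the umask
        found = {os.path.relpath(p, root): (m, r) for p, m, r in audit_tree(root)}
        # Restore owner write access so the temporary tree can be removed.
        os.chmod(os.path.join(root, "installerResources"), 0o700)
        return found


if __name__ == "__main__":
    for rel, (mode, reasons) in sorted(demo().items()):
        print(f"{mode}  {rel}: {', '.join(reasons)}")
```

Mode 0557 grants write access to "other" but not to the owner or the group, which is why only the world-writable finding is reported for that directory.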
