> *********** REPLY SEPARATOR  ***********
> 
> On 24/12/99 at 15:30 Justin Cormack wrote:
> 
> >
> >Well I am inclined to report this as a bug with major security implications.
> >
> >As far as I can see it is only acceptable to be asked for a root password
> >if you have explicitly requested root access (eg su or login). Adding a
> >graphical way of requesting root access (eg a program called [gxk]root say
> >that simply produced a menu of programs that would then be run as root)
> >could be acceptable, but producing unrequested root password requests
> >is not acceptable, indeed is a major security problem.
> >
> >Justin
> 
> Maybe I am missing something....
> 
> Any OS can have things that are meant to be run as an eqv to root, but will
> prompt for passwd if the requestor's level is not high enough....
> 
> a bug maybe.........but a security problem, how so ?

The dialogues concerned often are not related to anything the user's done 
recently; I've seen several appear when I login.

The dialogues concerned do not identify the program that has requested the 
info (though I'm not sure that it would be better if it did....).

This program behaviour can accustom users who know the root password to 
enter it whenever some program asks for it.

I could write a gnome program (say, an email client of which I make 
extravagant claims) and make it available at 
ftp://www2.ami.com.au/pub/gnome/mail/johnsmailclient-1.0,i386.rpm and 
doubtless people reading about it would run it.

When run, it could (perhaps) install something in gnome's startup folder 
for the user; that something could be a program that requests root's 
password and then mails it off to [EMAIL PROTECTED]. Having done that, 
it could deinstall itself and in its place install a biff-type program or 
some such. It would take some time, I imagine, for anyone to discover that 
johnsmailclient contained function added to that which I claimed (which 
might all be present and working).

If the user denies knowledge of the password, it would shrug its 
electronic shoulders and hide itself as above.
-- 
Cheers
John Summerfield
http://os2.ami.com.au/os2/ for OS/2 support.
Configuration, networking, combined IBM ftpsites index.

