*** This bug is a security vulnerability *** Private security bug reported:
This bug makes it impossible to create a locked down system. It affects a support customer (school roll-out scenario) and has a high impact profile.

Summary:

An administrator removes menu items from the Menu Bar with gmenu-simple-editor (right-click Applications > 'Edit Menus'). He/she then removes command line access and Panel modification:

gconftool-2 \
  --direct \
  --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
  --type bool --set /desktop/gnome/lockdown/disable_command_line true

gconftool-2 \
  --direct \
  --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
  --type bool --set /apps/panel/global/locked_down true

This bug allows a user to circumvent all that by simply adding applications back into the menus because gmenu-simple-editor is not affected by the gconf /apps/panel/global/locked_down key as it should be.

This bug has been reproduced on Jaunty. A public bug exists but it has been forgotten (c. 2005):

https://bugs.launchpad.net/gnome-panel/+bug/4712

The listed workaround of changing filesystem permissions for every user on the system is not acceptable:

$ sudo chown -R root:root ~/.config/menus

QA Team response deadline: June 11, 15:15 UTC
REF:50020000005u5kP

 affects ubuntu/gnome-panel
 security yes
 private yes
 subscribe canonical-support
 subscribe canonical-qa

-- 
Peter Matulis
Support Team

** Affects: gnome-panel (Ubuntu)
   Importance: Undecided
   Status: New

-- 
P3: Locked GNOME Panel does not affect gmenu-simple-editor
https://bugs.launchpad.net/bugs/385596
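An added example, not part of the original report or of GNOME's own code: a shell audit an administrator could run to confirm that the two mandatory keys from the report are set and to detect per-user menu files under ~/.config/menus that override the locked-down menus. It assumes GConf's XML backend stores each key as a one-line <entry> in a %gconf.xml file under the key's directory (a merged %gconf-tree.xml is not handled) and that user menu edits are saved as *.menu files; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (hypothetical helper names), not code from the bug report.

# mandatory_bool_is_true SOURCE_DIR KEY
# Succeeds only if KEY is stored as a bool with value "true" in SOURCE_DIR.
# Assumption: <SOURCE_DIR>/<key dir>/%gconf.xml holds one <entry .../> per line.
mandatory_bool_is_true() {
    file="$1${2%/*}/%gconf.xml"
    name=${2##*/}
    [ -f "$file" ] || return 1
    grep "name=\"$name\"" "$file" | grep 'type="bool"' | grep -q 'value="true"'
}

# list_menu_overrides HOME_ROOT
# Prints every per-user menu file, i.e. HOME_ROOT/<user>/.config/menus/**/*.menu.
list_menu_overrides() {
    find "$1"/*/.config/menus -type f -name '*.menu' 2>/dev/null | sort
}

# audit SOURCE_DIR HOME_ROOT
# Prints one line per finding; returns 0 only if both keys are set to true
# and no user carries a menu override.
audit() {
    src=$1 homes=$2 rc=0
    for key in /desktop/gnome/lockdown/disable_command_line \
               /apps/panel/global/locked_down; do
        if ! mandatory_bool_is_true "$src" "$key"; then
            echo "MISSING mandatory key: $key"
            rc=1
        fi
    done
    overrides=$(list_menu_overrides "$homes")
    if [ -n "$overrides" ]; then
        echo "$overrides" | sed 's/^/USER MENU OVERRIDE: /'
        rc=1
    fi
    return $rc
}

# Real-host usage (as root): sh audit.sh /etc/gconf/gconf.xml.mandatory /home
if [ "$#" -eq 2 ]; then
    audit "$1" "$2"
fi
```

A reported override means the panel lockdown alone is not being enforced for that account, which is the gap the report describes.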