Possible security issue with --description
From: mihai z
Subject: Possible security issue with --description
Date: Thu, 21 Feb 2008 10:21:10 -0800 (PST)
The --description option allows you to show a random string instead of the command you are executing. This could facilitate an elevation of privilege for an application that has normal user rights. It can do this by modifying menu entries that use gksu to launch applications with administrative rights. When prompted with the gksu dialog you will see only the provided description, not the command you are running.
Example:
In Ubuntu 7.10 I am able to modify the menu entry for Synaptic Package Manager with normal user rights from
    gksu /usr/sbin/synaptic
to something like
    gksu --description synaptic /home/user/.sinaptic
where the .sinaptic script runs some "evil code" and starts the real synaptic.
I propose to show the command gksu is running even if you have a description. Of course, the complete solution probably should include having those menu entries read-only for a normal user, but that is probably a GNOME issue.
Mihai Varzaru
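Added example, not part of the original message and not gksu code: a small audit that reads the text of a menu (.desktop) entry and flags gksu launchers where --description replaces the command in the prompt while the target lies outside root-owned directories. The function names, the TRUSTED_DIRS list and the two sample entries are assumptions constructed from the commands quoted in the message; only the --description option is modelled.

```python
import shlex

# Assumption: directories that only root can write to on the audited host.
TRUSTED_DIRS = ("/usr/sbin/", "/usr/bin/", "/sbin/", "/bin/")

def audit_exec(exec_value):
    """Inspect one Exec= value; return a finding dict, or None if it is not gksu."""
    argv = shlex.split(exec_value)
    if not argv or argv[0].rsplit("/", 1)[-1] != "gksu":
        return None
    description, command, i = None, [], 1
    while i < len(argv):
        tok = argv[i]
        if command:                          # tokens after the command belong to it
            command.append(tok)
        elif tok == "--description" and i + 1 < len(argv):
            description, i = argv[i + 1], i + 1
        elif tok.startswith("--description="):
            description = tok.split("=", 1)[1]
        elif not tok.startswith("-"):        # simplification: other options take no value
            command.append(tok)
        i += 1
    target = command[0] if command else ""
    return {
        "command": " ".join(command),
        "description": description,
        "command_hidden": description is not None,
        # Relative names (resolved through PATH) are treated as untrusted too.
        "untrusted_target": not target.startswith(TRUSTED_DIRS),
    }

def audit_desktop_entry(text):
    """Return findings for every Exec= line in the text of one .desktop file."""
    findings = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "Exec":
            finding = audit_exec(value.strip())
            if finding:
                findings.append(finding)
    return findings

# Constructed sample entries built from the two commands quoted in the message.
ORIGINAL = "[Desktop Entry]\nName=Synaptic Package Manager\nExec=gksu /usr/sbin/synaptic\n"
MODIFIED = ("[Desktop Entry]\nName=Synaptic Package Manager\n"
            "Exec=gksu --description synaptic /home/user/.sinaptic\n")

if __name__ == "__main__":
    for label, entry in (("original", ORIGINAL), ("modified", MODIFIED)):
        for f in audit_desktop_entry(entry):
            risky = f["command_hidden"] and f["untrusted_target"]
            print(label, "SUSPICIOUS" if risky else "ok", f["command"])
```

An entry is worth manual review when both command_hidden and untrusted_target are true, which is the case for the modified entry and not for the original one.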