Package: sugar
Version: 0.79.4-2
Severity: normal

I decided to toy around with Sugar a bit to see what it's all about, and apt-get installed sugar. When clicking on "shutdown" in the context menu, I was surprised to see that my computer actually shut down, despite /usr/bin/sugar* not carrying any s(u|g)id bit. Given that /sbin/halt refuses to be run by an ordinary user, where does Sugar get the privileges from? In any case, it shouldn't have that privilege since malicious software could exploit it to power down the computer. Security policies shouldn't appear as inconsistent as they do in this case.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.24-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages sugar depends on:
ii  dbus-x11                 1.1.1-3     simple interprocess messaging syst
ii  librsvg2-common          2.18.2-1    SAX-based renderer library for SVG
ii  matchbox-window-manager  1.2-1       window manager for resource-limite
ii  python                   2.5.2-1     An interactive high-level object-o
ii  python-cairo             1.4.0-2+b1  Python bindings for the Cairo vect
ii  python-central           0.6.6       register and build utility for Pyt
ii  python-dbus              0.82.3-1    simple interprocess messaging syst
ii  python-gnome2-desktop    2.20.0-1    Python bindings for the GNOME desk
ii  python-gobject           2.14.0-2    Python bindings for the GObject li
ii  python-gst0.10           0.10.11-1   generic media-playing framework (P
ii  python-gtk2              2.12.0-1    Python bindings for the GTK+ widge
ii  python-hippocanvas       0.2.23-4.1  Python bindings to hippo-canvas
ii  python-numpy             1:1.0.4-8   Numerical Python adds a fast array
ii  python-simplejson        1.9.1-1     Simple, fast, extensible JSON enco
ii  python-sugar             0.79.1-1    Sugar graphical shell - core funct
ii  python-sugar-toolkit     0.79.6-2    Sugar graphical shell - core widge
ii  python-telepathy         0.15.0-1    python language bindings for telep
ii  telepathy-gabble         0.7.5-2     Jabber/XMPP connection manager
ii  telepathy-salut          0.3.1-1     Link-local XMPP connection manager
ii  telepathy-stream-engine  0.5.2-1     stream handler for the Telepathy f

Versions of packages sugar recommends:
ii  gstreamer0.10-plug  0.10.8-2               GStreamer plugins from the "good"
ii  net-tools           1.60-17.2              The NET-3 networking toolkit
ii  network-manager     0.6.5-3                network management framework daemo
ii  sugar-artwork       0.79.2-2               Sugar graphical shell - artwork
ii  x11-xserver-utils   7.3+1                  X server utilities
ii  xbase-clients       1:7.3+3                miscellaneous X clients - metapack
ii  xserver-xephyr      2:1.4.1~git20080131-3  nested X server

-- no debconf information