Bug has been fixed and new version cheermeup-0.6-1 released.

   The bug was fixed by grepping the "key=value" entries in the users'
config files, that is, without executing or sourcing them.

   --
OLE WOLF[1]
Rødhættevej 4 * 9400 Nørresundby
   Telefon: 9632-0108 * Mobil: 2467-5526 * Skype: ole.wolf * SIP: ole.w...@ekiga.net

   Quoting Ole Wolf <o...@naturloven.dk>:
Hi Philipp,

    Ouch, I should have thought of that possible exploit. I agree, it's
  not suitable for release as is; in fact, I'll remove the download from the
  homepage.

    What is "polygen"?

    Thanks,

    --Ole

    Quoting "Philipp A. Hartmann" <p...@sorgh.de>:

   Hey,

   the cronjob script in the cheermeup package contains a serious privilege
   escalation bug by sourcing the "user configuration settings" as root
   user:

   # ...
      localconfig="$homedir/.config/cheermeup/config"
      if [ -f "$localconfig" ]; then
          . $localconfig
      else
   # ...

   A local user can therefore execute arbitrary commands as root by simply
   putting them into ~/.config/cheermeup/config and waiting for the next run.

   The package should drop privileges way earlier, e.g. by using ConsoleKit
   to determine the currently open user sessions and running a separate
   script as the logged-in user(s) to create the cheers.

   Secondly, the cronjob sometimes writes stuff to stdout/err and may exit
   with a non-zero exit code, e.g. if no (GNOME/Unity) user is currently
   logged in, which leads to rather annoying mails to root.

   I really like the idea, but this package may need some work (beyond
   polygen support requested by Enrico) before being suitable for
   distribution.

   Greetings from Oldenburg, Philipp




Links:
------
[1] http://naturloven.dk
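
The approach named in the fix announcement above (grep the "key=value" entries instead of sourcing the file), sketched as an added example; this is not the code shipped in cheermeup-0.6-1, and the key names "interval" and "theme" and the allowed value characters are assumptions.

```sh
#!/bin/sh
# Added example, not cheermeup's own code: read one key from an untrusted
# "key=value" file without executing any of it.

# read_config_value FILE KEY
# Prints the value of the last "KEY=value" line. Returns non-zero if the file
# is not a regular file, the key is absent, or the value contains characters
# outside a conservative allow-list.
read_config_value() {
    file=$1
    key=$2
    # Regular files only; do not follow a symlink planted by the user.
    [ -f "$file" ] && [ ! -L "$file" ] || return 1
    # The key must be a plain identifier so it is safe inside the regex.
    case $key in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    # grep treats the file purely as data; nothing in it is ever run.
    line=$(grep -E "^${key}=" -- "$file" | tail -n 1) || return 1
    value=${line#*=}
    # Strip one pair of surrounding double quotes, if present.
    case $value in
        \"*\") value=${value#\"}; value=${value%\"} ;;
    esac
    # Reject shell metacharacters outright instead of trying to escape them.
    case $value in
        ''|*[!A-Za-z0-9_./:-]*) return 1 ;;
    esac
    printf '%s\n' "$value"
}

# Constructed sample input: one benign setting plus two lines that would
# run as root if the file were sourced with ". $localconfig".
write_sample_config() {
    cat > "$1" <<'EOF'
interval=30
theme=$(id)
id > /dev/null
EOF
}
```

The symlink test is subject to a race between the check and the read, so running the parser as the logged-in user rather than as root, as suggested in the original report, remains the stronger fix.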
