On Sun, Feb 17, 2008 at 10:24:13AM +0530, Raj Kiran Grandhi wrote:
> Douglas A. Tutty wrote:
> >On Sat, Feb 16, 2008 at 09:38:03PM -0500, Frank McCormick wrote:
> >>On Sat, 16 Feb 2008 20:54:33 -0500
> >>"Douglas A. Tutty" <[EMAIL PROTECTED]> wrote:
> >>>On Sat, Feb 16, 2008 at 08:15:07PM -0500, Frank McCormick wrote:
> >>>>On Sat, 16 Feb 2008 17:32:56 -0600
> >>>>"Russell L. Harris" <[EMAIL PROTECTED]> wrote:
> >>>>>* Frank McCormick <[EMAIL PROTECTED]> [080216 17:21]:
>
> >If gtk apps are able to do things as root if you type in the old root
> >password but non-gtk apps will not work with the old root passwd but
> >will with the new root passwd, and if you can su (not sudo) to root
> >using the new root password but not the old root password, then gtk has
> >been storing the root password in some form. I call that a breach plain
> >and simple. It may be a design flaw that needs to be tracked down or it
> >could be that your particular box has been compromised. Either way, I
> >would call the box compromised.
>
> I wonder if gtk is indeed able to gain root privilege. For that to
> happen I think all the following should be met (please correct me if I
> am wrong):
>
> 1. gnome/gtk is running as root (I do not think that is the case)

or there's a bug allowing privilege escalation.

> 2. gnome/gtk caches the password first time the user provides it,
> probably after comparing the hash with /etc/shadow.

Now you have a user-level program with the root password stored
who-knows-where. Not good.

> 3. Every time something needs to be done as root, the user is prompted
> for a password and the supplied password is compared to the cached one
> before granting root privilege.

It should be using pam or su or sudo; established mechanisms.

>
> I don't think something like this has been going on.
>
> Unless gnome/gtk is running as root and does the job of hashing the
> password provided and comparing it with /etc/shadow, how can it *gain*
> root privilege once the password is changed? By supplying the old
> password, gnome/gtk may think the user has the required rights, but
> unless the underlying authentication mechanism (pam?) also does this
> sort of caching, the authentication should fail.
>

And from the descriptions, it hasn't been failing. That's my concern.
Type in the old root password and do something that only root should be
able to do.

> >
> >I would find a temporary test box (any old box will do). Install a gtk
> >system and test this out. Use a gtk app that asks for the root
> >password, then change the root passwd with passwd (and not a gtk app)
> >and then see what the gtk app will accept. If it will only accept the
> >old passwd then it's a GTK design flaw. If it will only accept the new
> >root passwd then your box has been compromised.
>
> Just did that. I ran gdmsetup from the "System" menu on the gnome-panel.
> Provided root password and asked it to "Save it for this session".
> Closed gdmsetup and launched it again. No password asked.
> Closed gdmsetup, changed root password from a terminal and relaunched
> the gdmsetup. No prompt for password, but got an error saying that the
> wrong password has been supplied.
>

This is as it should be. If this is not how it is happening on the
subject box, then consider the box compromised.

Doug.