Bug#454624: gksu doesn't ask for a password and runs apps as root
Nicolas
e.conti at gmx.net
Thu Dec 6 17:42:04 UTC 2007
Package: gksu
Version: 2.0.0-5
Severity: critical
Tags: security
Justification: root security hole
Hello,
Since today, when I run gksu as a "normal user" (not root), it doesn't ask for
the root password. An empty window opens. Nothing is written inside it, aside
from "Do not show that message again" (I'm translating the message into English
for the bug report).
I launched gksu from a shell, still from a "normal user" account:
/usr/bin/gksu -u root /usr/sbin/synaptic
The empty window opens, and here's what is written in the console :
(gksu:6066): Gtk-WARNING **: Failed to set text from markup due to error
parsing markup: Error on line 1 char 35: Invalid UTF-8 encoded text - not valid
'<b><big>Permissions granted without asking for a password</big></b>
The program "/usr/sbin/synaptic" was launched with the privileges of the user
root without having to ask for a password, because of the configuration of
your system's authentication mechanism.
It is possible that you are allowed to run specific programs as the root user
without needing a password, or that the password is cached.
This is not a problem report; it is just a warning to make sure you are aware
of it.'
The strange \xyz chars are displayed in this bug report as they do appear in the console.
What surprised me is that even if gksu doesn't ask for the root password, I'm
actually able to use synaptic! I mean not only browsing the packages, but
installing them, removing them, and so on. So synaptic is run from the root
account!
So I did a test from a console:
$ whoami
normal_non_root_user
$ su
Password:
# echo "test" > xyz_test_file.txt
# chmod 600 xyz_test_file.txt
# ls -l xyz_test_file.txt
-rw------- 1 root root 5 2007-12-06 18:39 xyz_test_file.txt
# exit
$ whoami
normal_non_root_user
$ /usr/bin/gksu -u root more xyz_test_file.txt
(gksu:7336): Gtk-WARNING **: Failed to set text from markup due to error
parsing markup: Error on line 1 char 35: Invalid UTF-8 encoded text - not valid
'<b><big>Permissions granted without asking for a password</big></b>
The program "more 'xyz_test_file.txt'" was launched with the privileges of the
user root without having to ask for a password, because of the configuration
of your system's authentication mechanism.
It is possible that you are allowed to run specific programs as the root user
without needing a password, or that the password is cached.
This is not a problem report; it is just a warning to make sure you are aware
of it.'
test
As you can see, the word "test" is displayed in the console at the end, while
xyz_test_file.txt's permissions are 600 and I'm logged in as a normal user.
I think there's a major security issue here!
Nicolas,
Paris, France.
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.23.9 (SMP w/2 CPU cores)
Locale: LANG=fr_FR, LC_CTYPE=fr_FR (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash
Versions of packages gksu depends on:
ii gnome-keyring 2.20.2-1 GNOME keyring services (daemon and
ii libatk1.0-0 1.20.0-1 The ATK accessibility toolkit
ii libc6 2.7-3 GNU C Library: Shared libraries
ii libcairo2 1.4.10-1.1 The Cairo 2D vector graphics libra
ii libgconf2-4 2.20.1-1 GNOME configuration database syste
ii libgksu2-0 2.0.5-1 library providing su and sudo func
ii libglib2.0-0 2.14.4-2 The GLib library of C routines
ii libgnome-keyring0 2.20.2-1 GNOME keyring services library
ii libgtk2.0-0 2.12.3-1 The GTK+ graphical user interface
ii liborbit2 1:2.14.7-0.1 libraries for ORBit2 - a CORBA ORB
ii libpango1.0-0 1.18.3-1 Layout and rendering of internatio
ii libstartup-notification0 0.9-1 library for program launch feedbac
ii sudo 1.6.9p9-1 Provide limited super user privile
gksu recommends no packages.
-- no debconf information
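The warning dialog quoted in the report names two reasons a privileged launch can need no password: a sudoers rule that allows specific programs as root without a password, or a sudo credential still cached from an earlier authentication. The script below is an added example, not code from the bug report or from gksu, for checking both on a machine that behaves like the one described. The sudoers text it parses is a constructed sample, the gconf key /apps/gksu/sudo-mode is an assumed name for the setting that switches gksu between su and sudo, and the sudo -n flag it uses is the non-interactive mode of modern sudo, which the sudo 1.6.9 listed in the report may not have.

```shell
#!/bin/sh
# Added example, not from the bug report or from gksu: find out why a
# privileged launch needed no password. Part 1 parses sudoers-style text for
# NOPASSWD rules (run here on a constructed sample); part 2 does live checks
# only when the tools exist, so the script also runs where sudo or gconf are
# absent.

# Constructed sample sudoers text (not a real /etc/sudoers).
SAMPLE_SUDOERS='# constructed sample
Defaults        env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
nicolas ALL=(root) NOPASSWD: /usr/sbin/synaptic   # one program, no password
%wheel  ALL=(ALL) NOPASSWD: ALL                   # everything, no password
'

# Part 1: print the rules that carry the NOPASSWD tag, one per line.
# Reads sudoers text on stdin; comments are stripped first so a commented-out
# rule does not count.
nopasswd_rules() {
    sed -e 's/[[:space:]]*#.*$//' | grep 'NOPASSWD' || true
}

# Number of NOPASSWD rules in the text given as $1 (prints 0 when none).
count_nopasswd() {
    printf '%s\n' "$1" | nopasswd_rules | grep -c . || true
}

# Part 2: live checks. Each prints yes / no / unknown on stdout.

# "sudo -n" never prompts (non-interactive mode of modern sudo). It succeeds
# only when no password is needed: a NOPASSWD rule matches, or a credential is
# still cached from a recent sudo within the timestamp timeout.
can_sudo_without_password() {
    command -v sudo >/dev/null 2>&1 || { echo unknown; return 0; }
    if sudo -n -u root true >/dev/null 2>&1; then echo yes; else echo no; fi
}

# Debian's gksu 2.0.x picks su or sudo through gconf. The key name
# /apps/gksu/sudo-mode is an assumption here; list the real keys with
# "gconftool-2 --all-entries /apps/gksu".
gksu_sudo_mode() {
    command -v gconftool-2 >/dev/null 2>&1 || { echo unknown; return 0; }
    gconftool-2 --get /apps/gksu/sudo-mode 2>/dev/null || echo unset
}

if [ "${1:-}" = "--live" ]; then
    echo "sudo without a password: $(can_sudo_without_password)"
    echo "gksu sudo-mode:          $(gksu_sudo_mode)"
    echo "NOPASSWD entries from 'sudo -l':"
    sudo -n -l 2>/dev/null | grep 'NOPASSWD' || echo "  (none listed, or sudo -l unavailable)"
else
    echo "NOPASSWD rules in the constructed sample:"
    printf '%s\n' "$SAMPLE_SUDOERS" | nopasswd_rules
fi
```

Run it with no arguments to see the parser on the sample, or with --live as the affected user to query sudo and gconf on the actual machine. A "yes" from the sudo check with no NOPASSWD line listed by sudo -l points at a cached credential rather than a sudoers rule; a NOPASSWD line naming /usr/sbin/synaptic or ALL explains the behaviour in the report directly.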