Web lists-archives.com

Re: Security hole in LXDE?




On Mon, 27 Feb 2017 10:19:47 +0100
Hans <hans.ullrich@xxxxxxx> wrote:

> Hi folks,
> 
> on my system /debian-amd64/testing) I can start Synaptic as a normal
> user, just by using the user password. In KDE this is not possible,
> there I need the root password.
> 
> I do not have sudo in use.
> 
> As I do not know, if this is a problem on my system (I have no second
> one to confirm this)., maybe please someone else could check this.
> 
> If I am correct, this is a security hole. If I am wrong, I have to
> recheck my system.
> 
>

Check how synaptic is being started by the menu entry. Typically,
synaptic will be started by /usr/bin/synaptic-pkexec, which uses
policykit to authorise an effective su for a normal user. The executable
synaptic is in /usr/sbin, so will probably not work from a menu.

I've changed the launcher to gksudo synaptic, which gives me explicit
fine control with sudoers.

I suspect what you're seeing is as intended.

-- 
Joe