Re: Security hole in LXDE?
- Date: Mon, 27 Feb 2017 11:06:58 +0000
- From: Joe <joe@xxxxxxxxxxxxxx>
- Subject: Re: Security hole in LXDE?
On Mon, 27 Feb 2017 10:19:47 +0100
Hans <hans.ullrich@xxxxxxx> wrote:
> Hi folks,
> on my system /debian-amd64/testing) I can start Synaptic as a normal
> user, just by using the user password. In KDE this is not possible,
> there I need the root password.
> I do not have sudo in use.
> As I do not know, if this is a problem on my system (I have no second
> one to confirm this)., maybe please someone else could check this.
> If I am correct, this is a security hole. If I am wrong, I have to
> recheck my system.
Check how synaptic is being started by the menu entry. Typically,
synaptic will be started by /usr/bin/synaptic-pkexec, which uses
policykit to authorise an effective su for a normal user. The executable
synaptic is in /usr/sbin, so will probably not work from a menu.
I've changed the launcher to gksudo synaptic, which gives me explicit
fine control with sudoers.
I suspect what you're seeing is as intended.