http://qa.mandrakesoft.com/show_bug.cgi?id=408
------- Additional Comments From [EMAIL PROTECTED] 2003-03-13 19:35 -------
Will,
This bug is _still_ there, even _after_ I applied the Mandrake 9.0 "update" for this bug
from http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:031 .
"rpm -qa | grep usermode" shows:
usermode-consoleonly-1.55-8.1mdk
usermode-1.55-8.1mdk
Now, as a non-root user, I made a link in my home directory:
ln -s /usr/bin/consolehelper ./shutdown
Next, I ran "./shutdown now" and lo and behold, the whole system went into run-level 1
and gave a root shell !! Obviously, no root password was asked for.
Please fix this bug once and for all.
------- Reminder: -------
assigned_to: [EMAIL PROTECTED]
status: RESOLVED
creation_date:
description:
if you type
shutdown now
as user, your system switches to runlevel 1 and you get a root-shell without any
root-password query.
That's a major security problem which brings Mandrake Linux in security-state
comparable with Windows. The Redhat Announcement from two years ago:
http://www.linuxsecurity.com/advisories/redhat_advisory-673.html
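
An audit check for the condition reproduced in the comment above, added here as an example and not part of the original bug report: it lists symlinks under a directory tree that resolve to the consolehelper binary but sit outside the directories where packaged wrappers are expected. The function names, the HELPER default and the TRUSTED_DIRS allow-list are assumptions; GNU readlink and stat are assumed.

```shell
#!/bin/sh
# Added audit example (not from the bug report).
# Assumptions: HELPER is the path used in the report; TRUSTED_DIRS is a
# hypothetical allow-list of directories holding packaged wrapper links.
HELPER="${HELPER:-/usr/bin/consolehelper}"
TRUSTED_DIRS="${TRUSTED_DIRS:-/usr/bin /usr/sbin /bin /sbin}"

# Succeeds when the directory given as $1 is on the allow-list.
is_trusted_dir() {
    for t in $TRUSTED_DIRS; do
        [ "$1" = "$t" ] && return 0
    done
    return 1
}

# Print "link<TAB>invoked-name<TAB>owner" for every symlink under $1 that
# resolves to the helper and lives outside the trusted directories.
find_helper_links() {
    root=$1
    helper_real=$(readlink -f "$HELPER") || return 1
    find "$root" -xdev -type l 2>/dev/null | while IFS= read -r link; do
        target=$(readlink -f "$link" 2>/dev/null) || continue
        [ "$target" = "$helper_real" ] || continue
        is_trusted_dir "$(dirname "$link")" && continue
        # Owner of the link itself, i.e. the account that created it.
        owner=$(stat -c '%U' "$link" 2>/dev/null || echo unknown)
        printf '%s\t%s\t%s\n' "$link" "$(basename "$link")" "$owner"
    done
}

# Stand-alone use: pass the tree to scan, e.g. /home
if [ $# -gt 0 ]; then
    find_helper_links "$1"
fi
```

The second column is the name the helper would be invoked under, which is the value to compare against the services the machine actually intends to expose to console users.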