Hi,
I thought what the heck, let's update the pre-compiled Qt components on my computer. Apart from making me jump through the Qt Account hoop, I'm not sure whether this is deliberate (nefariously or incompetently) or just broken (please tell me it is a simple bug!):

OS: Linux, Debian (testing), amd64
Installation-Directory of Qt: $HOME/Qt of the user running MaintenanceTool
MaintenanceTool version: 3.2.2-0-202003121118

When I call MaintenanceTool to install another version of Qt it wants to sudo into root when it starts to download Qt components. It still asks for the sudo password if I quit while selecting components! Worse, if I normally have sudo set to NOPASSWD then it does not even ask, it just switches!

The temporary directory installerResources has access rights 0557. Other directories are group-writable.

I view those as severe security issues:

- the installer (actually no tool whatsoever) should switch to root unless absolutely necessary, to prevent escalation of other security issues
- no interactive tool should switch to root without informing the user
- the installer must not make any directories or files writable for anyone but the user running that tool - otherwise other users are able to attack by inserting malicious code

I have the bad feeling that someone should perform a security audit on MaintenanceTool and installer framework.

Konrad
_______________________________________________
Development mailing list
[email protected]
https://lists.qt-project.org/listinfo/development
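A read-only check for the permission findings reported in the mail above, as an added example that is not part of the original message or of the Qt installer framework: it walks a directory tree and reports every entry that group or others can write to. The function names and the constructed demo tree (the `lib` and `bin` directories and their modes) are assumptions; only `installerResources` and mode 0557 come from the mail.

```python
import os
import stat
import sys
import tempfile

def classify(mode):
    """Name the write bits that let someone other than the owner modify an entry."""
    reasons = []
    if mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if mode & stat.S_IWOTH:
        # A sticky bit on a directory limits deletion, not creation of new files.
        sticky = stat.S_ISDIR(mode) and mode & stat.S_ISVTX
        reasons.append("world-writable (sticky)" if sticky else "world-writable")
    return reasons

def audit(root):
    """Return sorted (relative path, octal mode, reasons) for risky entries under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):  # does not follow symlinked dirs
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # a symlink's own mode bits are not meaningful on Linux
            reasons = classify(mode)
            if reasons:
                rel = os.path.relpath(path, root)
                findings.append((rel, oct(stat.S_IMODE(mode)), reasons))
    return sorted(findings)

def demo():
    """Audit a constructed tree that mimics the modes reported in the mail."""
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (("installerResources", 0o557), ("lib", 0o775), ("bin", 0o755)):
            path = os.path.join(root, name)
            os.mkdir(path)
            os.chmod(path, mode)  # chmod after mkdir so the umask cannot mask bits
        return audit(root)

if __name__ == "__main__":
    # Pass a real directory (for example the Qt install dir) or run the demo.
    results = audit(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for rel, mode, reasons in results:
        print(f"{mode}  {rel}  {', '.join(reasons)}")
```

Mode 0557 decodes to r-x for owner and group and rwx for everyone else, which is why the demo reports that directory as world-writable but not group-writable.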
