Bug#1011624: kdesu: kdesu fails to authenticate with sudo from testing/unstable

2022-06-01 Thread Marc Haber
On Wed, Jun 01, 2022 at 12:35:01PM +0200, Aurélien COUDERC wrote:
> On 26/05/2022 at 16:09, Marc Haber wrote:
> > On Wed, May 25, 2022 at 01:58:58PM +0100, Rik Mills wrote:
> > > The issue can be worked around by adding /etc/sudoers.d/kdesu with the
> > > contents
> > > 
> > > Defaults!/usr/lib/*/libexec/kf5/kdesu_stub !use_pty
> > 
> > kdesu is cordially invited to ship that file in the package, fixing the
> > issue for everybody. Please add a comment with the reference to this bug
> > report and remove the file once kdesu was fixed upstream.
> 
> kdesu is now cordially shipping the file in the package. :-)

;-)

> Would you mind commenting on why this is OK from a security perspective?

There is a discussion in the KDE bug ticket that seems to make sense to
me. kdesu is exploiting a vulnerability in sudo that we fixed by forcing
the pty. If we don't want to lose kdesu's functionality, we either need
to fix kdesu so that it uses "legal" methods to use sudo, or we need to
re-open the vulnerability to allow unmodified kdesu to work.

This is kdesu's vulnerability now ;-)

I would love to see kdesu fixed at some point in the future, so that the
"insecure" sudo rule can be removed. It would be an idea to ship the file
with the rule commented out by default so that every local admin can
cause their own vulnerability, but that'd probably cause a new avalanche
of "kdesu broken" bug reports.

> I’m no security expert at all but if I read the CVE description correctly,
> the issue is with the su'ed command being able to escape the su user
> session.
> Is it OK in this case because kdesu is used to gain root from non-root and
> so escaping the su session only gives you back the original non-root user
> rights?

I hope that other people can comment on that; I would need to ponder
that for some time.

Greetings
Marc

-- 
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany|  lose things."Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421



Bug#1011624: kdesu: kdesu fails to authenticate with sudo from testing/unstable

2022-06-01 Thread Aurélien COUDERC

Dear Marc,

> On 26/05/2022 at 16:09, Marc Haber wrote:
> > On Wed, May 25, 2022 at 01:58:58PM +0100, Rik Mills wrote:
> > > The issue can be worked around by adding /etc/sudoers.d/kdesu with the
> > > contents
> > > 
> > > Defaults!/usr/lib/*/libexec/kf5/kdesu_stub !use_pty
> > 
> > kdesu is cordially invited to ship that file in the package, fixing the
> > issue for everybody. Please add a comment with the reference to this bug
> > report and remove the file once kdesu was fixed upstream.

kdesu is now cordially shipping the file in the package. :-)

Would you mind commenting on why this is OK from a security perspective?

I’m no security expert at all but if I read the CVE description correctly,
the issue is with the su'ed command being able to escape the su user
session. Is it OK in this case because kdesu is used to gain root from
non-root and so escaping the su session only gives you back the original
non-root user rights?

Thanks,
-- 
Aurélien



Bug#1011624: kdesu: kdesu fails to authenticate with sudo from testing/unstable

2022-05-26 Thread Marc Haber
On Wed, May 25, 2022 at 01:58:58PM +0100, Rik Mills wrote:
> The issue can be worked around by adding /etc/sudoers.d/kdesu with the
> contents
> 
> Defaults!/usr/lib/*/libexec/kf5/kdesu_stub !use_pty

kdesu is cordially invited to ship that file in the package, fixing the
issue for everybody. Please add a comment with the reference to this bug
report and remove the file once kdesu was fixed upstream.

Greetings
Marc



Bug#1011624: kdesu: kdesu fails to authenticate with sudo from testing/unstable

2022-05-25 Thread Rik Mills

Package: kdesu
Version: 5.93.0-1
Severity: serious

kdesu fails to authenticate with sudo from testing/unstable.

Examples: launching ksystemlog from the main menu, or trying to run
krusader's root mode via its 'Tools > Start Krusader Root Mode' menu
entry. This assumes that the current user is a member of the sudo group.

On entering the correct password, authentication is refused, stating that
possibly an incorrect password has been entered.

It appears that kdesu fails to cope with the sudo config CVE fix in this
commit:

https://salsa.debian.org/sudo-team/sudo/-/commit/59db341d46aa4c26b54c1270e69f2562e7f3d751

KDE bug: https://bugs.kde.org/show_bug.cgi?id=452532

The issue can be worked around by adding /etc/sudoers.d/kdesu with the
contents

Defaults!/usr/lib/*/libexec/kf5/kdesu_stub !use_pty
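As an added example (my own, not code from the bug report or from the kdesu package): a POSIX shell audit that lists which commands a sudoers snippet exempts from use_pty through Defaults! lines, so a local admin can see exemptions like the kdesu_stub one above. It runs over a constructed sample that contains the rule from this report; the sample's other entries are hypothetical.

```sh
#!/bin/sh
# Added example: find per-command "!use_pty" exemptions in sudoers text.
# Each such line re-opens, for that one command, what the use_pty default
# closed, so an admin should know which commands carry one.

# Read sudoers text on stdin; print one exempted command path per line.
find_use_pty_exemptions() {
    # Drop comments, then look only at "Defaults!<command> <options>" lines
    # (Defaults@host, Defaults:user and Defaults>runas are not per-command).
    sed -e 's/#.*$//' | awk '
        /^[ \t]*Defaults![^ \t]+/ {
            cmd = $1
            sub(/^Defaults!/, "", cmd)
            for (i = 2; i <= NF; i++) {
                opt = $i
                sub(/,$/, "", opt)          # options may be comma separated
                if (opt == "!use_pty") { print cmd; break }
            }
        }'
}

# Constructed sample: the kdesu line from the bug report plus hypothetical
# neighbours (a global default, a second exemption, an unrelated option).
SAMPLE_SUDOERS='# shipped by kdesu, see Debian bug #1011624
Defaults!/usr/lib/*/libexec/kf5/kdesu_stub !use_pty
Defaults use_pty
Defaults!/usr/bin/example-tool !use_pty, env_reset   # hypothetical
Defaults!/usr/bin/other-tool log_output              # hypothetical
'

# Wrappers over the sample so the result can be checked by name.
list_sample_exemptions() {
    printf '%s' "$SAMPLE_SUDOERS" | find_use_pty_exemptions
}

count_sample_exemptions() {
    list_sample_exemptions | wc -l | tr -d ' '
}

# Stand-alone run: report each exemption and flag wildcard paths, which
# match more than one installed location (as the arch-independent kdesu
# rule deliberately does).
list_sample_exemptions | while IFS= read -r cmd; do
    case "$cmd" in
        *\**|*\?*|*\[*) echo "use_pty disabled for $cmd (path has a wildcard)" ;;
        *)              echo "use_pty disabled for $cmd" ;;
    esac
done
```

For a real system, replace the sample with `cat /etc/sudoers.d/*` as stdin to find_use_pty_exemptions; the script only reads, it never edits sudoers.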