[Bug 1219337] Re: Users can change the clock without authenticating, allowing them to locally exploit sudo.
** Package changed: gnome-control-center (Ubuntu) = policykit-desktop- privileges (Ubuntu) -- You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is subscribed to gnome-control-center in Ubuntu. https://bugs.launchpad.net/bugs/1219337 Title: Users can change the clock without authenticating, allowing them to locally exploit sudo. To manage notifications about this bug go to: https://bugs.launchpad.net/cinnamon-desktop/+bug/1219337/+subscriptions -- desktop-bugs mailing list desktop-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
[Bug 1219337] Re: Users can change the clock without authenticating, allowing them to locally exploit sudo.
One more thing I noticed while checking what's going on with sudo. To my understanding newer versions of sudo treat the epoch as a special case and ignore it as an invalid date. So why does Ubuntu's /etc/init.d/sudo set sudoers timestamps to 19850101 during the boot? Shouldn't they be set to epoch to invalidate them? -- You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is subscribed to gnome-control-center in Ubuntu. https://bugs.launchpad.net/bugs/1219337 Title: Users can change the clock without authenticating, allowing them to locally exploit sudo. To manage notifications about this bug go to: https://bugs.launchpad.net/cinnamon-desktop/+bug/1219337/+subscriptions -- desktop-bugs mailing list desktop-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
[Bug 1219337] Re: Users can change the clock without authenticating, allowing them to locally exploit sudo.
@Eero: yes, I noticed that while investigating last night also. I'll file a bug, and a bug with Debian. ** Also affects: sudo (Ubuntu) Importance: Undecided Status: New ** Changed in: sudo (Ubuntu) Status: New = Confirmed -- You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is subscribed to gnome-control-center in Ubuntu. https://bugs.launchpad.net/bugs/1219337 Title: Users can change the clock without authenticating, allowing them to locally exploit sudo. To manage notifications about this bug go to: https://bugs.launchpad.net/cinnamon-desktop/+bug/1219337/+subscriptions -- desktop-bugs mailing list desktop-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
[Bug 1219337] Re: Users can change the clock without authenticating, allowing them to locally exploit sudo.
@Eero: I've filed bug 1223297 in Ubuntu, 722335 in debian. -- You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is subscribed to gnome-control-center in Ubuntu. https://bugs.launchpad.net/bugs/1219337 Title: Users can change the clock without authenticating, allowing them to locally exploit sudo. To manage notifications about this bug go to: https://bugs.launchpad.net/cinnamon-desktop/+bug/1219337/+subscriptions -- desktop-bugs mailing list desktop-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
[Bug 1219337] Re: Users can change the clock without authenticating, allowing them to locally exploit sudo.
I still get the feeling that you don't see the seriousness of this bug. Any drive-by browser-exploit can now escalate to root privileges because of this. Most Ubuntu users are running it with their admin account (that has sudo privileges). Running the wrong script or visiting the wrong website will be enough. -- You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is subscribed to gnome-control-center in Ubuntu. https://bugs.launchpad.net/bugs/1219337 Title: Users can change the clock without authenticating, allowing them to locally exploit sudo. To manage notifications about this bug go to: https://bugs.launchpad.net/cinnamon-desktop/+bug/1219337/+subscriptions -- desktop-bugs mailing list desktop-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
[Bug 1219337] Re: Users can change the clock without authenticating, allowing them to locally exploit sudo.
To clarify: an exploit could run code in a terminal, get the TTY of that terminal and search auth.log for that TTY to change the time, right? -- You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is subscribed to gnome-control-center in Ubuntu. https://bugs.launchpad.net/bugs/1219337 Title: Users can change the clock without authenticating, allowing them to locally exploit sudo. To manage notifications about this bug go to: https://bugs.launchpad.net/cinnamon-desktop/+bug/1219337/+subscriptions -- desktop-bugs mailing list desktop-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
[Bug 1219337] Re: Users can change the clock without authenticating, allowing them to locally exploit sudo.
It's a bit more complicated than that, but not much: Sudo stores the SID in the authentication file. However, setsid is installed by default, so you can just launch processes with new SIDs until you get a match. You can either run setsid and sudo a bunch and hope that you match up, or you can look up the SID (also found in auth.log) and match that without running sudo. It's not trivial, but it's certainly doable. -- You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is subscribed to gnome-control-center in Ubuntu. https://bugs.launchpad.net/bugs/1219337 Title: Users can change the clock without authenticating, allowing them to locally exploit sudo. To manage notifications about this bug go to: https://bugs.launchpad.net/cinnamon-desktop/+bug/1219337/+subscriptions -- desktop-bugs mailing list desktop-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
[Bug 1219337] Re: Users can change the clock without authenticating, allowing them to locally exploit sudo.
Perhaps we could also investigate a way for gnome-control-center's timedated to invalidate sudo authentication files when the system date is changed. -- You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is subscribed to gnome-control-center in Ubuntu. https://bugs.launchpad.net/bugs/1219337 Title: Users can change the clock without authenticating, allowing them to locally exploit sudo. To manage notifications about this bug go to: https://bugs.launchpad.net/cinnamon-desktop/+bug/1219337/+subscriptions -- desktop-bugs mailing list desktop-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
Re: [Bug 1219337] Re: Users can change the clock without authenticating, allowing them to locally exploit sudo.
On 13-09-04 10:19 AM, Mark Smith wrote: This allows administrative users travelling with laptops to change the timezone without getting an authentication prompt. Why is saving the traveling admin from typing their password a couple of times a day worth compromising security for everyone else? No, seriously. Why? It only compromises security for people who use sudo on their workstation, and don't add the -k flag to the command line when they do. I suspect there are more users who travel with their laptops than there are people who use sudo on them. Your attack vector assumes that an administrative user is going to leave an open session unattended. Yes, my assumption is that users will forget to lock their machines, because it happens all the time. This is especially true if it's a personal machine, and they are the ONLY user. If you can't rely on admins to properly lock their session, you can't rely on them to not leave a console open with sudo rights either. At some point a minimum is required. Locking their console, or using sudo with -k is the minimum. If that is the case, there are a whole slew of attacks that are possible, and don't require changing the date. For example, creating scripts in ~/bin that are higher in the path then system binaries. Even if that number is high, that's no excuse. Is your stance really Well, they could compromise security 100 ways, so what's one more? Plus, how many of those attacks require 0 external resources, and creating 0 additional files on the system, and would leave little trace beyond a hiccup in the time/date? I'm saying preventing the admin user from modifying the system clock is security theatre if the system is configured to use ntp, or doesn't prevent access to changing the clock in the system firmware. Even if the admin user needs a password to change the clock, anyone can step up to the workstation and plug in a network cable to a fake ntp server. If you want to be able to trust the system time, you need to harden a lot more than simply requiring a password prompt. Since your local security policy is different than what is shipped in a general purpose operating system... Wanting a slightly more secure system is more of an edge case than changing the time zone repeatedly? REALLY? Does Windows 8 count as general purpose to you? It requires escalation to change the date and time. Maybe their escalation system isn't very good, but it's still better than blithely letting admins change the system time without so much as a prompt. Also, their security system doesn't rely on file timestamps, so it's less likely to grant someone root access. There's a fine balance between security and usability, and not everyone is comfortable with the same level of security. As I've mentioned before, it is trivial to modify the defaults to achieve the level of security that is appropriate for your environment. 1- Requiring your administrative users to lock their workstation when they are left unattended. People make mistakes. Are you telling me you've NEVER forgotten to lock your workstation? You've NEVER seen another admin forget to lock theirs? Yes, this happens, and is quite unfortunate. What I'm saying is being able to change the system clock is only one of a whole series of possible attacks if the session is left unattended. 2- Requiring your administrative users to use sudo -k to forcibly invalidate cached credentials. That only works on a per pty/tty basis on ubuntu. It only invalidates one of the sessions, and it invalidates it by changing the timestamp to a date to Dec. 31, 1969 or Jan. 1, 1970. You could try sudo -K, which deletes the file, but again only on a per pty/tty basis. Sudo considers cached credential files with epoch timestamps to be invalid, even if you do set the clock to epoch. (Unless you're vulnerable to CVE-2013-1775). Adding -k to your sudo commands will prevent caching. 3- Removing the policykit-desktop-privileges package, or overriding the policy with a local one. Oh good, more administrative work, all to save typing a password! Pity about all the users who don't know what policykit-desktop-privileges is or does though... 4- Disabling ntp, or setting up ntp authentication. Disabling ntp wouldn't help, since the whole point is that the user can change the time to anything manually anyhow. Disabling ntp is a required part of the process if you don't want an attacker to be able to alter the system clock. 5- Setting a firmware password on local machines. This doesn't help if they walked away and forgot to lock their machines. Again, it is a required part of the process if you don't want an attacker to simply reboot and change the clock in the firmware. I especially love how #2 requires the user to remember to execute a command before they close their terminal, and adds an extra 7 keystrokes PER TTY/PTY. All this to save a
[Bug 1219337] Re: Users can change the clock without authenticating, allowing them to locally exploit sudo.
** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2013-1775 -- You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is subscribed to gnome-control-center in Ubuntu. https://bugs.launchpad.net/bugs/1219337 Title: Users can change the clock without authenticating, allowing them to locally exploit sudo. To manage notifications about this bug go to: https://bugs.launchpad.net/cinnamon-desktop/+bug/1219337/+subscriptions -- desktop-bugs mailing list desktop-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
[Bug 1219337] Re: Users can change the clock without authenticating, allowing them to locally exploit sudo.
** CVE removed: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2013-1775 -- You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is subscribed to gnome-control-center in Ubuntu. https://bugs.launchpad.net/bugs/1219337 Title: Users can change the clock without authenticating, allowing them to locally exploit sudo. To manage notifications about this bug go to: https://bugs.launchpad.net/cinnamon-desktop/+bug/1219337/+subscriptions -- desktop-bugs mailing list desktop-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
[Bug 1219337] Re: Users can change the clock without authenticating, allowing them to locally exploit sudo.
There's a fine balance between security and usability, and not everyone is comfortable with the same level of security. As I've mentioned before, it is trivial to modify the defaults to achieve the level of security that is appropriate for your environment. If that's the case, why are you defaulting to a level that Debian, Fedora, Mint, and Windows all feel is too lax? Why not let the very few users who need this, change it to be less secure? Based on my discussions, it seems that this is actually a *sudo* bug, since it uses the non-monotonic clock, rather than using other system features. -- You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is subscribed to gnome-control-center in Ubuntu. https://bugs.launchpad.net/bugs/1219337 Title: Users can change the clock without authenticating, allowing them to locally exploit sudo. To manage notifications about this bug go to: https://bugs.launchpad.net/cinnamon-desktop/+bug/1219337/+subscriptions -- desktop-bugs mailing list desktop-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
[Bug 1219337] Re: Users can change the clock without authenticating, allowing them to locally exploit sudo.
If that's the case, why are you defaulting to a level that Debian, Fedora, Mint, and Windows all feel is too lax? Why not let the very few users who need this, change it to be less secure? Because those desktop environments don't provide automatic geoip-based timezone updating. -- You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is subscribed to gnome-control-center in Ubuntu. https://bugs.launchpad.net/bugs/1219337 Title: Users can change the clock without authenticating, allowing them to locally exploit sudo. To manage notifications about this bug go to: https://bugs.launchpad.net/cinnamon-desktop/+bug/1219337/+subscriptions -- desktop-bugs mailing list desktop-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
[Bug 1219337] Re: Users can change the clock without authenticating, allowing them to locally exploit sudo.
Looks like upstream GNOME is now also allowing this too, so presumably the other distros will have a similar policy: https://git.gnome.org/browse/gnome-control-center/commit/panels/common /gnome-control-center.rules?id=88eeb8cb2d28d75610b1fa39839e69388ceb4eca https://bugzilla.gnome.org/show_bug.cgi?id=646185 ** Bug watch added: GNOME Bug Tracker #646185 https://bugzilla.gnome.org/show_bug.cgi?id=646185 -- You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is subscribed to gnome-control-center in Ubuntu. https://bugs.launchpad.net/bugs/1219337 Title: Users can change the clock without authenticating, allowing them to locally exploit sudo. To manage notifications about this bug go to: https://bugs.launchpad.net/cinnamon-desktop/+bug/1219337/+subscriptions -- desktop-bugs mailing list desktop-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
[Bug 1219337] Re: Users can change the clock without authenticating, allowing them to locally exploit sudo.
** Also affects: sudo Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is subscribed to gnome-control-center in Ubuntu. https://bugs.launchpad.net/bugs/1219337 Title: Users can change the clock without authenticating, allowing them to locally exploit sudo. To manage notifications about this bug go to: https://bugs.launchpad.net/cinnamon-desktop/+bug/1219337/+subscriptions -- desktop-bugs mailing list desktop-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
[Bug 1219337] Re: Users can change the clock without authenticating, allowing them to locally exploit sudo.
** Bug watch added: Sudo Bugzilla #616 http://www.sudo.ws/bugs/show_bug.cgi?id=616 ** Changed in: sudo Importance: Undecided = Unknown ** Changed in: sudo Status: New = Unknown ** Changed in: sudo Remote watch: None = Sudo Bugzilla #616 -- You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is subscribed to gnome-control-center in Ubuntu. https://bugs.launchpad.net/bugs/1219337 Title: Users can change the clock without authenticating, allowing them to locally exploit sudo. To manage notifications about this bug go to: https://bugs.launchpad.net/cinnamon-desktop/+bug/1219337/+subscriptions -- desktop-bugs mailing list desktop-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
[Bug 1219337] Re: Users can change the clock without authenticating, allowing them to locally exploit sudo.
GNOME 3.10 will indeed allow local admins (not standard users) to change time settings without typing a password. It also introduces automatic geolocation-based timezone updating. :) -- You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is subscribed to gnome-control-center in Ubuntu. https://bugs.launchpad.net/bugs/1219337 Title: Users can change the clock without authenticating, allowing them to locally exploit sudo. To manage notifications about this bug go to: https://bugs.launchpad.net/cinnamon-desktop/+bug/1219337/+subscriptions -- desktop-bugs mailing list desktop-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
[Bug 1219337] Re: Users can change the clock without authenticating, allowing them to locally exploit sudo.
Michael: But again, this totally ignores the question: Why on earth do we need that? How many times per day are you changing your clock that this is necessary?! -- You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is subscribed to gnome-control-center in Ubuntu. https://bugs.launchpad.net/bugs/1219337 Title: Users can change the clock without authenticating, allowing them to locally exploit sudo. To manage notifications about this bug go to: https://bugs.launchpad.net/cinnamon-desktop/+bug/1219337/+subscriptions -- desktop-bugs mailing list desktop-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
[Bug 1219337] Re: Users can change the clock without authenticating, allowing them to locally exploit sudo.
Todd C Miller is working on it from the sudo side upstream, potentially using CLOCK_MONOTONIC. -- You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is subscribed to gnome-control-center in Ubuntu. https://bugs.launchpad.net/bugs/1219337 Title: Users can change the clock without authenticating, allowing them to locally exploit sudo. To manage notifications about this bug go to: https://bugs.launchpad.net/cinnamon-desktop/+bug/1219337/+subscriptions -- desktop-bugs mailing list desktop-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
[Bug 1219337] Re: Users can change the clock without authenticating, allowing them to locally exploit sudo.
oh, that would be great! -- You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is subscribed to gnome-control-center in Ubuntu. https://bugs.launchpad.net/bugs/1219337 Title: Users can change the clock without authenticating, allowing them to locally exploit sudo. To manage notifications about this bug go to: https://bugs.launchpad.net/cinnamon-desktop/+bug/1219337/+subscriptions -- desktop-bugs mailing list desktop-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
[Bug 1219337] Re: Users can change the clock without authenticating, allowing them to locally exploit sudo.
A somewhat sensible workaround I can find at the moment is to force re- authentication every time you type sudo. The way to do this is by adding: Defaults timestamp_timeout=0 to the Defaults section of your /etc/sudoers This will work on Ubuntu, OS X, and other variants. Details can be found in http://www.sudo.ws/sudoers.man.html We really shouldn't be trusting the clock to being with. The fact that Ubuntu developers have seen fit to add convenience features to bypass security rather proves the point. -- You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is subscribed to gnome-control-center in Ubuntu. https://bugs.launchpad.net/bugs/1219337 Title: Users can change the clock without authenticating, allowing them to locally exploit sudo. To manage notifications about this bug go to: https://bugs.launchpad.net/cinnamon-desktop/+bug/1219337/+subscriptions -- desktop-bugs mailing list desktop-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
[Bug 1219337] Re: Users can change the clock without authenticating, allowing them to locally exploit sudo.
Only administrators can change the local time without authenticating. Regular non-administrative users cannot. This allows administrative users travelling with laptops to change the timezone without getting an authentication prompt. Your attack vector assumes that an administrative user is going to leave an open session unattended. If that is the case, there are a whole slew of attacks that are possible, and don't require changing the date. For example, creating scripts in ~/bin that are higher in the path then system binaries. If you have administrative users that are leaving session unlocked, you have a more serious security issue than being able to change the time. Since your local security policy is different than what is shipped in a general purpose operating system, I suggest: 1- Requiring your administrative users to lock their workstation when they are left unattended. 2- Requiring your administrative users to use sudo -k to forcibly invalidate cached credentials. 3- Removing the policykit-desktop-privileges package, or overriding the policy with a local one. 4- Disabling ntp, or setting up ntp authentication. 5- Setting a firmware password on local machines. ** Changed in: gnome-control-center (Ubuntu) Status: New = Opinion -- You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is subscribed to gnome-control-center in Ubuntu. https://bugs.launchpad.net/bugs/1219337 Title: Users can change the clock without authenticating, allowing them to locally exploit sudo. To manage notifications about this bug go to: https://bugs.launchpad.net/cinnamon-desktop/+bug/1219337/+subscriptions -- desktop-bugs mailing list desktop-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
[Bug 1219337] Re: Users can change the clock without authenticating, allowing them to locally exploit sudo.
This allows administrative users travelling with laptops to change the timezone without getting an authentication prompt. Why is saving the traveling admin from typing their password a couple of times a day worth compromising security for everyone else? No, seriously. Why? Your attack vector assumes that an administrative user is going to leave an open session unattended. Yes, my assumption is that users will forget to lock their machines, because it happens all the time. This is especially true if it's a personal machine, and they are the ONLY user. If that is the case, there are a whole slew of attacks that are possible, and don't require changing the date. For example, creating scripts in ~/bin that are higher in the path then system binaries. Even if that number is high, that's no excuse. Is your stance really Well, they could compromise security 100 ways, so what's one more? Plus, how many of those attacks require 0 external resources, and creating 0 additional files on the system, and would leave little trace beyond a hiccup in the time/date? Since your local security policy is different than what is shipped in a general purpose operating system... Wanting a slightly more secure system is more of an edge case than changing the time zone repeatedly? REALLY? Does Windows 8 count as general purpose to you? It requires escalation to change the date and time. Maybe their escalation system isn't very good, but it's still better than blithely letting admins change the system time without so much as a prompt. Also, their security system doesn't rely on file timestamps, so it's less likely to grant someone root access. 1- Requiring your administrative users to lock their workstation when they are left unattended. People make mistakes. Are you telling me you've NEVER forgotten to lock your workstation? You've NEVER seen another admin forget to lock theirs? 2- Requiring your administrative users to use sudo -k to forcibly invalidate cached credentials. That only works on a per pty/tty basis on ubuntu. It only invalidates one of the sessions, and it invalidates it by changing the timestamp to a date to Dec. 31, 1969 or Jan. 1, 1970. You could try sudo -K, which deletes the file, but again only on a per pty/tty basis. 3- Removing the policykit-desktop-privileges package, or overriding the policy with a local one. Oh good, more administrative work, all to save typing a password! Pity about all the users who don't know what policykit-desktop-privileges is or does though... 4- Disabling ntp, or setting up ntp authentication. Disabling ntp wouldn't help, since the whole point is that the user can change the time to anything manually anyhow. 5- Setting a firmware password on local machines. This doesn't help if they walked away and forgot to lock their machines. I especially love how #2 requires the user to remember to execute a command before they close their terminal, and adds an extra 7 keystrokes PER TTY/PTY. All this to save a hypothetical traveling admin from having to type his password once when he moves to a different timezone. If they want to save themselves a few keystrokes to change the timezone, let /them/ change policy kit. Don't stick every unsuspecting user with a security hole. -- You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is subscribed to gnome-control-center in Ubuntu. https://bugs.launchpad.net/bugs/1219337 Title: Users can change the clock without authenticating, allowing them to locally exploit sudo. To manage notifications about this bug go to: https://bugs.launchpad.net/cinnamon-desktop/+bug/1219337/+subscriptions -- desktop-bugs mailing list desktop-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
[Bug 1219337] Re: Users can change the clock without authenticating, allowing them to locally exploit sudo.
This is by design. The policykit-desktop-privileges package contains a policykit file that allows administrative users to do so: from /var/lib/polkit-1/localauthority/10-vendor.d/com.ubuntu.desktop.pkla: [Setting the clock] Identity=unix-group:admin;unix-group:sudo Action=org.gnome.clockapplet.mechanism.*;org.gnome.controlcenter.datetime.config ure;org.kde.kcontrol.kcmclock.save ResultActive=yes ** Information type changed from Private Security to Public ** Changed in: unity Status: New = Invalid ** Changed in: gnome-control-center (Ubuntu) Status: New = Invalid -- You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is subscribed to gnome-control-center in Ubuntu. https://bugs.launchpad.net/bugs/1219337 Title: Users can change the clock without authenticating, allowing them to locally exploit sudo. To manage notifications about this bug go to: https://bugs.launchpad.net/cinnamon-desktop/+bug/1219337/+subscriptions -- desktop-bugs mailing list desktop-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
[Bug 1219337] Re: Users can change the clock without authenticating, allowing them to locally exploit sudo.
This is by DESIGN? Your design is that any user can change the time, and therefore bypass the security of sudo? What's the justification for not having the user enter a password to change the time? Convenience? Marc, with all due respect, did you even read the bug? If you disable the sudo password for your account, you will seriously compromise the security of your computer. Anyone sitting at your unattended, logged in account will have complete Root access, and remote exploits become much easier for malicious crackers. This policy kit change adds a single condition: That the user has used sudo to escalate at some point, and it creates /exactly/ the same conditions. I'm going to re-open this just to be sure. It seems incredible that Ubuntu would intentionally let people bypass security like that. -- You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is subscribed to gnome-control-center in Ubuntu. https://bugs.launchpad.net/bugs/1219337 Title: Users can change the clock without authenticating, allowing them to locally exploit sudo. To manage notifications about this bug go to: https://bugs.launchpad.net/cinnamon-desktop/+bug/1219337/+subscriptions -- desktop-bugs mailing list desktop-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
[Bug 1219337] Re: Users can change the clock without authenticating, allowing them to locally exploit sudo.
Are you really sure users are supposed to be able to bypass sudo like that? ** Changed in: gnome-control-center (Ubuntu) Status: Invalid = New -- You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is subscribed to gnome-control-center in Ubuntu. https://bugs.launchpad.net/bugs/1219337 Title: Users can change the clock without authenticating, allowing them to locally exploit sudo. To manage notifications about this bug go to: https://bugs.launchpad.net/cinnamon-desktop/+bug/1219337/+subscriptions -- desktop-bugs mailing list desktop-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
[Bug 1219337] Re: Users can change the clock without authenticating, allowing them to locally exploit sudo.
As a person working in a secure facility with quite a few machines running Ubuntu, this is a major security issue. This is a flaw that allows root access without a password. The fact that this issue is being brushed off is angering, but even worse is that it's been made public. I shouldn't even be able to know about an issue like this until it has been fixed already. This issue needs to be taken seriously, and fixed, as soon as possible. -- You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is subscribed to gnome-control-center in Ubuntu. https://bugs.launchpad.net/bugs/1219337 Title: Users can change the clock without authenticating, allowing them to locally exploit sudo. To manage notifications about this bug go to: https://bugs.launchpad.net/cinnamon-desktop/+bug/1219337/+subscriptions -- desktop-bugs mailing list desktop-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
[Bug 1219337] Re: Users can change the clock without authenticating, allowing them to locally exploit sudo.
** Information type changed from Public to Public Security -- You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is subscribed to gnome-control-center in Ubuntu. https://bugs.launchpad.net/bugs/1219337 Title: Users can change the clock without authenticating, allowing them to locally exploit sudo. To manage notifications about this bug go to: https://bugs.launchpad.net/cinnamon-desktop/+bug/1219337/+subscriptions -- desktop-bugs mailing list desktop-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/desktop-bugs