*** This bug is a security vulnerability ***
You have been subscribed to a public security bug by Marc Deslauriers
(mdeslaur):
Regular desktop users are given sudo access if they know the
administrator's (first user set up during install) password.

To recreate:
System installed first username: norman, password blahblah
Add new user sally as default desktop user. No admin/sudo privileges.
Log out as norman
Log in as sally
Go to Administration->Users and Groups (or Login Screen)
sally is prompted for norman's password and, if known, is given access.
sally can then add/remove privileges on herself (and others).

Desired effect:
sally should be denied access as she has no admin/sudo privileges. Synaptic
gets this right by denying any password given by a non-sudoer/admin. Also,
revealing the username of a sudoer/admin could lead to sally guessing a
password if she knew norman well enough. In reality I would imagine the
password dialog shouldn't even be shown to such a user.

Found in Ubuntu 10.10 (and possibly earlier)
** Affects: ubuntu
Importance: Undecided
Status: New
** Tags: escalation privilege security
--
privilege escalation
https://bugs.edge.launchpad.net/bugs/681685