Wow, I can't believe this obvious (and surely easy to fix!) bug is still
not fixed! After having skimmed the libgksu code though, I'm not
surprised -- it does call-outs to the shell all over the place.
Obviously a very bad idea:
    tmp = g_strdup_printf ("%s list %s | "
                           "head -1 | awk '{ print $3 }'",
                           xauth_bin,
                           display);
    if ((xauth_output = popen (tmp, "r")) == NULL)
--------
    cmd[i] = g_strdup ("/bin/su"); i++;
    if (context->login_shell)
      {
        cmd[i] = g_strdup ("-"); i++;
      }
    cmd[i] = g_strdup (context->user); i++;
    if (context->keep_env)
      {
        cmd[i] = g_strdup ("-p"); i++;
      }
    cmd[i] = g_strdup ("-c"); i++;
    /* needs to get X authorization prior to running the program */
    cmd[i] = g_strdup_printf ("%s \"%s\"", auxcommand,
                              context->command); i++;
    cmd[i] = NULL;
    /* executes the command */
    if (execv (cmd[0], cmd) == -1)
      {
        fprintf (stderr,
                 "Unable to run /bin/su: %s",
                 strerror(errno));
      }
-----------
Such a terrible practice. When is someone going to write "exec()
considered harmful"?
--
https://bugs.launchpad.net/bugs/298217
Title:
no second attempt and no feedback when wrong password entered
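The first excerpt quoted in the comment above builds a shell pipeline around xauth. As an added example (not code from the original message or from libgksu; the names third_field and exec_third_field are hypothetical), the same result can be had by running the program directly with execv and doing the head/awk step in C. A caller is assumed to pass the xauth path, "list" and the display as separate argv entries, so the display string is never parsed by a shell:

```c
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* What "head -1 | awk '{ print $3 }'" computed; malloc'd copy or NULL. */
char *third_field(const char *text)
{
    const char *p = text;
    for (int n = 1; ; n++) {
        p += strspn(p, " \t");              /* skip separators */
        size_t len = strcspn(p, " \t\n");   /* field ends at blank or newline */
        if (len == 0) return NULL;          /* first line has fewer than 3 fields */
        if (n == 3) {
            char *out = malloc(len + 1);
            if (out) { memcpy(out, p, len); out[len] = '\0'; }
            return out;
        }
        p += len;
    }
}

/* Run argv[0] directly with execv (no /bin/sh), then parse its stdout. */
char *exec_third_field(char *const argv[])
{
    int fds[2], status;
    char buf[4096];                         /* only the first 4095 bytes are examined */
    size_t used = 0;
    ssize_t got;
    if (pipe(fds) == -1)
        return NULL;
    pid_t pid = fork();
    if (pid == 0) {                         /* child: stdout goes to the pipe */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        execv(argv[0], argv);               /* arguments are passed verbatim */
        _exit(127);                         /* exec failed */
    }
    close(fds[1]);
    while (pid > 0 && used < sizeof buf - 1 &&
           (got = read(fds[0], buf + used, sizeof buf - 1 - used)) > 0)
        used += (size_t)got;
    close(fds[0]);
    buf[used] = '\0';
    if (pid < 0 || waitpid(pid, &status, 0) != pid ||
        !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return NULL;                        /* fork/exec failure or non-zero exit */
    return third_field(buf);
}
```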