[Bug 35581] Re: dapper f5 live: administrator mode doesn't work in systemsettings
daniel.eckl at gmx.de
Sun Apr 23 08:51:32 UTC 2006
I too want to confirm that this is a way to gain root privileges without entering a single correct password.
Reproduce: System Settings -> Network Settings -> Administrator Mode -> Enter anything as password -> accepted.
After that kdesu accepts anything as password so the user has full access to the system (just exec "kdesu konsole" for example).
This seems to be related to the sudo password caching function, because opening a konsole and typing "sudo -k" does stop kdesu accepting anything.
The problem is triggered by the System Settings program. When using the original kcontrol directly, this privilege escalation does not work.
But if it can be triggered by a fault in a program running with user privileges, it can be triggered by any malicious program, too!
This is really a very critical security failure!