Security issue with disks-admin
Matt Zimmerman
mdz at ubuntu.com
Thu Oct 6 16:09:01 CDT 2005
On Thu, Oct 06, 2005 at 09:58:13PM +0200, Dennis Kaarsemaker wrote:
> The issue has been raised before in bugzilla and on this list: One can
> launch nautilus/totem/gnome-cd from disks-admin. These programs will
> then run as root which is against the Ubuntu policy. Attached debdiff is
> a complete patch that uses "su -c $SUDO_USER" to launch the actual
> applications.
This isn't a security issue, only a safety issue, and a small one in my
opinion. The only risk is that the user makes destructive changes to the
filesystem, which they are normally protected from by lack of privilege.
I don't consider this a high priority for 5.10, but if we're going to
squeeze in a fix, it needs to be the simplest possible one (in this case,
disabling the button entirely). Since there are plenty of other, more
obvious ways to browse filesystems, this is a very low-impact change.
--
- mdz
More information about the ubuntu-devel
mailing list