Possible security issue with --description

From: mihai z
Subject: Possible security issue with --description
Date: Thu, 21 Feb 2008 10:21:10 -0800 (PST)

The --description option allows you to show a random string instead of the command you are executing. This could facilitate an elevation of privilege for an application that has normal user rights. It can do this by modifying menu entries that use gksu to launch applications with administrative rights. When prompted with the gksu dialog you will see only the provided description, not the command you are running.
In Ubuntu 7.10 I am able to modify the menu entry for Synaptic Package Manager with normal user rights from
gksu /usr/sbin/synaptic
to something like
gksu --description synaptic /home/user/.sinaptic
where the .sinaptic script runs some "evil code" and starts the real synaptic.
I propose to show the command gksu is running even if you have a description. Of course, the complete solution probably should include having those menu entries read-only for a normal user, but that is probably a GNOME issue.

, Mihai Varzaru
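
An audit for the condition reported above, added here as an example (not part of the original message and not gksu code): it parses the `Exec=` line of a menu entry and flags gksu launchers whose `--description` replaces the command in the dialog, noting when the real target sits under the user's home directory. The function names, the sample entries and the `/home/user` default are assumptions built from the two command lines in the message.

```python
import shlex

# gksu options that consume the next argument as their value
VALUE_OPTS = {"--description", "-D", "--user", "-u", "--message", "-m"}
LAUNCHERS = {"gksu", "gksudo"}

def parse_gksu_exec(exec_value):
    """Return (description, command_argv) for a gksu Exec= value, else None."""
    argv = shlex.split(exec_value)
    if not argv or argv[0].rsplit("/", 1)[-1] not in LAUNCHERS:
        return None
    description, i = None, 1
    while i < len(argv) and argv[i].startswith("-"):
        opt, _, val = argv[i].partition("=")   # accepts --description=text too
        if opt in VALUE_OPTS:
            if not val and i + 1 < len(argv):
                i += 1
                val = argv[i]
            if opt in ("--description", "-D"):
                description = val
        i += 1
    return description, argv[i:]

def audit_desktop_entry(text, home="/home/user"):
    """Return [(target, reasons)] for gksu entries whose dialog hides the command."""
    findings = []
    for line in text.splitlines():
        if not line.startswith("Exec="):
            continue
        parsed = parse_gksu_exec(line[len("Exec="):])
        if parsed is None or parsed[0] is None or not parsed[1]:
            continue
        description, command = parsed
        target = command[0].split()[0]   # gksu also accepts one quoted command string
        reasons = ["dialog shows %r instead of the command" % description]
        if target.startswith(home.rstrip("/") + "/"):
            reasons.append("target is in the user-writable home directory")
        findings.append((target, reasons))
    return findings

# Constructed sample entries using the two command lines from the message
ORIGINAL = "[Desktop Entry]\nName=Synaptic Package Manager\nExec=gksu /usr/sbin/synaptic\n"
MODIFIED = ("[Desktop Entry]\nName=Synaptic Package Manager\n"
            "Exec=gksu --description synaptic /home/user/.sinaptic\n")

if __name__ == "__main__":
    for name, entry in (("original", ORIGINAL), ("modified", MODIFIED)):
        print(name, audit_desktop_entry(entry))
```
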
