> 
> On Fri, 24 Dec 1999, John Summerfield wrote:
> 
> > > I have recently upgraded some machines to RH 6.1 and have noticed an
> > > alarming tendency for dialog boxes to appear saying please type the
> > > root password.
> > > 
> > > This really is not acceptable. Any old trojan horse program can do this
> > > and get the password. It may be designed to make things easier for
> > > new users, but they need to understand about su/logging in as root.
> > > 
> > > I have come across it on kppp (amazingly, even if you make it suid root!)
> > > which does not need to run as root (eg as in 6.0) and gnorpm (which means
> > > you get this just by inserting a RH CD in gnome).
> > 
> > I've been seeing this when I login and the dialogue box doesn't even 
> > indicate what's asking!!
> > 
> > Coupled with a few other things, it's almost enough to make me remove 
> > gnome (I tend to use kde more anyway).
> 
> To clarify things, this is a Red Hat'ism (forgive the wording) -- i.e. Red
> Hat Linux 6.1 has wrapped some programs that need to be run as root
> through consolehelper, regardless if they're console, KDE or GNOME
> programs. It's just coincidence that the wrapper is a gtk/gnome program.

Well I am inclined to report this as a bug with major security implications.

As far as I can see it is only acceptable to be asked for a root password
if you have explicitly requested root access (eg su or login). Adding a
graphical way of requesting root access (eg a program called [gxk]root say
that simply produced a menu of programs that would then be run as root)
could be acceptable, but producing unrequested root password requests
is not acceptable, indeed is a major security problem.

Justin
