[SECURITY] Do not assume that kdesu is in PATH for user actions
Closed, Public

Authored by palant on Feb 23 2017, 9:57 AM.

Details

Summary

This is a follow-up to D4725. User actions currently don't rely on the configured path for kdesu but simply assume that it is in PATH. This is a usability issue (kdesu is not in PATH on Ubuntu by default) but there is also a security impact: a malware application running with the user's privileges can manipulate PATH to make sure its own kdesu look-alike gets executed for Krusader user actions. This allows the malware to steal the sudo password and to seize full control over the computer.

With this patch, KrServices::fullPathName("kdesu") is used for the kdesu path; with the changes in D4725, this path is compiled into Krusader and cannot be manipulated. While at it, I also added proper feedback if kdesu cannot be found.
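The difference between the PATH-based lookup and the fixed-directory lookup described in the summary, as an added example that is not part of the original revision and is not Krusader's code. It uses plain C++ with POSIX calls instead of Qt; the function names and the temporary sample directories are constructed for illustration.

```cpp
#include <cstdio>
#include <cstdlib>
#include <fcntl.h>
#include <sstream>
#include <string>
#include <sys/stat.h>
#include <unistd.h>
// True only for a regular file the current user may execute.
static bool isExecutableFile(const std::string &p) {
    struct stat st;
    return stat(p.c_str(), &st) == 0 && S_ISREG(st.st_mode) && access(p.c_str(), X_OK) == 0;
}
// "Before": the first match in PATH wins, so whoever controls PATH controls the result.
std::string resolveViaPath(const std::string &name, const std::string &pathEnv) {
    std::istringstream dirs(pathEnv);
    for (std::string dir; std::getline(dirs, dir, ':');) {
        const std::string candidate = (dir.empty() ? "." : dir) + "/" + name;
        if (isExecutableFile(candidate)) return candidate;
    }
    return "";
}
// "After": only the build-time directory is consulted; on failure `error` names the expected location.
std::string resolveFixed(const std::string &name, const std::string &trustedDir, std::string &error) {
    error.clear();
    const std::string candidate = trustedDir + "/" + name;
    if (name.empty() || name.find('/') != std::string::npos || trustedDir.empty() || trustedDir[0] != '/') {
        error = "refusing unsafe helper location: " + candidate;
        return "";
    }
    if (isExecutableFile(candidate)) return candidate;
    error = name + " not found or not executable; expected at " + candidate;
    return "";
}
// Constructed sample: a fresh temporary directory holding an empty executable called `name`.
std::string makeSampleDir(const std::string &name) {
    char tmpl[] = "/tmp/pathdemoXXXXXX";
    if (!mkdtemp(tmpl)) return "";
    const std::string dir = tmpl;
    int fd = open((dir + "/" + name).c_str(), O_CREAT | O_WRONLY, 0755);
    if (fd >= 0) close(fd);
    return dir;
}
int main() {
    const std::string untrusted = makeSampleDir("kdesu"), trusted = makeSampleDir("kdesu");
    std::string err;
    std::printf("PATH lookup : %s\n", resolveViaPath("kdesu", untrusted + ":" + trusted).c_str());
    std::printf("fixed lookup: %s\n", resolveFixed("kdesu", trusted, err).c_str());
    return 0;
}
```

The PATH lookup returns the copy in whichever directory is listed first, while the fixed lookup returns the same path no matter what the environment contains.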

Diff Detail

Repository: R167 Krusader
Lint: Automatic diff as part of commit; lint not applicable.
Unit: Automatic diff as part of commit; unit tests not applicable.
palant created this revision. Feb 23 2017, 9:57 AM
palant created this object with visibility "Krusader (Project)".
palant created this object with edit policy "Krusader (Project)".
palant updated this revision to Diff 11893. Feb 27 2017, 12:35 PM
palant changed the visibility from "Krusader (Project)" to "Public (No Login Required)".
palant changed the edit policy from "Krusader (Project)" to "All Users".

I updated this patch for changes in D4725 and improved the error message while at it. Now it should be obvious to the user where kdesu is expected to be.

abika accepted this revision. Feb 27 2017, 3:54 PM
abika added a subscriber: abika.

Thanks!

This revision is now accepted and ready to land. Feb 27 2017, 3:54 PM
This revision was automatically updated to reflect the committed changes.