Re: SuSE Linux K-Menu YAST Control Center Priviledge Escalation Vulnerability

[Matthias Leisi <matthias@xxxxxxxxx>]

Radoslav Dejanović wrote:

> It does pose some risk, 
> however, for it might allow unprivileged user to take a look at some data 
> that should be hidden from the user (for example, you can look at firewall 
> settings but can't make changes). 

But if the user is allowed to read this file (eg. somewhere in /etc) 
through Yast, then he can read it anyway, let's say through less.


> On the other hand, you can start yast from console with -firewall switch 
> and have a peek at the settings (still can't make changes), so this isn't 
> KDE fault but flaw in yast itself. It would be wise to add some paranoia 
> to yast so it won't show sensitive data to unprivileged user.   

Which is a bad idea, since it merely hides the problem.

-- Matthias

--
Brain-Log                               http://matthias.leisi.net/