Bug 216796

Summary: kdesu asks for password and accepts any even if sudo doesn't require password this minute
Product: [openSUSE] openSUSE 11.0
Reporter: edwin schepers <yez>
Component: KDE3
Assignee: Lubos Lunak <llunak>
Status: RESOLVED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Major
Priority: P2 - High
CC: andreas.hanke, carlosflange, kittkowske, linux, marcel, maximilian_bianco, mike_wells, rastislav.krupansky, scott, security-team
Version: RC 1
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description edwin schepers 2006-10-31 21:18:46 UTC
Hi,
On a previous beta1 installation, I got the message "conversation with su failed" when I rmb on the time and "Adjust Date & Time" and entered the password.
On this installation, the first time I have to provide a correct password. But when I close the dialog and select "Adjust Date & Time" again, an empty password will open the dialog. Also then, I'm able to start yast2 in "administrator" mode without having to supply a correct password.

Regards,
Edwin
Comment 1 Andreas Hanke 2006-10-31 23:22:05 UTC
This is not a bug. kdesu now uses sudo instead of su for authentication (btw. this caused the other, old, unrelated and long since fixed conversation problem).

Since what you describe is expected behaviour with sudo => not a bug IMHO.
Comment 2 edwin schepers 2006-11-01 08:32:32 UTC
Hi Andreas,
If it is, then it doesn't seem right to me that I get a popup the 2nd time to provide the root's password.
In this popup, it doesn't matter what I fill in, I will get the root access (very confusing).

Moreover, if this is the intended functionality, I would expect a checkbox which says "remember password".

At last, it also doesn't seem right to me that I don't have to provide the root's password anymore to get root's access to yast2 if I started (and closed!) the "Adjust Date & Time" before. If I don't close the "Adjust Date & Time", I'll have to provide a correct password to yast2.

Regards,
Edwin
Comment 3 Stephan Binner 2006-11-07 16:44:33 UTC
The password is only not required for 5 minutes, unless overridden in /etc/sudoers.
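As an added illustration (not part of the bug report, and not the openSUSE kdesu package's own configuration), these are the standard sudoers settings behind the 5-minute window described above, with the default shown beside the settings that remove or narrow the credential cache. Nothing here is specific to openSUSE; the option names are sudo's own, and the file path is the usual location for such overrides.

```sudoers
# Illustrative sudoers fragment (added example, not from the bug thread).
# Edit with visudo so a syntax error cannot lock you out:
#   visudo -f /etc/sudoers.d/timestamp      (or: visudo, for /etc/sudoers)

# What you get when nothing is set: a successful authentication is
# remembered for 5 minutes, so any later sudo invocation (including a
# sudo-based frontend such as kdesu) runs without a password prompt.
# Defaults timestamp_timeout=5

# Require the password on every invocation: no credential caching at all.
# This is the setting that directly addresses the concern in this bug,
# because a GUI launcher may have no terminal for tty_tickets to key on.
Defaults timestamp_timeout=0

# If some caching is wanted, tie the cached credential to the terminal it
# was granted on (where this is not already the default) instead of sharing
# one ticket across the whole login session.
Defaults tty_tickets
```

Two related commands are worth knowing when checking a host: `sudo -k` invalidates the caller's cached credential so the next sudo call prompts again, and `visudo -c` checks the syntax of the sudoers files without installing a change.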
Comment 4 edwin schepers 2006-11-08 20:51:44 UTC
Hello Stephan,
The new subject ("kdesu asks for root password even if not required") is a concern, but I'm more concerned about the buggy functionality described in the 3rd paragraph of my comment.
Moreover, it doesn't seem right to me that an ignorant user gets root access by default in a program (in this case yast2) if he/she left another app (adjust date&time) with root access.
Comment 5 Stephan Kulow 2006-11-09 08:41:48 UTC
If you're concerned about this, then deinstall sudo. KDE only offers a wrapper around that functionality.
Comment 6 Rebecca Walter 2007-01-04 09:14:04 UTC
I was about to file a similar bug report because I find it very worrying that I can start YaST as root without it prompting for the password.  I think this is a security risk.  In the past I haven't worried about letting someone here at home borrow my desktop for a few mins if not connected to SUSE because I knew they couldn't do anything dangerous.  When this person doesn't know how to use a command line, I also don't have to worry about the fact that my user is allowed to use sudo.  But now you are telling me that if I've used YaST recently or anything else requiring root access I do have to worry.  And nothing warned me of this.  I consider this a significant change of behavior that both is unexpected and without warning. 
Comment 7 Marcel Hilzinger 2007-01-08 09:51:49 UTC
I completely agree with Rebecca: To make such a fundamental change without any documentation is a bad idea. Consider adding this to the release notes, if there will be a new version.

Furthermore: sudo should not survive a logout/login. But with the current setup you can still start YaST without the root password after logout/login from KDE.
Comment 9 Stephan Binner 2007-05-06 10:01:28 UTC
*** Bug 271738 has been marked as a duplicate of this bug. ***
Comment 10 Thomas Biege 2007-09-13 12:45:27 UTC
*** Bug 308969 has been marked as a duplicate of this bug. ***
Comment 11 Stephan Binner 2007-10-24 07:05:52 UTC
*** Bug 336204 has been marked as a duplicate of this bug. ***
Comment 13 Stephan Binner 2007-11-26 09:12:37 UTC
*** Bug 343889 has been marked as a duplicate of this bug. ***
Comment 14 Mike Wells 2007-11-26 10:21:02 UTC
This is absolutely unbelievable and at the same time totally unacceptable. To make a root security change without any feedback to the openSUSE user community is beyond comprehension and escapes all logic! It would appear (at least to the "outsider") that a good many persons in R&D are taking leave of their senses! Comment #13 belongs to me and I discovered this problem while spending a considerable amount of time trying to get into CUPS (which btw, I still cannot) by doing password changes in YaST. Seems like a case of "playing God" to me just so that some people can get off on the fact that they have the power to make a change of this magnitude with no warning to the user whatsoever!

Hey, you couldn't even take the few minutes required to make a change to the password authentication dialog and update the title bar from "KDE su" to "KDE sudo". What a pity. Guess we had to use those precious minutes stuffing useless KDE4 previews into the 10.3 DVD iso.

Seems to me that someone high up on the food chain at Novell/SUSE needs to start paying attention to the feedback you are getting from your user community. Especially where bugs like this one are concerned.

10.3 in my estimation is by far the best yet (have been "here" since 9.1) but it appears that words like "quality", "stability", "usability" and "functionality" are quickly disappearing from the R&D dictionary.

Now with respect to Mr. Kulow's sordid statement in comment #5; mind reading is not free Mr. Kulow. Go figure!
Comment 16 Lubos Lunak 2008-04-28 15:50:36 UTC
Kdesu backend has been switched back from kdesu to su, so there will be no implicit password caching, there is a checkbox.
Comment 17 Lubos Lunak 2008-05-02 13:02:45 UTC
*** Bug 340311 has been marked as a duplicate of this bug. ***
Comment 18 Lubos Lunak 2008-05-02 13:06:05 UTC
*** Bug 346759 has been marked as a duplicate of this bug. ***
Comment 19 Lubos Lunak 2008-05-23 16:09:37 UTC
*** Bug 387644 has been marked as a duplicate of this bug. ***
Comment 20 Scott Couston 2008-05-24 07:47:52 UTC
ATTN # security-team@suse.de

Please consider restricted access view of this bug issue from non email recipients before google indexes this whole matter ;-)

http://www.google.com.au/search?q=andreas.hanke&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-GB:official&client=firefox-a
Comment 21 Marcus Meissner 2008-05-24 11:31:11 UTC
bugzilla.novell.com/robots.txt has Disallow: /  ... so don't worry.

I see the issue has been resolved, so there is no need for further action.

Security discussions shouldn't be held behind closed doors either, so people can check rationales, concerns, discussions and explanations.
Comment 22 Lubos Lunak 2008-05-27 09:02:23 UTC
#20, #21: There is no security issue. It works normally like sudo, except for the unneeded password prompt.
Comment 23 Lubos Lunak 2008-05-27 09:03:12 UTC
Reopening, I somehow forgot to remove the configure option actually switching the default back to su when submitting.

Comment 24 Lubos Lunak 2008-05-27 09:38:56 UTC
Fixed package submitted.
Comment 25 Lubos Lunak 2008-05-30 13:44:45 UTC
Reopening again, the fix is not going to make it to 11.0 GM.
Comment 26 Lubos Lunak 2008-06-27 09:59:46 UTC
This one has made it into 11.0 final after all.
Comment 27 Scott Couston 2008-06-27 10:11:25 UTC
RE #26: I assume this means that this IS resolved in 11.0GM, and NOT that the bug is present in 11.0GM.
If not, please add comments if this comment is NOT accurate.... cheers :-)