Bug 271738

Summary: GUI root access is available without password - KDE
Product: [openSUSE] openSUSE 10.2
Reporter: Scott Couston <scott>
Component: Security
Assignee: Security Team bot <security-team>
Status: RESOLVED DUPLICATE
QA Contact: E-mail List <qa-bugs>
Severity: Critical
Priority: P5 - None
Version: Final
Target Milestone: ---
Hardware: i586
OS: Other
Whiteboard:
Found By: Customer
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Scott Couston 2007-05-06 01:00:15 UTC
1. Open YaST > prompt for root password
2. Supply correct password > YaST opens
3. Close YaST
4. Open YaST > prompt for password
5. Enter nothing in password field and click on "Tick" > Full access to all YaST applications is possible.


100% reproducible.

The only way to safeguard root access to applications that require it is to log out and start a new session.

I registered this as a bug as I decided that this should not happen. If the user is only required to enter the root password once per GUI session, there is no point in requesting the password for subsequent access, and it leaves a GUI session with root access until the session is terminated; conceivably this could be days to weeks in the case of a workstation providing file/print services.

There may be a time-limiting factor after which the password is required again within the same session; however, this has not been observed during a relatively short test session.

If you
1. Open any other application that requires the root password.
2. Enter nothing as password > The application will be opened.
3. Close the other root application.
4. The root password is NOW required by any application that requests it.

100% reproducible.

It may be possible that this sequence of events is functioning as designed - if this is the case please close-wontfix.
Comment 1 Scott Couston 2007-05-06 02:19:26 UTC
Further testing indicates there to be a time-out parameter set that runs approximately 45 minutes??? after which access to the application WILL require a password to be entered. This expiry period of access to an application appears to be slightly different in actual time - possibly due to availability of processor time and the presence of other scheduled jobs that are time-initiated. The variance could be attributed to tasks taking different periods of time to complete, dependent on resources. This time difference, tested on 2 dissimilarly resourced workstations, is only a matter of minutes.

Conclusion: Discussions needed as to the acceptability of grace login without password for SU access - possibly functioning as designed > Agree > Question validity of argument > False.

Again 100% reproducible
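The description and comment 1 above describe kdesu caching the root password after the first successful prompt and keeping it for roughly 45 minutes. As an added defender-side check (not part of the bug report, nor KDE's or openSUSE's own code), the following Python script audits a user's kdeglobals file for that behaviour and compares it against a policy maximum. It assumes, and this is an assumption to verify against your KDE version, that KDE 3 stores the preference in the [Passwords] group of kdeglobals under the keys Keep (boolean) and Timeout (seconds), and that the per-user copy lives at ~/.kde/share/config/kdeglobals. The two sample configurations are constructed for the example.

```python
"""Audit KDE 3 kdesu password-keeping settings (added example).

ASSUMPTION (not stated in the bug report): kdesu's "remember password"
behaviour is read from the [Passwords] group of kdeglobals, keys Keep
(bool) and Timeout (seconds). Verify these names for your KDE version.
"""
import configparser
import io
import os

GROUP = "Passwords"       # assumed group name
KEY_KEEP = "Keep"         # assumed key: remember the root password?
KEY_TIMEOUT = "Timeout"   # assumed key: cache lifetime in seconds
USER_KDEGLOBALS = os.path.expanduser("~/.kde/share/config/kdeglobals")  # assumed path

# Constructed sample: the weak setting the report describes (password kept,
# 45 min = 2700 s) next to a hardened profile that never caches it.
WEAK_KDEGLOBALS = """\
[General]
widgetStyle=plastik

[Passwords]
Keep=true
Timeout=2700
"""

HARDENED_KDEGLOBALS = """\
[General]
widgetStyle=plastik

[Passwords]
Keep=false
Timeout=0
"""


def parse_kdeglobals(text):
    """Parse INI-style KDE config text; keys are case-sensitive in KDE."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str
    cp.read_file(io.StringIO(text))
    return cp


def password_policy(text):
    """Return (keep, timeout_seconds); None for anything not set explicitly."""
    cp = parse_kdeglobals(text)
    if not cp.has_section(GROUP):
        return None, None
    keep_raw = cp.get(GROUP, KEY_KEEP, fallback=None)
    timeout_raw = cp.get(GROUP, KEY_TIMEOUT, fallback=None)
    keep = None if keep_raw is None else keep_raw.strip().lower() in ("true", "1", "on", "yes")
    timeout = None if timeout_raw is None else int(timeout_raw.strip())
    return keep, timeout


def audit(text, max_timeout=300):
    """Return a list of findings; an empty list means the config is acceptable."""
    keep, timeout = password_policy(text)
    findings = []
    if keep is None:
        # Nothing set: the compiled-in default applies, which the report
        # shows caches the password, so treat it as a finding.
        findings.append("Keep not set: compiled-in default applies (report shows it caches the password)")
    elif keep:
        findings.append("Keep=true: root password is cached after the first successful kdesu prompt")
        if timeout is None:
            findings.append("Timeout not set: cache lifetime is the compiled-in default (~45 min per the report)")
        elif timeout > max_timeout:
            findings.append(f"Timeout={timeout}s exceeds the policy maximum of {max_timeout}s")
    return findings


def audit_file(path=USER_KDEGLOBALS, max_timeout=300):
    """Audit a real kdeglobals file; a missing file counts as 'nothing set'."""
    if not os.path.exists(path):
        return audit("", max_timeout)
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit(fh.read(), max_timeout)


if __name__ == "__main__":
    for label, sample in (("weak", WEAK_KDEGLOBALS), ("hardened", HARDENED_KDEGLOBALS)):
        print(label, audit(sample) or ["ok"])
    print("current user", audit_file() or ["ok"])
```

Running the script prints the findings for both constructed samples and then for the current user's kdeglobals; the policy maximum of 300 seconds is an arbitrary value to tighten or loosen as local policy dictates.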
Comment 2 Stephan Binner 2007-05-06 10:01:28 UTC

*** This bug has been marked as a duplicate of bug 216796 ***
Comment 3 Scott Couston 2007-05-06 18:05:02 UTC
Sorry for reproduction - search did not include BETA1 outstanding bugs yet to be resolved.