Bug#1011624: kdesu: kdesu fails to authenticate with sudo from testing/unstable

To: Aurélien COUDERC <libre@coucouf.fr>
Cc: 1011624@bugs.debian.org, Rik Mills <rikmills@kde.org>, 1011624-submitter@bugs.debian.org
Subject: Bug#1011624: kdesu: kdesu fails to authenticate with sudo from testing/unstable
From: Marc Haber <mh+debian-packages@zugschlus.de>
Date: Wed, 1 Jun 2022 12:40:03 +0200
Message-id: <YpdCA/5i7iDBW8Du@torres.zugschlus.de>
Reply-to: Marc Haber <mh+debian-packages@zugschlus.de>, 1011624@bugs.debian.org
In-reply-to: <[🔎] 2d6c4ea8-3e39-85d8-704a-733c2c2b3a66@coucouf.fr>
References: <4e568a1d-ef7e-87b1-060d-e39809083ebe@kde.org> <4e568a1d-ef7e-87b1-060d-e39809083ebe@kde.org> <Yo+KJjZQ4lRsq+oF@drop.zugschlus.de> <[🔎] 2d6c4ea8-3e39-85d8-704a-733c2c2b3a66@coucouf.fr> <4e568a1d-ef7e-87b1-060d-e39809083ebe@kde.org>

On Wed, Jun 01, 2022 at 12:35:01PM +0200, Aurélien COUDERC wrote:
> Le 26/05/2022 à 16:09, Marc Haber a écrit :
> > On Wed, May 25, 2022 at 01:58:58PM +0100, Rik Mills wrote:
> > > The issue can be worked around by adding /etc/sudoers.d/kdesu with the
> > > contents
> > > 
> > > Defaults!/usr/lib/*/libexec/kf5/kdesu_stub !use_pty
> > 
> > kdesu is cordially invited to ship that file in the package, fixing the
> > issue for everybody. Please add a comment with the reference to this bug
> > report and remove the file once kdesu was fixed upstream.
> 
> kdesu is now cordially shipping the file in the package. :-)

;-)

> Would you mind to comment why this is OK from a security perspective ?

There is a discussion in the KDE bug ticket that seems to make sense to
me. kdesu is exploiting a vulnerability in sudo that we fixed by forcing
the pty. If we don't want to lose kdesu's functionality, we need either
fixing kdesu so that is uses "legal" methods to use sudo, or we need to
re-open the vulnerability to allow unmodified kdesu to work.

This is kdesu's vulnerability now ;-)

I would love to see kdesu fixed in some future, so that the "insecure"
sudo rule can be removed. It would be an idea to ship the file with the
rule commented out by default so that every local admin can cause their
own vulnerability, but that'd probable cause a new avalanche of "kdesu
broken" bug reports.

> I’m no security expert at all but if I read the CVE description correctly,
> the issue is with the su'ed command being able to escape the su user
> session.
> Is it OK in this case because kdesu is used to gain root from non-root and
> so escaping the su session only gives you back the original non-root user
> rights ?

I hope that other people can comment on that, I would need to ponder
about that for some time.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421

Reply to:

References:
- Bug#1011624: kdesu: kdesu fails to authenticate with sudo from testing/unstable
  - From: Aurélien COUDERC <libre@coucouf.fr>

Prev by Date: Bug#1011624: kdesu: kdesu fails to authenticate with sudo from testing/unstable
Next by Date: Processing of knewstuff_5.94.0-2_source.changes
Previous by thread: Bug#1011624: kdesu: kdesu fails to authenticate with sudo from testing/unstable
Next by thread: Processing of knewstuff_5.94.0-2_source.changes
Index(es):
- Date
- Thread