ksmarttray and updates
Basil Chupin
blchupin at tpg.com.au
Thu Aug 10 00:56:35 PDT 2006
Stephen Boddy wrote:
> On Wednesday 09 August 2006 17:12, Basil Chupin wrote:
>> Stephen Boddy wrote:
>>> Hello Basil, fancy meeting you here :-D
>>>
>>> I'm curious what the permissions are on your smart-update binary. It
>>> appears that by setting mine to setuid I can run smart as a regular user
>>> and get the blinky icon and it works how I want it to. i.e.
>>>
>>> # ls -la `which smart-update`
>>> -rwsr-xr-x 1 root root 4464 Jul 30 18:09 /usr/bin/smart-update
>>>
>>> This is the command that ksmarttray runs every five minutes. This is a
>>> small wrapper program for running "smart update --after 60", which will
>>> only perform the update if it has been at least 60 minutes since the last
>>> update.
>>>
>>> Regards
>> The permissions are no different to what you have:
>>
>> -rwxr-xr-x 1 root root 4464 Aug 7 01:25 smart-update
>>
>> And I haven't touched anything.
>
> Look a little closer Basil. I have set my binary with the suid bit (the s
> in -rwsr-xr-x). I made that change, and it is different to yours. It was the
> only way I could get ksmarttray to perform the channel update, and then
> blink, without running ksmarttray as root.
I didn't miss the "s"; I know that you mentioned it in your earlier
message. But I didn't refer to it (I should have) because I was thinking
about your inability to have the icon blinking unless you did the suid
"fix" whereas mine blinks without me touching anything.

However, I will restate what I stated earlier - and I hope that the
authors of smart take note - that a user should NOT be allowed to
upgrade the system and therefore, even if a root does alter the
permissions of the file as you have, there should be a check done to
disallow an update if it is being done without first having to enter the
root password.

I would consider this as a SECURITY HOLE for any Linux system using smart.

[pruned]

Cheers.
--
This computer is environment-friendly and is running on OpenSuSE 10.1
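
An added example, not part of the original message or of smart: POSIX shell functions that read the setuid bit from `ls -l` mode strings like the two quoted in this thread, and list setuid files under a directory that are not on an administrator's allowlist. The function names and the allowlist format (one absolute path per line) are assumptions.

```shell
#!/bin/sh
# Added example: spot setuid binaries such as a locally modified smart-update.

# mode_class MODE
# Classify an `ls -l` mode string by its owner-execute slot (4th character):
#   's' = setuid and owner-executable, 'S' = setuid without owner execute.
mode_class() {
    case "$1" in
        ???s*) echo setuid ;;
        ???S*) echo setuid-noexec ;;
        *)     echo plain ;;
    esac
}

# find_setuid DIR
# Print regular files under DIR (same filesystem only) with the setuid bit set.
find_setuid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null
}

# unexpected_setuid DIR ALLOWLIST
# Print setuid files under DIR whose exact path is not listed in ALLOWLIST.
# ALLOWLIST is a hypothetical file with one absolute path per line.
unexpected_setuid() {
    find_setuid "$1" | sort | while IFS= read -r path; do
        grep -Fxq -- "$path" "$2" || printf '%s\n' "$path"
    done
}

# The two mode strings quoted in the thread.
for m in -rwsr-xr-x -rwxr-xr-x; do
    printf '%s %s\n' "$m" "$(mode_class "$m")"
done
```

Running `unexpected_setuid /usr/bin /path/to/allowlist` after package updates shows setuid bits that were added by hand rather than shipped by the distribution.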