ksmarttray and updates

Basil Chupin blchupin at tpg.com.au
Thu Aug 10 05:57:47 PDT 2006


Christoph Thiel wrote:
> On Thu, 10 Aug 2006, Basil Chupin wrote:
> 
>> I didn't miss the "s"; I know that you mentioned it in your earlier 
>> message. But I didn't refer to it (I should have) because I was thinking 
>> about your inability to have the icon blinking unless you did the suid 
>> "fix" whereas mine blinks without me touching anything.
>>
>> However, I will restate what I stated earlier - and I hope that the 
>> authors of smart take note - that a user should NOT be allowed to 
>> upgrade the system and therefore, even if a root does alter the 
>> permissions of the file as you have, there should be a check done to 
>> disallow an update if it is being done without first having to enter the 
>> root password.
>>
>> I would consider this as a SECURITY HOLE for any Linux system using 
>> smart.
> 
> This is not the default set of permissions for smart. Which package are 
> you using? On SUSE the permissions for smart-update read:
> 
> -rwxr-xr-x 1 root root 8393 Aug  6 14:18 smart-update
> 
> 
> Regards
> 	Christoph

The permissions for what I have installed are:

-rwxr-xr-x 1 root root 4464 Aug  7 01:25 smart-update

and I am using the 0.42-5 package but if you are talking to Stephen, who 
is the one who has used suid on smart-update, then you will have to ask 
him because I don't know which version he is using.

But as soon as I sent my message I realised that there is really very 
little one can do about stopping the root from fiddling with files and 
making them writable/executable by a user. If the root is silly enough 
to do this and permit a user to, say, upgrade the system then it really 
is his/her problem and s/he has to wear the consequences; and the 
author(s) of the software have little or no control over this (in the 
open source environment).

Cheers.

-- 
This computer is environment-friendly and is running on OpenSuSE 10.1
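
As an added example (not part of the original message and not code from smart): a shell check an administrator could run to confirm that a helper such as smart-update has not been made setuid/setgid or writable by non-owners, which is the permission change this thread discusses. The function name `audit_mode` and passing the file path as an argument are assumptions of the example.

```shell
#!/bin/sh
# Added example: audit a root-owned helper for risky permission bits.
# audit_mode PATH prints one finding per line.
# Returns 0 if clean, 1 if any finding, 2 if the file does not exist.
audit_mode() {
    f=$1
    findings=0
    if [ ! -e "$f" ]; then
        echo "missing: $f"
        return 2
    fi
    # -u and -g are the POSIX tests for the setuid and setgid bits.
    # A setuid root helper runs with root privileges for any user who
    # can execute it, with no password prompt.
    if [ -u "$f" ]; then
        echo "setuid bit set: $f"
        findings=1
    fi
    if [ -g "$f" ]; then
        echo "setgid bit set: $f"
        findings=1
    fi
    # Group- or world-writable: a non-owner could replace the program.
    if [ -n "$(find "$f" -prune \( -perm -0020 -o -perm -0002 \))" ]; then
        echo "writable by group or others: $f"
        findings=1
    fi
    return "$findings"
}

# Usage: sh audit.sh /path/to/smart-update [more files...]
# The path is supplied by the caller; none is assumed here.
if [ "$#" -gt 0 ]; then
    status=0
    for path in "$@"; do
        audit_mode "$path" || status=1
    done
    exit "$status"
fi
```

A file with the `-rwxr-xr-x` mode quoted in the thread produces no findings; the same file after `chmod u+s` is reported.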


