Jordan Pilat wrote:
>A vulnerability exists in the implementation of
>placing the SuSE YAST Control Center in the K Menu.
>Normally, one would be required to authenticate as
>root before being granted access to the YAST Control
>Center. When placing the 'preferences' submenu in
>the K Menu (in the 'submenu' section under the
>'Menus' tab of the K menu panel preferences),
>however, one can not only access, but make changes to
>the options in the YAST control center without having
>to authenticate as root.
>
>
You can change options, but cannot save them or install software. It
will fail silently, or with dubious error messages.
I experienced this after upgrading, when I suddenly was not able to
change network settings or install new packages when starting the yast
modules from the K-menu. I first thought that graphical yast was broken
until I realized that it never asked me for a root password.
So it's not so much a security bug as just a normal usability bug. It's
just useless to start yast without root privileges.
Stefan Seifert
Received on Aug 07 2004
Intro
