-
Notifications
You must be signed in to change notification settings - Fork 165
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Security hole: CORE gives root access to ordinary users #75
Comments
This has been raised in the mailing list here and is being discussed. I am not sure there is any easy way around this but I am not one of the developers just a small contributor. Hopefully a way can be found to keep it in. |
Thanks for your reply Stuart. I will wait for a decision. No matter what the circunstances, if no Regards, Eriberto 2015-10-11 18:55 GMT-03:00 stuartmarsden [email protected]:
|
The GUI loophole is a byproduct of using vcmd, which provides root access within nodes. If vcmd was locked down to only be ran by sudo, would that solve this problem? |
Em qua, 5 de jun de 2019 às 17:59, bharnden <[email protected]>
escreveu:
The GUI loophole is a byproduct of using vcmd, which provides root access
within nodes. If vcmd was locked down to only be ran by sudo, would that
solve this problem?
Hi @bharnden,
Thanks for your help. No, it don't solve the issue because a student will
can access the main system in a university.
Regards,
Eriberto
|
You realise that OpenVPN has exactly the same issue .. |
Has any work or investigation for this been done since the issue was created? I tried a couple links to email threads while trying to understand the history or if there were short-term patches that could be applied, but a good chunk of the links don't appear to be working after 7 years. On a side note, this is a serious enough security problem that CORE maintainers may want to recharacterize this as a bug rather than an enhancement. |
Hi,
I am the Debian maintainer of CORE. Recently, a bug opened[1] in Debian told us about a privilege escalation via core-gui.
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=799756
This issue will cause the CORE removal from Debian in some days[2].
[2] https://udd.debian.org/cgi-bin/autoremovals.cgi
To break the removal, I need upload a fix. It can be a patch or a new version. So, I would like to ask: is there a solution for this issue?
Thanks a lot in advance.
Regards,
Eriberto
The text was updated successfully, but these errors were encountered: