aru Posted March 12, 2003

MandrakeSoft Security Advisory MDKSA-2003:031 : usermode
March 12th, 2003

Updated usermode packages remove insecure shutdown command

The /usr/bin/shutdown command that comes with the usermode package can be executed by local users to shutdown all running processes and drop into a root shell. This command is not really needed to shutdown a system, so it has been removed and all users are encouraged to upgrade. Please note that the user must have local console access in order to obtain a root shell in this fashion.

The released versions of Mandrake GNU/Linux affected are:
[*] 8.1
[*] 8.1/IA64
[*] 8.2
[*] 8.2/PPC
[*] 9.0
[*] Multi Network Firewall 8.2
[*] Corporate Server 2.1

All the information about this advisory is available at:
www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:031

This stuff was posted automatically by aru
aru Posted March 13, 2003 (Author)

Before thinking of following this Mandrake advisory I strongly recommend you take a look at ndeb's related post: http://www.mandrakeusers.org/viewtopic.php?t=3626
aru Posted March 14, 2003 (Author)

ndeb discovered a way to reproduce the error that the new version of "usermode" had supposedly fixed:

I checked that the mandrake-9.0 security update in http://www.mandrakesecure.net/en/advisorie...=MDKSA-2003:031 does NOT fix the bug. After applying these updates on mandrake-9.0, just run (as non-root user)

    ln -s /usr/bin/consolehelper shutdown

in your home directory and then run

    ./shutdown now

To fix this weird behavior while we wait for a real fix from mandrake (a fix for the binaries "consolehelper" and "userhelper") you can remove the file:

    /etc/pam.d/shutdown

Doing that you'll avoid that userhelper launches shutdown without privileges.

man consolehelper: consolehelper requires that a PAM configuration for every managed program exist. So to make /sbin/foo or /usr/sbin/foo managed, you need to create a link from /usr/bin/foo to /usr/bin/consolehelper and create the file /etc/pam.d/foo, normally using the pam_console(8) PAM module.

HTH

PS: only tested on my system
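The man page excerpt above describes the two pieces that make a program consolehelper-managed: a symlink to consolehelper and a matching file in /etc/pam.d. The script below, added here as an illustration and not part of the thread or of the usermode package, audits a system for that pairing so an administrator can see which programs are routed through consolehelper and whether a "shutdown" entry (the one the workaround above removes) is still present. The directory paths are parameters, and the demo builds a constructed directory tree under mktemp rather than touching the real /usr/bin or /etc/pam.d; the function names and output format are my own.

```shell
#!/bin/sh
# Added example: audit consolehelper-managed programs.
# Per man consolehelper, a managed program is a symlink in the bin directory
# pointing at consolehelper, plus a PAM config file of the same name in pam.d.

# list_consolehelper_links BINDIR
# Print the basename of every symlink in BINDIR whose target is consolehelper.
list_consolehelper_links() {
    bindir=$1
    for f in "$bindir"/*; do
        [ -L "$f" ] || continue
        target=$(readlink "$f")
        case "$target" in
            consolehelper|*/consolehelper) basename "$f" ;;
        esac
    done
}

# audit_consolehelper BINDIR PAMDIR
# For each managed program print "<name> pam-config-present" when PAMDIR/<name>
# exists, otherwise "<name> pam-config-missing" (consolehelper will not run a
# program that has no PAM configuration).
audit_consolehelper() {
    bindir=$1
    pamdir=$2
    for name in $(list_consolehelper_links "$bindir"); do
        if [ -f "$pamdir/$name" ]; then
            echo "$name pam-config-present"
        else
            echo "$name pam-config-missing"
        fi
    done
}

# shutdown_wrapper_present BINDIR PAMDIR
# Exit 0 if a consolehelper-managed shutdown with a PAM config is still in
# place (the configuration the thread's workaround removes), 1 otherwise.
shutdown_wrapper_present() {
    audit_consolehelper "$1" "$2" | grep -q '^shutdown pam-config-present$'
}

# demo: constructed directory tree (hypothetical layout, not the real system).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/bin" "$tmp/pam.d"
    : > "$tmp/bin/consolehelper"
    ln -s "$tmp/bin/consolehelper" "$tmp/bin/shutdown"
    ln -s "$tmp/bin/consolehelper" "$tmp/bin/halt"
    : > "$tmp/pam.d/shutdown"
    audit_consolehelper "$tmp/bin" "$tmp/pam.d"
    if shutdown_wrapper_present "$tmp/bin" "$tmp/pam.d"; then
        echo "shutdown is consolehelper-managed with a PAM config"
    fi
    rm -rf "$tmp"
}

demo
```

On a real box you would call `audit_consolehelper /usr/bin /etc/pam.d`; a line reading `shutdown pam-config-present` means the symlink-plus-PAM-config pairing the thread discusses is still active, and removing /etc/pam.d/shutdown (as ndeb suggests) flips it to `pam-config-missing`.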