ktsuss 1.2 released

David B. Cortarello nomius at users.berlios.de
Tue Sep 11 03:57:09 CEST 2007


Tim, thanks for the feedback. I missed a setuid() and a setgid() call
in the auth code, sorry about that. I only tried it running
applications as root, so that passed me by.
This is an ugly fix, but it works for now. Add this code before the crypt call:

if (setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0) {  /* drop gid before uid; either failure is fatal */
    fprintf(stderr, "I'm not setuid\n");
    exit(3);
}


The fact is that there was a part of the code to run applications as
another user besides root, but it wasn't completely done, so I made
some mistakes.
Anyways, the code is fixed now in my darcs server, but I don't like too
much how I fixed it; as you can see, a setuid(0) and then
setuid(pw->pw_uid) isn't a good security approach. I have to be
completely sure that the code is secure to do that, so I'll have to do
some testing first.
Maybe I can do it the other way around, running a backend
authentication as setuid and doing the whole authentication and launching
there, which I think will be more secure, and of course it will allow
me to code a keyring more easily too (but it ain't gonna happen soon, as I have
to finish other projects before).

On 9/10/07, Tim Tassonis <timtas at cubic.ch> wrote:
> David B. Cortarello wrote:
> > I spoke here once about ktsuss (a graphical version of su) as an
> > alternative to gksu.
> > Today I just released version 1.2. If anyone wants to download it,
> > this is the place to do it:
> > http://developer.berlios.de/projects/ktsuss
> >
> > Suggestions, bug reports, etc are welcome.
> >
>
> Thanks a lot for the software, I just downloaded it and ran it. But I'm
> not quite sure what it does...
>
>
> When I run
>
> ktsuss id
>
> and provide the credentials "timtas/password", the output is:
>
> uid=0(root) gid=1000(timtas) groups=4(adm),..,119(fuse),1000(timtas)
>
>
> i.e. the groups of user timtas.
>
> The uid is however root, which surprises me, as I specified "timtas" as
> userid.
>
>
> So, I'd like to know what happens here. Unfortunately, there is no
> documentation whatsoever (apart from the source code...).
>
>
> But
> _______________________________________________
> Xfce4-dev mailing list
> Xfce4-dev at xfce.org
> http://foo-projects.org/mailman/listinfo/xfce4-dev
>


-- 
David B. Cortarello <nomius`at`users`dot`berlios`dot`de>
Weblog: http://nomius.blogspot.com
Kwort Linux: http://www.kwort.org
Jabber: nomius at jis.mit.edu

"Computer science is no more about computers than astronomy is about
telescopes." - Edsger Dijkstra
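The privilege-drop sequence discussed in this thread, as an added example that is not ktsuss code: supplementary groups and gid are changed first (only possible while still root), setuid() goes last, and the result is verified to be irreversible. The function names and the NULL-user fallback to setgroups() are this example's own choices.

```c
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop from root to uid/gid. Order matters: supplementary
 * groups and gid can only be changed while still root, so they go first;
 * setuid() goes last because after it nothing else can be changed.
 * Returns 0 on success, -1 on failure with errno set.
 * (Example code, not from ktsuss; the names are this example's own.) */
int drop_privileges(uid_t uid, gid_t gid, const char *user)
{
    if (geteuid() == 0) {
        /* Replace root's supplementary groups with the target user's,
         * or with just gid when no user name is known. */
        if (user != NULL ? initgroups(user, gid) != 0
                         : setgroups(1, &gid) != 0)
            return -1;
    }
    if (setgid(gid) != 0)          /* gid before uid, or this fails with EPERM */
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* A real drop is irreversible: if root can still be regained, only the
     * effective uid changed and the caller must not trust the drop. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Resolve a user name and drop to that user; the caller does this before
 * running the command on the user's behalf. */
int drop_to_user(const char *name)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL) {
        errno = ENOENT;
        return -1;
    }
    return drop_privileges(pw->pw_uid, pw->pw_gid, pw->pw_name);
}
```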


