! Please note that this is a snapshot of our old Bugzilla server, which is read only since May 29, 2020. Please go to gitlab.xfce.org for our new server !
xfce pol kit lets others sneak in
Status: RESOLVED: INVALID
Product: Xfce4-session
Component: General

Comments

Description Todd 2019-04-17 22:39:42 CEST
Fedora 29
Xfce 4.13

Dear Xfce,

Whenever I put the root password into xfce Pol kit, I can run other root programs for about 10 seconds after the first Pol Kit prompt without having to enter root's password again. This gives me the creeps.

For instance, qemu-kvm's "virt-manager" pops an xfce pol kit prompt but flies right through if I have entered the pol kit's root password somewhere else within the last 10 seconds.

Please fix. This is a pretty big security hole.

Many thanks,
-T
Comment 1 Andre Miranda 2019-04-18 04:16:22 CEST
xfce-polkit is not an official component, you should report at https://github.com/ncopa/xfce-polkit
Comment 2 Todd 2019-04-18 04:36:25 CEST
Hi Andre,

That I did not know.

Thank you for the link! It makes it really easy to report.

xfce pol kit lets others sneak in:
https://github.com/ncopa/xfce-polkit/issues/5

-T

Bug #15298

Reported by: Todd
Reported on: 2019-04-17
Last modified on: 2019-04-18

People

Assignee: Xfce Bug Triage
CC List: 1 user

Version

Version: Unspecified
