[Debian-olpc-devel] Bug#481581: sugar: Sugar can power down the computer

Josef Spillner 2005 at kuarepoti-dju.net
Sat May 17 08:27:08 UTC 2008


Package: sugar
Version: 0.79.4-2
Severity: normal

I decided to toy around with Sugar a bit to see what it's all about, and
apt-get installed sugar. When clicking on "shutdown" in the context
menu, I was surprised to see that my computer actually shut down,
despite /usr/bin/sugar* not carrying any s(u|g)id bit. Given that
/sbin/halt refuses to be run by an ordinary user, where does Sugar
get the privileges from? In any case, it shouldn't have that privilege
since malicious software could exploit it to power down the computer.
Security policies shouldn't appear as inconsistent as they do in this
case.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.24-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages sugar depends on:
ii  dbus-x11                      1.1.1-3    simple interprocess messaging syst
ii  librsvg2-common               2.18.2-1   SAX-based renderer library for SVG
ii  matchbox-window-manager       1.2-1      window manager for resource-limite
ii  python                        2.5.2-1    An interactive high-level object-o
ii  python-cairo                  1.4.0-2+b1 Python bindings for the Cairo vect
ii  python-central                0.6.6      register and build utility for Pyt
ii  python-dbus                   0.82.3-1   simple interprocess messaging syst
ii  python-gnome2-desktop         2.20.0-1   Python bindings for the GNOME desk
ii  python-gobject                2.14.0-2   Python bindings for the GObject li
ii  python-gst0.10                0.10.11-1  generic media-playing framework (P
ii  python-gtk2                   2.12.0-1   Python bindings for the GTK+ widge
ii  python-hippocanvas            0.2.23-4.1 Python bindings to hippo-canvas
ii  python-numpy                  1:1.0.4-8  Numerical Python adds a fast array
ii  python-simplejson             1.9.1-1    Simple, fast, extensible JSON enco
ii  python-sugar                  0.79.1-1   Sugar graphical shell - core funct
ii  python-sugar-toolkit          0.79.6-2   Sugar graphical shell - core widge
ii  python-telepathy              0.15.0-1   python language bindings for telep
ii  telepathy-gabble              0.7.5-2    Jabber/XMPP connection manager
ii  telepathy-salut               0.3.1-1    Link-local XMPP connection manager
ii  telepathy-stream-engine       0.5.2-1    stream handler for the Telepathy f

Versions of packages sugar recommends:
ii  gstreamer0.10-plug 0.10.8-2              GStreamer plugins from the "good" 
ii  net-tools          1.60-17.2             The NET-3 networking toolkit
ii  network-manager    0.6.5-3               network management framework daemo
ii  sugar-artwork      0.79.2-2              Sugar graphical shell - artwork
ii  x11-xserver-utils  7.3+1                 X server utilities
ii  xbase-clients      1:7.3+3               miscellaneous X clients - metapack
ii  xserver-xephyr     2:1.4.1~git20080131-3 nested X server

-- no debconf information




