[Debian-olpc-devel] Bug#481581: Bug#481581: sugar: Sugar can power down the computer

patrick at koumbit.org patrick at koumbit.org
Sat May 17 22:53:15 UTC 2008


> I decided to toy around with Sugar a bit to see what it's all about, and
> apt-get installed sugar. When clicking on "shutdown" in the context
> menu, I was surprised to see that my computer actually shut down,
> despite /usr/bin/sugar* not carrying any s(u|g)id bit. Given that
> /sbin/halt refuses to be run by an ordinary user, where does Sugar
> get the privileges from?

The shutdown is done by the HAL "power management" interface called by dbus
('org.freedesktop.Hal.Device.SystemPowerManagement').

> In any case, it shouldn't have that privilege
> since malicious software could exploit it to power down the computer.
> Security policies shouldn't appear as inconsistent as they do in this
> case.

We could replace shutdown by logout. I've created a quick little patch
that adds "logout" to the menu and allows us to return to gdm/kdm/xdm.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: logout.patch
Type: text/x-patch
Size: 1189 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/debian-olpc-devel/attachments/20080517/21903f6d/attachment.bin 
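
Added example, not part of the original message or of HAL/Sugar: a small audit that lists which D-Bus system-bus policy scopes are allowed to send to the interface named in the reply, which is one way to see where an unprivileged session gets the right to shut down. It assumes access is governed by `<busconfig>` policy files; the policy text is a constructed sample (not Debian's actual hal.conf) and the function names are hypothetical.

```python
import glob
import xml.etree.ElementTree as ET

IFACE = "org.freedesktop.Hal.Device.SystemPowerManagement"  # named in the reply above

# Constructed sample in the D-Bus <busconfig> format; not a real shipped policy.
SAMPLE_POLICY = b"""<busconfig>
  <policy context="default">
    <deny send_interface="org.freedesktop.Hal.Device.SystemPowerManagement"/>
  </policy>
  <policy group="powerdev">
    <allow send_interface="org.freedesktop.Hal.Device.SystemPowerManagement"/>
  </policy>
  <policy at_console="true">
    <allow send_interface="org.freedesktop.Hal.Device.SystemPowerManagement"/>
    <allow send_interface="org.freedesktop.Hal.Device.LaptopPanel"/>
  </policy>
  <policy user="root">
    <allow own="org.freedesktop.Hal"/>
  </policy>
</busconfig>"""

SCOPES = ("context", "user", "group", "at_console")

def rules_for(policy_xml, interface=IFACE):
    """Return (scope, verdict) for each allow/deny rule that names `interface`.
    Rules keyed only on send_destination are not evaluated here."""
    found = []
    for policy in ET.fromstring(policy_xml).iter("policy"):
        scope = next((f"{k}={policy.get(k)}" for k in SCOPES if policy.get(k)), "unscoped")
        for rule in policy:
            if rule.tag in ("allow", "deny") and rule.get("send_interface") == interface:
                found.append((scope, rule.tag))
    return found

def allowed_scopes(policy_xml, interface=IFACE):
    """Scopes that are explicitly allowed to send to `interface`."""
    return [scope for scope, verdict in rules_for(policy_xml, interface) if verdict == "allow"]

if __name__ == "__main__":
    print("sample:", allowed_scopes(SAMPLE_POLICY))
    # Assumed location of the system bus policy files on the audited host.
    for path in sorted(glob.glob("/etc/dbus-1/system.d/*.conf")):
        try:
            with open(path, "rb") as fh:
                hits = rules_for(fh.read())
        except (OSError, ET.ParseError) as exc:
            print(f"{path}: skipped ({exc})")
            continue
        for scope, verdict in hits:
            print(f"{path}: {verdict} for {scope}")
```

In the constructed sample, any user in the group or at the local console may call the power-management interface without a setuid binary being involved.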