kdesu accept any password

Bug #88580 reported by Paul Dufresne
Affects | Status | Importance | Assigned to | Milestone
kdebase (Ubuntu) | Fix Released | Low | Unassigned |

Bug Description

Binary package hint: kdebase

Open a new konsole, and:
paul@paul-Caspar:~$ kdesu whoami
[entered random password, then clicked Ok]
X Error: BadDevice, invalid or uninitialized input device 169
  Major opcode: 145
  Minor opcode: 3
  Resource id: 0x0
Failed to open device
X Error: BadDevice, invalid or uninitialized input device 169
  Major opcode: 145
  Minor opcode: 3
  Resource id: 0x0
Failed to open device
root
paul@paul-Caspar:~$

I was expecting a window message telling me my password was wrong, and not getting the result of
whoami, rather than finding that I am root.

sudo whoami works as expected.

||/ Nom Version Description
+++-==============-==============-============================================
ii kdebase-bin 3.5.6-0ubuntu1 core binaries for the KDE base module

Brian Murray (brian-murray) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. I am unable to reproduce this using kdebase-bin version 3.5.6-0ubuntu12. Was your version information truncated or do you have an older version of kdebase-bin installed? Thanks in advance.

Changed in kdebase:
assignee: nobody → brian-murray
status: Unconfirmed → Needs Info
Paul Dufresne (paulduf) wrote :

It seems to not be as easy to reproduce as I said.
Same version as you, the 2 was truncated.

I had tried many times, and was about to say that I was unable to
reproduce it after rebooting the computer. But I finally was able.

I begin to wonder if my bug that makes adept-updater crash
does not make it happen.

Even doing kdesu -s to stop kdesud does not stop the
bug from happening each time (once activated, not sure yet
how).

If that helps:
paul@paul-Caspar:~/arts_crash2$ ps -eH|grep kdesu
paul@paul-Caspar:~/arts_crash2$ kdesu whoami
X Error: BadDevice, invalid or uninitialized input device 169
  Major opcode: 145
  Minor opcode: 3
  Resource id: 0x0
Failed to open device
X Error: BadDevice, invalid or uninitialized input device 169
  Major opcode: 145
  Minor opcode: 3
  Resource id: 0x0
Failed to open device
root
paul@paul-Caspar:~/arts_crash2$ md5sum /usr/bin/kdesud
463ddf9c2fecb9716ffdba91adecb1a3 /usr/bin/kdesud
paul@paul-Caspar:~/arts_crash2$ md5sum /usr/bin/kdesu
2300c07be707ae4ac80a95e5bc8744fd /usr/bin/kdesu
paul@paul-Caspar:~/arts_crash2$

I am not much used to gdb, but I guess I'll try to get some information
on what is going on, while the bug is 'activated', before rebooting, and
not take the risk of not being able to reproduce it.

Paul Dufresne (paulduf) wrote :

Weird, it had stopped doing the bug everywhere, a bit after loading
a new konsole program.

I'll attach my .xsession-errors, if that helps.

Paul Dufresne (paulduf) wrote :

Sometimes, rather than opening the dialog window,
'kdesu whoami' hangs (stops, apparently doing nothing),
then a ps -eH shows that kdesu has spawned a
kdesu_stub, what is that? It seems to have been in
this case that the kdesu bug activated, and deactivated.

Paul Dufresne (paulduf) wrote :

Ok, I think I understand 'my error'. Here is my hypothesis:

Once you give your password, it is recalled somewhere for some
time. And it seems not to be in kdesud like man kdesu suggests
(saying that kdesu -s kills kdesud, so forgetting all passwords).

So by using adept-notifier, I had given my password, and from there,
the window on kdesu whoami is still shown, but whatever you type
in for the password is not tested; the magical somewhere
memory is used instead.

Still, I expect kdesu should not ask for the password
when it is recalled; that would be less confusing.

Changed in kdebase:
assignee: brian-murray → nobody
importance: Undecided → Low
status: Needs Info → Confirmed
Martin Pitt (pitti) wrote :

I just tried kdesu the first time for testing the sudo changes in bug 8556 and this is absolutely mad. I gave my password to kdesu exactly once, and from now on it accepts any password, even after I closed my session, killed all processes of mine (including kdesud) and restarted it. This needs to be fixed ASAP.

Changed in kdebase:
assignee: nobody → jr
importance: Low → Critical
Martin Pitt (pitti) wrote :

Ah, sorry for panicking. That's sudo's fault, timestamps survive session restarts.

Changed in kdebase:
assignee: jr → nobody
importance: Critical → Low
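
The diagnosis in the comment above is that sudo's cached timestamp, not kdesu, decided whether the typed password was ever checked. As an added example (not part of the bug report or of kdesu's code), this shell script tests whether sudo currently holds a cached credential and clears it; the `SUDO` override variable is an assumption introduced here so the logic can be exercised against a stub.

```sh
#!/bin/sh
# Added example: inspect and clear sudo's cached credential (the "timestamp")
# that made the kdesu dialog in this report accept any input.
# SUDO is a hypothetical override hook for this example; it defaults to sudo.

# Return 0 if sudo would run a command right now without asking for a password.
# Note: this is also true for root and for NOPASSWD sudoers entries.
sudo_is_cached() {
    "${SUDO:-sudo}" -n true >/dev/null 2>&1
}

# Invalidate the cached credential so the next sudo call must authenticate.
sudo_forget() {
    "${SUDO:-sudo}" -k
}

# Print the state before and after invalidation, e.g. "cached -> prompt".
# Exit status is non-zero if sudo still runs without a password afterwards,
# which points at NOPASSWD or a root shell rather than a stale timestamp.
audit_sudo_cache() {
    if sudo_is_cached; then before=cached; else before=prompt; fi
    sudo_forget
    if sudo_is_cached; then after=cached; else after=prompt; fi
    echo "$before -> $after"
    [ "$after" = prompt ]
}

# Run the audit only when asked, so sourcing this file has no side effects.
if [ "${1:-}" = "--audit" ]; then
    audit_sudo_cache
fi
```

A result of `cached -> prompt` before a kdesu test means the dialog's input would not have been verified. Setting `Defaults timestamp_timeout=0` in sudoers makes sudo ask every time.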
m305o (cipollina)
Changed in kdebase:
assignee: nobody → cipollina
Paul Dufresne (paulduf) wrote :

Hi m305o, you seem new here on Launchpad.
Please, do not assign yourself on bugs, at least until you join the BugSquad team, or a developer team.
I am un-assigning m305o, as he/she is not a member of any Launchpad team, so I don't see how he/she could commit a fix for my bug.

Changed in kdebase:
assignee: cipollina → nobody
Jonathan Thomas (echidnaman) wrote :

Doesn't seem to be an issue at all anymore in Intrepid.

Changed in kdebase:
status: Confirmed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
