Bug#685832: [Pkg-xfce-devel] Bug#685832: xfce4-sensors-plugin: xcfe4-sensors-plugin relies on a setuid hddtemp and recommends to setuid it


Yves-Alexis Perez-2
On sam., 2012-08-25 at 00:49 +0300, Eddy Petrișor wrote:

> xfce4-sensors-plugin seems to want, although not necessary, to have hddtemp
> setuid in the system in order to read the temperature of the HDD. It even goes
> to suggest to the user to setuid hddtemp.
>
> But there is an option to fetch hddtemp information without having hddtemp
> setuid, to read directly from a local port. This option is now disabled at
> buildtime because there is no netcat installed during build.
>
> So I just added netcat as a build depends and the resulting package works fine
> and no longer recommends the user the unsafe option of running hddtemp setuid.
>
Note that it also silently breaks for users who don't have hddtemp
running as a root daemon, which is not a really nice solution either.
--
Yves-Alexis

Eddy Petrișor
2013/5/29, Yves-Alexis Perez <[hidden email]>:

Hi Yves-Alexis,

> On sam., 2012-08-25 at 00:49 +0300, Eddy Petrișor wrote:
>> But there is an option to fetch hddtemp information without having hddtemp
>> setuid, to read directly from a local port. This option is now disabled at
>> buildtime because there is no netcat installed during build.
>>
>> So I just added netcat as a build depends and the resulting package works fine
>> and no longer recommends the user the unsafe option of running hddtemp setuid.
>>
> Note that it also silently breaks for users who don't have hddtemp
> running as a root daemon, which is not a really nice solution either.

Does my patch work if hddtemp is not running as a root daemon?

My original bug report was about the fact the Debian package could be
built so it is more secure by default and doesn't suggest
security-problematic ideas to the user.
You forwarded another related issue to upstream (warning always on
start), but if the package is built with netcat installed, the warning
issue would be mitigated for all Debian users.

Since you are in the Uploaders list for this package, I am wondering:
could you apply the patch I sent and upload a new version?

--
Eddy Petrișor
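The two access paths argued about in this thread, as an added example that is not code from the bug report, the plugin or the hddtemp package: a small POSIX shell audit that flags a setuid hddtemp binary and reads temperatures from the daemon on a local port instead, failing loudly rather than silently when no daemon answers. It assumes hddtemp's daemon mode listens on TCP 7634 and answers in the `|device|model|temperature|unit|` record format, and that the binary lives at /usr/sbin/hddtemp; none of these values are stated in the thread.

```shell
#!/bin/sh
# Added example, not code from the bug report or the package. Assumptions:
# hddtemp's daemon mode listens on TCP 7634 and answers with records shaped
# |device|model|temperature|unit|, and nc(1) is available as on the page.

# Return 0 when the file at $1 carries the setuid bit, the configuration the
# report warns against, and 1 otherwise. Uses GNU stat(1).
is_setuid() {
  [ -f "$1" ] || return 1
  mode=$(stat -c %a "$1") || return 1
  case "$mode" in
    4???|5???|6???|7???) return 0 ;;   # leading octal digit has the 4 (setuid) bit
    *) return 1 ;;
  esac
}

# Turn the daemon's one-line answer ($1) into "device tempUNIT" lines.
# Fields are separated by '|'; every record occupies five fields, the
# first and last of which are empty because records start and end with '|'.
parse_hddtemp() {
  printf '%s\n' "$1" | awk -F'|' '{
    for (i = 2; i + 3 <= NF; i += 5) printf "%s %s%s\n", $i, $(i+2), $(i+3)
  }'
}

# Query the local daemon ($1 = port, default 7634, an assumed value). Fails
# loudly rather than silently when nothing listens, the breakage noted above.
query_hddtemp() {
  port=${1:-7634}
  raw=$(nc -w 2 127.0.0.1 "$port" 2>/dev/null) || true
  if [ -z "$raw" ]; then
    echo "no hddtemp daemon answering on 127.0.0.1:$port" >&2
    return 2
  fi
  parse_hddtemp "$raw"
}

# Report which access path a host is set up for; never needs root itself.
# $1 = path of the hddtemp binary (assumed default), $2 = daemon port.
audit_hddtemp() {
  bin=${1:-/usr/sbin/hddtemp}
  if is_setuid "$bin"; then
    echo "warning: $bin is setuid; prefer the daemon on a local port" >&2
  fi
  query_hddtemp "$2"
}
```

Run `audit_hddtemp` on a host to see which of the two configurations it is in; an exit status of 2 means neither path delivers temperatures, which is the silent-failure case the maintainer points out.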
