blob: 04c3e1b4e4b83ffb575abbc0e8f535341a3c8133 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
|
klaptopdaemon and SUID permissions
----------------------------------
To allow ordinary users to control certain power management features,
klaptopdaemon's panel in the Trinity Control Center has a button which prompts
the user to enter the root password (Trinity Control Center --> Power Control
--> Laptop Battery, then the ACPI Config tab, then the Setup Helper
Application button). This button changes the permissions of
/usr/bin/klaptop_acpi_helper from "0755 root.root" to "6755 root.root",
and therefore grants all regular users extra power management abilities.
This has obvious security implications, and should not be done on any
system where all users are not trusted absolutely.
The standard klaptopdaemon changes the binary's permissions using chmod.
However, if an updated version of the Debian klaptopdaemon package
were then to be installed, it would reset the permissions, forcing the
sysadmin to reconfigure after each upgrade.
The Debian package has therefore been patched to use dpkg-statoverride to
permanently change the permissions of /usr/bin/klaptop_acpi_helper. The
override is removed and permissions reset if the package is removed or
purged. However, if the sysadmin wishes to remove the special permissions
of /usr/bin/klaptop_acpi_helper, they can do so at any time by issuing,
as root, the following commands:
dpkg-statoverride --remove /usr/bin/klaptop_acpi_helper
chown root:root /usr/bin/klaptop_acpi_helper
chmod 0755 /usr/bin/klaptop_acpi_helper
|