Bug 445139 - User with blank password can change Network config in gnome GUI without root password
Keywords:
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Fedora
Classification: Fedora
Component: usermode
Version: 8
Hardware: i386
OS: Linux
Priority: low
Severity: urgent
Target Milestone: ---
Assignee: Miloslav Trmač
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2008-05-04 15:20 UTC by Louis Tang
Modified: 2008-10-22 21:21 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-10-22 21:21:16 UTC
Type: ---
Embargoed:


Description Louis Tang 2008-05-04 15:20:54 UTC
Description of problem:

A user with a blank password can change network configurations in the GNOME GUI
without being asked for root's password.
This happens even with USERCTL=no in the ifcfg file.

Version-Release number of selected component (if applicable):

Fedora 8

How reproducible:

To set the user with a blank password, delete the password string in the shadow file.
Then startx, select Administration, Network.
All network devices can be modified.

Steps to Reproduce:
1. Delete the password string in shadow to set a blank password for the user.
2. startx
3. Select Administration; all functions can be locked but Network!

Actual results:

User can get full control of network devices even with USERCTL=no in the ifcfg files.

Expected results:

User should not control the network devices due to USERCTL=no.

Additional info:

Comment 1 Harald Hoyer 2008-05-05 17:06:35 UTC
USERCTL=yes only permits activation/deactivation, not modification.

Modification relies on consolehelper from usermode.

Comment 2 Harald Hoyer 2008-05-05 17:07:19 UTC
$ ls -l /usr/bin/system-config-network
lrwxrwxrwx 1 root root 13 2008-04-27 14:09 /usr/bin/system-config-network -> consolehelper


Comment 3 Louis Tang 2008-05-05 17:23:07 UTC
USERCTL=no also allows "blank password" user to activate / deactivate the 
network device in GUI mode.

Comment 4 Miloslav Trmač 2008-05-05 20:09:13 UTC
Thanks for your report.

This seems to be working fine for me.  Can you describe the steps more
precisely, please?
* Which application are you exactly starting?  What is the name in the menu?
  What is the window title?
* What exact action is allowed by "full control"?  What specific buttons/menu
  items can you use and what is the effect?
* Is there a root password set? Does (su -) require a password?
* Please attach the output of the following commands, when run from a terminal
  window in the same X session:
  - id -a
  - ls -l /usr/sbin/usernetctl
  - cat /etc/sysconfig/network-scripts/ifcfg-DEVICE, where DEVICE is the device
    you can manipulate but shouldn't be able to
  - cat /etc/pam.d/system-config-network
  - cat /etc/security/console.apps/system-config-network
  - cat /etc/security/console.apps/config-util
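
An offline version of the checks discussed in Comments 1 to 4, as an added example that is not part of the original report or of usermode: it lists accounts with an empty password field in a shadow-format file, reports the USERCTL value of each ifcfg file, and confirms that system-config-network is a symlink to consolehelper. The function names, the root-directory argument, the user "alice" and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a filesystem tree (a live "/" or a copy) for the three
# conditions this thread asks about. All sample data below is constructed.

blank_password_users() {            # $1 = shadow-format file
    # An empty second field means the account needs no password.
    awk -F: '$2 == "" { print $1 }' "$1"
}

userctl_of() {                      # $1 = ifcfg file -> yes | no | unset
    v=$(sed -n 's/^[[:space:]]*USERCTL=//p' "$1" | tail -n 1 \
        | tr -d "\"'" | tr 'A-Z' 'a-z')
    echo "${v:-unset}"
}

is_consolehelper_wrapper() {        # $1 = path to a program
    [ -L "$1" ] && [ "$(basename "$(readlink "$1")")" = consolehelper ]
}

audit_tree() {                      # $1 = root of the tree to inspect
    root=${1:-/}
    for u in $(blank_password_users "$root/etc/shadow"); do
        echo "BLANK_PASSWORD user=$u"
    done
    for f in "$root"/etc/sysconfig/network-scripts/ifcfg-*; do
        [ -f "$f" ] && echo "USERCTL device=${f##*/ifcfg-} value=$(userctl_of "$f")"
    done
    p=$root/usr/bin/system-config-network
    is_consolehelper_wrapper "$p" && echo "CONSOLEHELPER wrapper=${p#"$root"}"
    return 0
}

make_sample_tree() {                # constructed sample, not a real system
    d=$(mktemp -d)
    mkdir -p "$d/etc/sysconfig/network-scripts" "$d/usr/bin"
    printf '%s\n' 'root:$1$constructed$hash:13999:0:99999:7:::' \
                  'alice::13999:0:99999:7:::' \
                  'daemon:*:13999:0:99999:7:::' > "$d/etc/shadow"
    printf 'DEVICE=eth0\nONBOOT=yes\nUSERCTL=no\n' \
        > "$d/etc/sysconfig/network-scripts/ifcfg-eth0"
    printf 'DEVICE=eth1\nUSERCTL="yes"\n' \
        > "$d/etc/sysconfig/network-scripts/ifcfg-eth1"
    ln -s consolehelper "$d/usr/bin/system-config-network"
    echo "$d"
}

sample=$(make_sample_tree)
audit_tree "$sample"
rm -rf "$sample"
```

Run `audit_tree /` as root on a live system to read the real shadow file; a BLANK_PASSWORD line alongside a CONSOLEHELPER line is the combination the reporter describes.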

Comment 5 Christopher D. Stover 2008-10-22 21:21:16 UTC
The information we've requested above is required in order
to review this problem report further and diagnose or fix the
issue if it is still present.  Since it has been thirty days or
more since we first requested additional information, we're assuming
the problem is either no longer present in the current Fedora release, or
that there is no longer any interest in tracking the problem.

Setting status to "CLOSED: INSUFFICIENT_DATA".  If you still
experience this problem after updating to our latest Fedora
release and can provide the information previously requested,
please feel free to reopen the bug report.

Thank you in advance.