[Development] MaintenanceTool and/or InstallerFramework horribly insecure?
Konrad Rosenbaum
konrad at silmor.de
Thu May 21 21:14:57 CEST 2020
Hi,
I thought what the heck, lets update the pre-compiled Qt components on
my computer. Apart from making me jump through the Qt Account hoop, I'm
not sure whether this is deliberate (nefariously or incompetently) or
just broken (please tell me it is a simple bug!):
OS: Linux, Debian (testing), amd64
Installation-Directory of Qt: $HOME/Qt of the user running MaintenanceTool
MaintenanceTool version: 3.2.2-0-202003121118
When I call MaintenanceTool to install another version of Qt it wants to
sudo into root when it starts to download Qt components. It still asks
for the sudo password if I quit while selecting components! Worse, if I
normally have sudo set to NOPASSWD then it does not even ask, it just
switches!
The temporary directory installerResources has access rights 0557. Other
directories are group-writable.
I view those as severe security issues:
- the installer (actually no tool whatsoever) should switch to root
unless absolutely necessary, to prevent escalation of other security issues
- no interactive tool should switch to root without informing the user
- the installer must not make any directories or files writable for
anyone but the user running that tool - otherwise other users are able
to attack by inserting malicious code
I have the bad feeling that someone should perform a security audit on
MaintenanceTool and installer framework.
Konrad
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://lists.qt-project.org/pipermail/development/attachments/20200521/19faf1e5/attachment.sig>
More information about the Development
mailing list