[Development] MaintenanceTool and/or InstallerFramework horribly insecure?

Kai Köhne Kai.Koehne at qt.io
Sat May 23 06:13:28 CEST 2020 

Hi Konrad,

thanks for the report. Volker forwarded it to the qt-project security mailing list. Feel free to send further security related issues there.

> When I call MaintenanceTool to install another version of Qt it wants to
sudo into root when it starts to download Qt components.  It still asks
for the sudo password if I quit while selecting components!

I assume you start a new installer here (not the MaintenanceTool of an existing installation). Is that really during the download, or in the extractio phase? Can you maybe create a bug report and attach the installation log (you can start the installer with --verbose)?

> Worse, if I normally have sudo set to NOPASSWD then it does not even ask, it just switches!

This is now tracked in https://bugreports.qt.io/browse/QTIFW-1794

> The temporary directory installerResources has access rights 0557. Other
> directories are group-writable.

There indeed seems to be an issue in the rights of some directories (though I personally don't have the 0557 rights). Whether this is an IFW or packaging bug needs to be investigated further.

Kai

________________________________________
From: Development <development-bounces at qt-project.org> on behalf of Konrad Rosenbaum <konrad at silmor.de>
Sent: Thursday, May 21, 2020 9:14 PM
To: development at qt-project.org
Subject: [Development] MaintenanceTool and/or InstallerFramework horribly       insecure?

Hi,


I thought what the heck, lets update the pre-compiled Qt components on
my computer. Apart from making me jump through the Qt Account hoop, I'm
not sure whether this is deliberate (nefariously or incompetently) or
just broken (please tell me it is a simple bug!):


OS: Linux, Debian (testing), amd64

Installation-Directory of Qt: $HOME/Qt of the user running MaintenanceTool

MaintenanceTool version: 3.2.2-0-202003121118


When I call MaintenanceTool to install another version of Qt it wants to
sudo into root when it starts to download Qt components. It still asks
for the sudo password if I quit while selecting components! Worse, if I
normally have sudo set to NOPASSWD then it does not even ask, it just
switches!

The temporary directory installerResources has access rights 0557. Other
directories are group-writable.


I view those as severe security issues:

 - the installer (actually no tool whatsoever) should switch to root
unless absolutely necessary, to prevent escalation of other security issues

 - no interactive tool should switch to root without informing the user

 - the installer must not make any directories or files writable for
anyone but the user running that tool - otherwise other users are able
to attack by inserting malicious code


I have the bad feeling that someone should perform a security audit on
MaintenanceTool and installer framework.



    Konrad

More information about the Development mailing list