Open eribertomota opened 9 years ago
This has been raised in the mailing list here and is being discussed.
I am not sure there is any easy way around this, but I am not one of the developers, just a small contributor. Hopefully a way can be found to keep it in.
Thanks for your reply Stuart.
I will wait for a decision. No matter what the circumstances, if there is no solution for Debian and if you want, I can join the team to provide .deb packages. However, I hope that the developers find a solution for this relevant project that still integrates with Debian.
Regards,
Eriberto
2015-10-11 18:55 GMT-03:00 stuartmarsden notifications@github.com:
This has been raised in the mailing list here http://pf.itd.nrl.navy.mil/pipermail/core-users/2015-October/001871.html and is being discussed.
I am not sure there is any easy way around this, but I am not one of the developers, just a small contributor. Hopefully a way can be found to keep it in.
— Reply to this email directly or view it on GitHub https://github.com/coreemu/core/issues/75#issuecomment-147249563.
The GUI loophole is a byproduct of using vcmd, which provides root access within nodes. If vcmd was locked down to only be run by sudo, would that solve this problem?
On Wed, Jun 5, 2019 at 17:59, bharnden notifications@github.com wrote:
The GUI loophole is a byproduct of using vcmd, which provides root access within nodes. If vcmd was locked down to only be run by sudo, would that solve this problem?
Hi @bharnden,
Thanks for your help. No, it doesn't solve the issue because a student will be able to access the main system in a university.
Regards,
Eriberto
You realise that OpenVPN has exactly the same issue ..
Has any work or investigation for this been done since the issue was created? I tried a couple links to email threads while trying to understand the history or if there were short-term patches that could be applied, but a good chunk of the links don't appear to be working after 7 years.
On a side note, this is a serious enough security problem that CORE maintainers may want to recharacterize this as a bug rather than an enhancement.
Hi,
I am the Debian maintainer of CORE. Recently, a bug opened[1] in Debian told us about a privilege escalation via core-gui.
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=799756
This issue will cause the CORE removal from Debian in some days[2].
[2] https://udd.debian.org/cgi-bin/autoremovals.cgi
To break the removal, I need to upload a fix. It can be a patch or a new version. So, I would like to ask: is there a solution for this issue?
Thanks a lot in advance.
Regards,
Eriberto