tuanthng / pam-face-authentication

Automatically exported from code.google.com/p/pam-face-authentication
0 stars 0 forks source link

Security Flaw #73

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
qt-facetrainer can be run without sudo, I.E. if someone has access to your 
logged on user they can run it and delete your training and replace theirs and 
have sudo privileges on your computer.

Original issue reported on code.google.com by nolansyk...@gmail.com on 8 Dec 2010 at 11:26

GoogleCodeExporter commented 9 years ago
No, they cant. Sudo privelges require you to login as root and run 
qt-facetrainer.

Original comment by rohan.a...@gmail.com on 8 Dec 2010 at 11:28

GoogleCodeExporter commented 9 years ago

Original comment by rohan.a...@gmail.com on 8 Dec 2010 at 11:28

GoogleCodeExporter commented 9 years ago
I just restarted my computer, logged on to my user ran qt-facetrainer with no 
sudo it asked for not password and did not recognition and I was able to 
replace my face with my friends and give him sudo privileges on my computer

Original comment by nolansyk...@gmail.com on 8 Dec 2010 at 11:32

GoogleCodeExporter commented 9 years ago
I can't cope with the problem. Just imagine you do a login as your normal user, 
then start firefox and examine the saved passwords. You will also be able to 
see them without being superuser.

And in case of qt-facetrainer it's pretty much the same. There's no reason why 
a change of faces should require superior access. 

Original comment by feichtne...@gmail.com on 8 Dec 2010 at 12:40

GoogleCodeExporter commented 9 years ago
?!?!?!? no reason why a face change should require super user access? if the 
face change can be done as a normal user, that face change gives the normal 
user sudo privileges.

I.E. if you have this program installed anyone who sits down at this computer 
can just type in qt-facetrainer (no sudo required) and replace your face 
training and take full control of your computer. 

I am absolutely astonished that this has been marked invalid! This is 
absolutely confirmed!!!

Anyone can sit down at my computer right now and take it over when this program 
is installed, My god do I have to take a video of this and post the MAJOR 
security flaw on youtube to get you to believe me that it is real??

Original comment by nolansyk...@gmail.com on 8 Dec 2010 at 7:15

GoogleCodeExporter commented 9 years ago
Wait a minute!! that is you justification for this not being a flaw??? firefox 
will show people your saved passwords so it is all right if our program gives 
anyone sitting at your computer complete root access? 

Besides you can check the box in firefox to require a master password so it 
doesn't show the passwords. How do I make it so root password is required to 
run qt-facetrainer???

Original comment by nolansyk...@gmail.com on 8 Dec 2010 at 10:43

GoogleCodeExporter commented 9 years ago
If I was root, I wont leave my computer Unlocked. Period.

Original comment by rohan.a...@gmail.com on 9 Dec 2010 at 12:09

GoogleCodeExporter commented 9 years ago
I never log in as root I only use sudo.

Original comment by nolansyk...@gmail.com on 9 Dec 2010 at 12:44