You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
29 lines
1.5 KiB
29 lines
1.5 KiB
5 years ago
|
klaptopdaemon and SUID permissions
|
||
|
----------------------------------
|
||
|
|
||
|
To allow ordinary users to control certain power management features,
|
||
|
klaptopdaemon's panel in the Trinity Control Center has a button which prompts
|
||
|
the user to enter the root password (Trinity Control Center --> Power Control
|
||
|
--> Laptop Battery, then the ACPI Config tab, then the Setup Helper
|
||
|
Application button). This button changes the permissions of
|
||
|
/usr/bin/klaptop_acpi_helper from "0755 root.root" to "6755 root.root",
|
||
|
and therefore grants all regular users extra power management abilities.
|
||
|
This has obvious security implications, and should not be done on any
|
||
|
system where all users are not trusted absolutely.
|
||
|
|
||
|
The standard klaptopdaemon changes the binary's permissions using chmod.
|
||
|
However, if an updated version of the Debian klaptopdaemon package
|
||
|
were then to be installed, it would reset the permissions, forcing the
|
||
|
sysadmin to reconfigure after each upgrade.
|
||
|
|
||
|
The Debian package has therefore been patched to use dpkg-statoverride to
|
||
|
permanently change the permissions of /usr/bin/klaptop_acpi_helper. The
|
||
|
override is removed and permissions reset if the package is removed or
|
||
|
purged. However, if the sysadmin wishes to remove the special permissions
|
||
|
of /usr/bin/klaptop_acpi_helper, they can do so at any time by issuing,
|
||
|
as root, the following commands:
|
||
|
|
||
|
dpkg-statoverride --remove /usr/bin/klaptop_acpi_helper
|
||
|
chown root:root /usr/bin/klaptop_acpi_helper
|
||
|
chmod 0755 /usr/bin/klaptop_acpi_helper
|