|
|
|
klaptopdaemon and SUID permissions
|
|
|
|
----------------------------------
|
|
|
|
|
|
|
|
To allow ordinary users to control certain power management features,
|
|
|
|
klaptopdaemon's panel in the Trinity Control Center has a button which prompts
|
|
|
|
the user to enter the root password (Trinity Control Center --> Power Control
|
|
|
|
--> Laptop Battery, then the ACPI Config tab, then the Setup Helper
|
|
|
|
Application button). This button changes the permissions of
|
|
|
|
/usr/bin/klaptop_acpi_helper from "0755 root.root" to "6755 root.root",
|
|
|
|
and therefore grants all regular users extra power management abilities.
|
|
|
|
This has obvious security implications, and should not be done on any
|
|
|
|
system where all users are not trusted absolutely.
|
|
|
|
|
|
|
|
The standard klaptopdaemon changes the binary's permissions using chmod.
|
|
|
|
However, if an updated version of the Debian klaptopdaemon package
|
|
|
|
were then to be installed, it would reset the permissions, forcing the
|
|
|
|
sysadmin to reconfigure after each upgrade.
|
|
|
|
|
|
|
|
The Debian package has therefore been patched to use dpkg-statoverride to
|
|
|
|
permanently change the permissions of /usr/bin/klaptop_acpi_helper. The
|
|
|
|
override is removed and permissions reset if the package is removed or
|
|
|
|
purged. However, if the sysadmin wishes to remove the special permissions
|
|
|
|
of /usr/bin/klaptop_acpi_helper, they can do so at any time by issuing,
|
|
|
|
as root, the following commands:
|
|
|
|
|
|
|
|
dpkg-statoverride --remove /usr/bin/klaptop_acpi_helper
|
|
|
|
chown root:root /usr/bin/klaptop_acpi_helper
|
|
|
|
chmod 0755 /usr/bin/klaptop_acpi_helper
|