On 7/3/20 1:57 PM, ToddAndMargo via users wrote:
On 2020-07-03 13:07, Samuel Sieb wrote:
> On 7/3/20 12:53 PM, ToddAndMargo via users wrote:
>> Oh of interest, Xfce Pol kit has a YUGE security hole that I
>> reported a while back that has yet to be addressed:
>>
>> xfce pol kit lets others sneak in
>>
https://github.com/ncopa/xfce-polkit/issues/5
>
> That's not a huge security hole and it doesn't let others sneak in
> unless they have access to your user for some reason. That's also
> standard behaviour for sudo.
So basically, if I enter the root password once into the
pol kit, the pol kit allows me to run as many more
root only commands as a stand user as I want for the
next two minutes.
How in the world is that not a security hole?
Why would it be? You just authenticated yourself. Why is it a problem
to let you stay authenticated for a few minutes? What do you think
could happen?