kdesudo+dolphin leads to command execution vulnerability

Bug #163417 reported by John Dong
Affects           Status        Importance  Assigned to  Milestone
dolphin (Ubuntu)  Invalid       Medium      Martin Böhm  -
kdesudo (Ubuntu)  Fix Released  Undecided   Unassigned   -
(both nominated for Gutsy by John Dong)

Bug Description

Binary package hint: kdesudo

It is not clear whether or not this defect is in kdesudo or dolphin, but I will mark both and let you guys decide.

STEPS:

(1) In dolphin, create a folder called: "test; konqueror" (without quotes)
(2) Right click it, under Actions, choose run as root

WHAT HAPPENS:
(1) Dolphin opens folder "test" as root
(2) Konqueror, after a few seconds, pops up, running as root

EXPECTED BEHAVIOR:
Dolphin should just pop up navigated to the "test; konqueror" folder as root.

This allows folder names to be crafted in a way that causes an unexpected command to be executed with elevated privileges when the user simply wants to navigate to that folder with elevated privileges.

In IRC, fdoving and I tried various combinations of quoting the %u and kdesu arguments in /usr/share/apps/d3lphin/servicemenus/d3lphin_su.desktop but I found that every attempted workaround could be thwarted by the proper use of ", ', and `.

The basic problem is that kdesu should not be interpreting its arguments as shell code, or dolphin should be shell-escaping its arguments before feeding to kdesu.
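
To make the report's two workarounds and the two proposed fixes concrete, here is an added demonstration (not code from the report, d3lphin or kdesu) that models a shell-interpreting privileged helper with `sh -c`, substitutes constructed folder names the way `%u` is substituted in the .desktop file, and compares bare substitution, naive double-quoting, proper shell-escaping, and passing the name as an argument rather than as code. `echo INJECTED` stands in for the report's second command so the demo runs harmlessly offline.

```python
import shlex
import subprocess

# Constructed folder names in the shape the report describes. "echo INJECTED"
# stands in for the report's second command ("konqueror") so nothing unexpected
# is launched; the last three names carry the ", ` and ' that the reporter says
# defeat every quoting variant of the .desktop file.
SAMPLE_NAMES = [
    "test",
    "New Folder",
    "test; echo INJECTED",
    'test"; echo INJECTED; echo "',
    "test`echo INJECTED`",
    "test'; echo INJECTED; echo '",
]


def run_via_shell(cmdline):
    """Stand-in for a helper that, like kdesu in the report, hands its whole
    argument string to /bin/sh. Returns the words the shell printed."""
    out = subprocess.run(["sh", "-c", cmdline], capture_output=True, text=True)
    return out.stdout.splitlines()


def unquoted_command(folder):
    """The original %u substitution: the folder name is spliced in bare, so
    spaces split it and ';' starts a second command."""
    return 'printf "%s\\n" dolphin ' + folder


def naive_quoted_command(folder):
    """The workaround tried in the report: wrap %u in double quotes. Fixes
    'New Folder', but ", ` and $ are still interpreted inside double quotes."""
    return 'printf "%s\\n" dolphin "' + folder + '"'


def escaped_command(folder):
    """Shell-escape the substituted value (what the thread asks d3lphin to do).
    shlex.quote single-quotes it and rewrites embedded single quotes."""
    return "printf '%s\\n' dolphin " + shlex.quote(folder)


def run_as_argv(folder):
    """The other fix the thread asks for: never let the name reach the shell
    parser at all. It is passed as a positional parameter, not as code."""
    out = subprocess.run(["sh", "-c", 'printf "%s\\n" "$@"', "sh", "dolphin", folder],
                         capture_output=True, text=True)
    return out.stdout.splitlines()
```

Only the last two variants return `["dolphin", folder]` for every sample name; the bare and double-quoted forms let a `;` or backtick in the name run `echo INJECTED`.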

Revision history for this message
Matthew Flaschen (matthew-flaschen) wrote :

Since the other bug was marked as a dup of this, I'll note again that you can fix accidental manifestations of this problem (e.g. a folder called New Folder) by quoting the %u in d3lphin_su, but that won't stand up to deliberate attacks.

John Dong (jdong) wrote :

Right, as I noted in the original description various escaping of the argument in the .desktop file fixes it for some filenames but still breaks for other file names, and is definitely open to intentional attacks. The real fix needs to be done in some more solid way...

I am thinking whether or not kdesu should just shell-escape its arguments. Kdesu should also have something similar to the GNU -- option to stop parsing for parameters and assume everything after -- is one large parameter. Is there any real usecase for kdesu taking in bourne shell syntax?

Matthew Flaschen (matthew-flaschen) wrote :

I think there is. I think this is a problem with d3lphin, not with kdesu. Kdesu should be able to run arbitrary command-lines, just like sudo can. The problem here is that d3lphin isn't doing proper escaping before passing to kdesu. It should quote the "%u" as well as escaping any instances of ' to \' and " to \".

Martin Böhm (martin.bohm) wrote :

The question is: Do we want kdesudo to treat a command like this:

kdesudo "konqueror ;dolphin"

as two commands, or rather treat it as a parameter to the first command, i.e. konqueror? Does the user *really* want to launch dolphin after konqueror, or does he rather want to open the folder called ";dolphin" with Konqueror?

So I wouldn't blame D3lphin yet. I can fix it so that it will prefix the "Run as root" command properly, but the implications of this bug go further than this.

Martin Böhm (martin.bohm) wrote :

Thank you for reporting this bug. If you insist that it is a KDE3 Dolphin's fault, please specify the wrong steps that KDE3 Dolphin takes. Thank you.

Changed in dolphin:
assignee: nobody → martin.bohm
importance: Undecided → Medium
status: New → Incomplete
Matthew Flaschen (matthew-flaschen) wrote :

I think kdesu needs to operate exactly the same way as sudo. I now see that's not the case yet. Your example shows one of the problems.

Here is the output from sudo and kdesu:

sudo "konqueror; dolphin"
sudo: konqueror; dolphin: command not found

kdesu "konqueror; dolphin"

Launches konqueror, then dolphin after konqueror closes. This is a concrete problem that should be fixed in kdesu. However, kdesu should be made to interpret "konqueror; dolphin" (a quoted string) as a single command, the way sudo does.

Anthony Mercatante (tonio) wrote :

kdesudo (1.3-0ubuntu1) hardy; urgency=low

  * New upstream release. Closes LP: #163417

 -- Anthony Mercatante <email address hidden> Mon, 19 Nov 2007 20:36:49 +0100

Changed in kdesudo:
status: New → Fix Released
Matthew Flaschen (matthew-flaschen) wrote :

The bug shouldn't be closed, because this is still an issue in Gutsy.

Guillaume Martres (smarter) wrote :

I don't think this bug should be marked as a security vulnerability because kdesudo asks for the admin password, and if you know it you can just use ALT+F2.

John Dong (jdong) wrote :

No. It is most certainly a security vulnerability.

(1) Opening a folder as root should NEVER EVER open the wrong folder, then execute a part of the folder name as a command under root.
(2) kdesudo will not prompt the user for a password (and hence allow the user to review the command) if the user has within the past 15 minutes opened something else as root.
(3) We should not assume, even if said dialog comes up, that the user has enough shell-code knowledge to identify an escape.

Frode M. Døving (frode) wrote :

And kdesudo is the problem, not dolphin/d3lphin.

John Dong (jdong) wrote :

I agree with the above that this is not a dolphin defect.

Changed in dolphin:
status: Incomplete → Invalid
This report contains Public Security information.
Everyone can see this security related information.