COMMAND

    KDE

SYSTEMS AFFECTED

    Linux running KDE 3 beta (others?)

PROBLEM

    Tudor Bosman found the following.  When using shadow passwords, the
    K Desktop Environment screen savers must be setuid root (in order to
    access /etc/shadow).  However, they never drop root privileges.  When
    starting, they create the file .kss.pid in the home directory as
    root, following symbolic links.  As a result,

        ln -s /etc/shadow ~/.kss.pid

    will cause /etc/shadow to be overwritten.
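
    The symlink-following write described above, next to a creation
    pattern that refuses to follow links. This is an added example, not
    KDE code: the function names and scratch paths are hypothetical, and
    the hardened variant goes beyond the patch below by complementing
    the privilege drop rather than replacing it.

```c
#define _POSIX_C_SOURCE 200809L
/* Added example: hypothetical names, constructed scratch paths under /tmp. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* The pattern described above: create/truncate follows a symlink at path. */
static int write_pid_unsafe(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    dprintf(fd, "%ld\n", (long)getpid());
    return close(fd);
}

/* Hardened: unlink() removes the link itself, never its target; then
 * O_EXCL|O_NOFOLLOW makes open() fail if a link is planted in between. */
static int write_pid_safe(const char *path) {
    if (unlink(path) != 0 && errno != ENOENT) return -1;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    dprintf(fd, "%ld\n", (long)getpid());
    return close(fd);
}

/* Plants .kss.pid -> victim in a scratch dir; returns 1 if victim changed. */
int victim_clobbered(int use_safe) {
    char dir[] = "/tmp/kssdemoXXXXXX", victim[64], pid[64], buf[16] = {0};
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(pid, sizeof pid, "%s/.kss.pid", dir);
    FILE *f = fopen(victim, "w");
    if (!f) return -1;
    fputs("KEEP", f); fclose(f);
    if (symlink(victim, pid) != 0) return -1;
    if ((use_safe ? write_pid_safe : write_pid_unsafe)(pid) != 0) return -1;
    f = fopen(victim, "r");
    if (!f) return -1;
    fgets(buf, sizeof buf, f); fclose(f);
    unlink(pid); unlink(victim); rmdir(dir);
    return strcmp(buf, "KEEP") != 0;
}

int main(void) {
    printf("unsafe clobbered=%d\n", victim_clobbered(0));
    printf("safe clobbered=%d\n", victim_clobbered(1));
    return 0;
}
```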

SOLUTION

    A short patch:

    diff -c kscreensaver.orig/main.cpp kscreensaver/main.cpp
    *** kscreensaver.orig/main.cpp  Fri Feb  6 19:23:07 1998
    --- kscreensaver/main.cpp       Fri Feb  6 19:30:13 1998
    ***************
    *** 289,294 ****
    --- 289,298 ----

            initPasswd();

    +       // this makes use of the POSIX saved UIDs feature, available
    +       // in current Linux versions -- tudorb@caltech.edu
    +       setuid (getuid ());
    +
            if ( mode == MODE_INSTALL )
            {
             if (!canGetPasswd) {
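
    Review bot: the return value of "setuid (getuid ());" is discarded,
    so if the call fails the screen saver carries on as root and still
    creates .kss.pid with root privileges. Check the result and bail out
    on failure, for example "if (setuid(getuid()) != 0) exit(1);". The
    comment above the call is also misleading: when the effective UID is
    root, setuid() resets the real, effective and saved UIDs together, so
    the drop is permanent and nothing is kept in the saved UID; the
    comment should say that instead.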