[Bug 428963] New: y2controlcenter-gnome error message when starting yast apps
https://bugzilla.novell.com/show_bug.cgi?id=428963

           Summary: y2controlcenter-gnome error message when starting yast apps
           Product: openSUSE 11.1
           Version: Factory
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: YaST2
        AssignedTo: bnc-team-screening@forge.provo.novell.com
        ReportedBy: michael.monreal@gmail.com
         QAContact: jsrain@novell.com
          Found By: ---

Every time I start the GNOME yast shell or any yast applet, I get an error message complaining about TCP and/or NFS locks. See screenshot.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=428963
User michael.monreal@gmail.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c1
--- Comment #1 from Michael Monreal
https://bugzilla.novell.com/show_bug.cgi?id=428963
Christoph Thiel
https://bugzilla.novell.com/show_bug.cgi?id=428963
Duncan Mac-Vicar
https://bugzilla.novell.com/show_bug.cgi?id=428963
User rpmcruz@alunos.dcc.fc.up.pt added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c2
Ricardo Cruz
https://bugzilla.novell.com/show_bug.cgi?id=428963
User michael.monreal@gmail.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c3
Michael Monreal
https://bugzilla.novell.com/show_bug.cgi?id=428963
User rpmcruz@alunos.dcc.fc.up.pt added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c4
Ricardo Cruz
https://bugzilla.novell.com/show_bug.cgi?id=428963
User michael.monreal@gmail.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c5
Michael Monreal
https://bugzilla.novell.com/show_bug.cgi?id=428963
User rpmcruz@alunos.dcc.fc.up.pt added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c6
Ricardo Cruz
https://bugzilla.novell.com/show_bug.cgi?id=428963
User sreeves@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c7
Scott Reeves
https://bugzilla.novell.com/show_bug.cgi?id=428963
User sreeves@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c8
Scott Reeves
https://bugzilla.novell.com/show_bug.cgi?id=428963
User michael.monreal@gmail.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c9
--- Comment #9 from Michael Monreal
https://bugzilla.novell.com/show_bug.cgi?id=428963
Ricardo Cruz
https://bugzilla.novell.com/show_bug.cgi?id=428963
User sreeves@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c10
Scott Reeves
https://bugzilla.novell.com/show_bug.cgi?id=428963
User jmmarton@gmail.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c11
Joseph Marton
https://bugzilla.novell.com/show_bug.cgi?id=428963
User rpmcruz@alunos.dcc.fc.up.pt added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c12
Ricardo Cruz
https://bugzilla.novell.com/show_bug.cgi?id=428963
JP Rosevear
https://bugzilla.novell.com/show_bug.cgi?id=428963
User mmeeks@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c13
Michael Meeks
https://bugzilla.novell.com/show_bug.cgi?id=428963
User mmeeks@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c14
Michael Meeks
https://bugzilla.novell.com/show_bug.cgi?id=428963
User mmeeks@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c15
--- Comment #15 from Michael Meeks
https://bugzilla.novell.com/show_bug.cgi?id=428963
User mmeeks@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c16
--- Comment #16 from Michael Meeks
https://bugzilla.novell.com/show_bug.cgi?id=428963
User sreeves@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c17
Scott Reeves
https://bugzilla.novell.com/show_bug.cgi?id=428963
User hpj@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c18
--- Comment #18 from Hans Petter Jansson
https://bugzilla.novell.com/show_bug.cgi?id=428963
User hpj@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c19
--- Comment #19 from Hans Petter Jansson
https://bugzilla.novell.com/show_bug.cgi?id=428963
Hans Petter Jansson
https://bugzilla.novell.com/show_bug.cgi?id=428963
User mmeeks@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c20
Michael Meeks
https://bugzilla.novell.com/show_bug.cgi?id=428963
User erik.putrycz@nrc-cnrc.gc.ca added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c21
--- Comment #21 from Erik Putrycz
https://bugzilla.novell.com/show_bug.cgi?id=428963
User hpj@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c22
--- Comment #22 from Hans Petter Jansson
https://bugzilla.novell.com/show_bug.cgi?id=428963
User mmeeks@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c23
--- Comment #23 from Michael Meeks
https://bugzilla.novell.com/show_bug.cgi?id=428963
User hpj@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c24
--- Comment #24 from Hans Petter Jansson
https://bugzilla.novell.com/show_bug.cgi?id=428963
User hpj@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c25
--- Comment #25 from Hans Petter Jansson
https://bugzilla.novell.com/show_bug.cgi?id=428963
User hpj@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c26
--- Comment #26 from Hans Petter Jansson
https://bugzilla.novell.com/show_bug.cgi?id=428963
User jpr@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c27
JP Rosevear
https://bugzilla.novell.com/show_bug.cgi?id=428963
User thoenig@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c28
Timo Hoenig
https://bugzilla.novell.com/show_bug.cgi?id=428963
User rpmcruz@alunos.dcc.fc.up.pt added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c29
--- Comment #29 from Ricardo Cruz
https://bugzilla.novell.com/show_bug.cgi?id=428963
User behlert@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c30
Stefan Behlert
https://bugzilla.novell.com/show_bug.cgi?id=428963
User behlert@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c31
--- Comment #31 from Stefan Behlert
https://bugzilla.novell.com/show_bug.cgi?id=428963
Stefan Behlert
https://bugzilla.novell.com/show_bug.cgi?id=428963
User jpr@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c32
--- Comment #32 from JP Rosevear
https://bugzilla.novell.com/show_bug.cgi?id=428963
User thoenig@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c33
Timo Hoenig
https://bugzilla.novell.com/show_bug.cgi?id=428963
User thoenig@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c34
--- Comment #34 from Timo Hoenig
https://bugzilla.novell.com/show_bug.cgi?id=428963
User hpj@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c37
--- Comment #37 from Hans Petter Jansson
https://bugzilla.novell.com/show_bug.cgi?id=428963
User behlert@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c38
--- Comment #38 from Stefan Behlert
https://bugzilla.novell.com/show_bug.cgi?id=428963
User behlert@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c39
Stefan Behlert
https://bugzilla.novell.com/show_bug.cgi?id=428963
User thoenig@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c40
--- Comment #40 from Timo Hoenig
https://bugzilla.novell.com/show_bug.cgi?id=428963
User behlert@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c42
--- Comment #42 from Stefan Behlert
https://bugzilla.novell.com/show_bug.cgi?id=428963
User behlert@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c43
--- Comment #43 from Stefan Behlert
https://bugzilla.novell.com/show_bug.cgi?id=428963
User thoenig@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c44
--- Comment #44 from Timo Hoenig
https://bugzilla.novell.com/show_bug.cgi?id=428963
User mistinie@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c45
Mihnea Istinie
https://bugzilla.novell.com/show_bug.cgi?id=428963
User thoenig@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c46
--- Comment #46 from Timo Hoenig
https://bugzilla.novell.com/show_bug.cgi?id=428963
User behlert@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c47
Stefan Behlert
https://bugzilla.novell.com/show_bug.cgi?id=428963
User jpr@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c49
JP Rosevear
https://bugzilla.novell.com/show_bug.cgi?id=428963
User jpr@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c50
JP Rosevear
https://bugzilla.novell.com/show_bug.cgi?id=428963
User sreeves@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c51
Scott Reeves
https://bugzilla.novell.com/show_bug.cgi?id=428963
User lnussel@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c52
Ludwig Nussel
https://bugzilla.novell.com/show_bug.cgi?id=428963
User thoenig@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c53
--- Comment #53 from Timo Hoenig
the fix looks
a) wrong b) dangerous
wrong because why should root access a user's session bus? What does root want to call there? Could it be that this is by accident and some gui su program calls su instead of su - therefore preserving DBUS_SESSION_BUS_ADDRESS?
dangerous because libdbus will autolaunch a session bus if there is none. In that case there are dbus-launch processes hanging around that expose the necessary arguments to reconstruct the session bus address. Therefore any user can gain access to the session bus.
Right, I didn't think about autolaunched session buses. As all this worked before I suspect some change in gnomesu -- however, the following works for me:

    $ cat print-session.sh && gnomesu ./print-session.sh
    #/bin/sh
    echo $DBUS_SESSION_BUS_ADDRESS
    unix:abstract=/tmp/dbus-lM4AAX8FVx,guid=9082ee69f365677be77a6f8f49057de7
https://bugzilla.novell.com/show_bug.cgi?id=428963
User lnussel@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c54
--- Comment #54 from Ludwig Nussel
https://bugzilla.novell.com/show_bug.cgi?id=428963
Stefan Behlert
https://bugzilla.novell.com/show_bug.cgi?id=428963
Stefan Behlert
https://bugzilla.novell.com/show_bug.cgi?id=428963
User jpr@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c55
--- Comment #55 from JP Rosevear
https://bugzilla.novell.com/show_bug.cgi?id=428963
User hpj@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c56
Hans Petter Jansson
https://bugzilla.novell.com/show_bug.cgi?id=428963
User thoenig@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c57
--- Comment #57 from Timo Hoenig
Re. wrong: User may want to run programs running as root in his session. We've had plenty of bugs on that previously.
We never had these reports for 11.0 or earlier. From my point of view I can assure there wasn't a change in D-Bus itself which would cause those *new* defects. We have to look somewhere else. The current patch for the session.conf hides the real problem. That is obviously not what we want. The real bug is, that the application launched via gnomesu is trying to access the session owner's session bus. The question is: Why does it want to access it? I'm in favor of un-setting DBUS_SESSION_BUS_ADDRESS on changing the user with gnomesu. By running anything which changes your identity (su $USER, gnomesu $APP, etc.) you're simply out of bounds of the current session.
Re. dangerous: I don't see how exactly this would happen. If dbus-launch exposes session auth details to everyone, wouldn't that be a bug in D-Bus?
IIRC this was being done on purpose. I'd have to dig in the list archives to find out more. But as we're currently hiding the real culprit with the patch for the session bus this doesn't matter anyway.
Like jpr, I also don't think this is a blocker. Lowering.
Judge it as you want, as soon as I drop the patch for the session bus from D-Bus -- which will happen for Beta 5 if there is no plausible rationale why this is the correct fix -- we're back at zero.
https://bugzilla.novell.com/show_bug.cgi?id=428963
User mmeeks@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c58
--- Comment #58 from Michael Meeks
Therefore any user can gain access to the session bus.
That sounds non-obvious to me. AFAICS the session bus is configured to only allow the owner of the session bus daemon to connect to it. We make a special exception for root (only). So - how is this dangerous ? Of course - one can imagine that user doing bad things to the app over the session bus (potentially), but similarly one can imagine sending it unexpected X messages too, or doing odd things to its root window, or simulating key-presses or ... Why is this any more dangerous than sharing the X connection ? connection auth is done by more than the shared cookie (surely) otherwise there would be no problem in the 1st instance :-)
https://bugzilla.novell.com/show_bug.cgi?id=428963
User thoenig@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c59
--- Comment #59 from Timo Hoenig
The thing that changed here seems to be that gconf is now using the session bus, and expects it to be there (for some reason), and if it is not moans verbosely.
I'd be interested to know the rationale behind "some reason".
We make a special exception for root (only). So - how is this dangerous ?
Could we please discuss this somewhere else? It just doesn't belong here. We have *new* issues which are not related to policy.
https://bugzilla.novell.com/show_bug.cgi?id=428963
User thoenig@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c60
--- Comment #60 from Timo Hoenig
https://bugzilla.novell.com/show_bug.cgi?id=428963
User hpj@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c61
--- Comment #61 from Hans Petter Jansson
(In reply to comment #56 from Hans Petter Jansson)
Re. wrong: User may want to run programs running as root in his session. We've had plenty of bugs on that previously.
We never had these reports for 11.0 or earlier. From my point of view I can assure there wasn't a change in D-Bus itself which would cause those *new* defects. We have to look somewhere else.
Well, we've had plenty of bugs on programs running as root in the user's session missing access to elements of said session, like the X display or the session manager.
The current patch for the session.conf hides the real problem. That is obviously not what we want.
The real bug is, that the application launched via gnomesu is trying to access the session owner's session bus.
The question is: Why does it want to access it?
The session bus is an important IPC mechanism for programs in the session. We can't predict all the ways in which it will be used (it looks like in this particular case it's being used to access the user's configuration database).
I'm in favor of un-setting DBUS_SESSION_BUS_ADDRESS on changing the user with gnomesu. By running anything which changes your identity (su $USER, gnomesu $APP, etc.) you're simply out of bounds of the current session.
It's not that clear-cut. The user needs to run programs as root on its current display, and the display is part of the session. The programs also need to talk to the session manager, e.g. so they can be told to quit when the session closes. There are other requirements, and I think the move to D-Bus as the session IPC mechanism (away from mechanisms like X display properties) will continue. The ideal fix here would be to adopt a security model that doesn't require you to become a different user in order to accomplish vital tasks - I'd be the first to admit that the "root" security model is broken - but insofar as we have to work within such a security model, we have to take a pragmatic approach.
Re. dangerous: I don't see how exactly this would happen. If dbus-launch exposes session auth details to everyone, wouldn't that be a bug in D-Bus?
IIRC this was being done on purpose. I'd have to dig in the list archives to find out more.
So wouldn't that mean that you can already hijack anyone's session bus? That doesn't stand to reason in my mind. I'm fairly certain a user's session bus is supposed to be secure from other users on the host :)
https://bugzilla.novell.com/show_bug.cgi?id=428963
User thoenig@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c62
--- Comment #62 from Timo Hoenig
The question is: Why does it want to access it?
The session bus is an important IPC mechanism for programs in the session. We can't predict all the ways in which it will be used (it looks like in this particular case it's being used to access the user's configuration database).
This is still *way* too unclear. Looks like I'll sit down and have a tête-à-tête with the gconf code tomorrow morning. Before I do so -- do we agree on fixing gconf in case it uses libdbus for something which isn't required? Otherwise I'll skip that involuntary task.
By running anything which changes your identity (su $USER, gnomesu $APP, etc.) you're simply out of bounds of the current session.
It's not that clear-cut. The user needs to run programs as root on its current display, and the display is part of the session. The programs also need to talk to the session manager, e.g. so they can be told to quit when the session closes. There are other requirements, and I think the move to D-Bus as the session IPC mechanism (away from mechanisms like X display properties) will continue.
We're leaving ground -- it's a definition depending on each individual's point of view. In my opinion the session bus is part of the session and I have yet to see the *functional* requirement that another session needs to access it. Even if it is the very same user. Note: I use the wording 'session' calling 'su' is starting a new one from my point of view.
The ideal fix here would be to adopt a security model that doesn't require you to become a different user in order to accomplish vital tasks
I didn't think that I'd write something like this today in this discussion. But here it is: I completely agree.
- I'd be the first to admit that the "root" security model is broken - but insofar as we have to work within such a security model, we have to take a pragmatic approach.
Well, we have PolicyKit in place. It seems that it isn't used in our case -- we fail.
Re. dangerous: I don't see how exactly this would happen. If dbus-launch exposes session auth details to everyone, wouldn't that be a bug in D-Bus?
IIRC this was being done on purpose. I'd have to dig in the list archives to find out more.
So wouldn't that mean that you can already hijack anyone's session bus? That doesn't stand to reason in my mind. I'm fairly certain a user's session bus is supposed to be secure from other users on the host :)
No. Because knowing DBUS_SESSION_BUS_ADDRESS isn't enough. The session policy forbids another user to connect to it -- and that is, what has been loosened with your patch.
https://bugzilla.novell.com/show_bug.cgi?id=428963
User thoenig@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c63
--- Comment #63 from Timo Hoenig
https://bugzilla.novell.com/show_bug.cgi?id=428963
User mmeeks@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c64
--- Comment #64 from Michael Meeks
Re. dangerous: I don't see how exactly this would happen.
nor me.
So wouldn't that mean that you can already hijack anyone's session bus? That doesn't stand to reason in my mind. I'm fairly certain a user's session bus is supposed to be secure from other users on the host :)
No. Because knowing DBUS_SESSION_BUS_ADDRESS isn't enough. The session policy forbids another user to connect to it -- and that is, what has been loosened with your patch.
Well - unless I'm mistaken we didn't commit the (frankly silly) <allow user="*" /> but we added the <allow user="root"/> - at least I hope we did. The latter allows *only* something that could easily happen anyway, and is inside the privilege envelope of the root account anyway. ie. if Root -really- wants to connect to a user's session bus, our advisory security can only stop him so far: he can just gdb to the session bus, tweak the setting & try again if necessary. ie. AFAICS <allow user="root"/> adds -no- new security hole - beyond this: that applications running as root -might- get a malformed D-BUS message from the session-bus (ie. the user), and -might- then do something bad. Since the user clearly knows the root password anyway - this is something we have to just live with. So - again; where is the security problem ? I really, really don't see it.
https://bugzilla.novell.com/show_bug.cgi?id=428963
User thoenig@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c65
--- Comment #65 from Timo Hoenig
Well - unless I'm mistaken we didn't commit the (frankly silly) <allow user="*" /> but we added the <allow user="root"/> - at least I hope we did.
Yes.
The latter allows *only* something that could easily happen anyway, and is inside the privilege envelope of the root account anyway. ie. if Root -really- wants to connect to a user's session bus, our advisory security can only stop him so far: he can just gdb to the session bus, tweak the setting & try again if necessary.
ie. AFAICS <allow user="root"/> adds -no- new security hole - beyond this: that applications running as root -might- get a malformed D-BUS message from the session-bus (ie. the user), and -might- then do something bad. Since the user clearly knows the root password anyway - this is something we have to just live with.
So - again; where is the security problem ? I really, really don't see it.
___I'm not discussing the security or policy issues.___ I've mentioned it before (c.f. comment #59). Anyway, I'm currently working on finding a fix for the root cause. First findings: As expected, we're hiding the real issue with the session bus patch.

- y2cc-g runs as root (gnomesu via slab)
- y2controlcenter-gnome accesses gconf -- fine.
- it is accessing gconf keys (e.g. /desktop/gnome/applications/main-menu/upgrade_package_command) -- routed to the session owner's gconf instance - bang

Imagine you're doing this twice

- First run starting from session owned by Alice
- Second run starting from session owned by Bob

Depending on $HOME/.gconf/* of Alice and Bob you'll get different results for the gconf key. Not really what I'd be expecting if I run something as root. Let me know if I'm missing something -- I'm still working on this by sense of duty -- not profession; unfamiliar fields for someone who's not a gconf/y2cc-g/g* expert.
https://bugzilla.novell.com/show_bug.cgi?id=428963
User lnussel@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c66
--- Comment #66 from Ludwig Nussel
Well - unless I'm mistaken we didn't commit the (frankly silly) <allow user="*" /> but we added the <allow user="root"/> - at least I hope we did.
There's no real immediate security problem then. As Timo pointed out, having root access the session dbus may have unexpected side effects though. gnomesu really should clean the environment and only pass selected variables through, just like su -.
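
The allowlist approach suggested in comment #66 (clean the environment and pass only selected variables through, like su -), sketched in C as an added example; it is not gnomesu's code or the patch submitted for this bug. The allowlist contents, the PATH value and all function names are assumptions made for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed allowlist for this example: DISPLAY and XAUTHORITY stay so the
 * root program can still reach the user's X display, which the thread says
 * is required. DBUS_SESSION_BUS_ADDRESS is deliberately absent. */
static const char *const ENV_ALLOWLIST[] = {
    "DISPLAY", "XAUTHORITY", "TERM", "LANG", NULL
};

/* Return 1 if `entry` is "NAME=value" with exactly the name `name`. */
static int entry_has_name(const char *entry, const char *name)
{
    size_t n = strlen(name);
    return strncmp(entry, name, n) == 0 && entry[n] == '=';
}

/* Value of the first entry named `name`, or NULL. Entries without '='
 * never match, so malformed input is ignored rather than copied. */
const char *env_lookup(char *const env[], const char *name)
{
    for (size_t i = 0; env != NULL && env[i] != NULL; i++)
        if (entry_has_name(env[i], name))
            return env[i] + strlen(name) + 1;
    return NULL;
}

void free_env(char **env)
{
    for (size_t i = 0; env != NULL && env[i] != NULL; i++)
        free(env[i]);
    free(env);
}

/* Append a freshly allocated "name=value" entry; -1 on allocation failure. */
static int push(char **out, size_t *n, const char *name, const char *value)
{
    size_t len = strlen(name) + strlen(value) + 2;
    char *e = malloc(len);
    if (e == NULL)
        return -1;
    snprintf(e, len, "%s=%s", name, value);
    out[(*n)++] = e;
    return 0;
}

/* Build the environment for the target user from scratch. Identity
 * variables are set from the target account, never inherited; everything
 * else is dropped unless allowlisted. Looking up by allowlist name (rather
 * than filtering the input) also keeps only the first of duplicate names. */
char **build_clean_env(char *const in[], const char *home, const char *user)
{
    /* 4 fixed entries + allowlist entries + terminating NULL */
    size_t cap = 4 + sizeof ENV_ALLOWLIST / sizeof ENV_ALLOWLIST[0];
    char **out = calloc(cap, sizeof *out);
    size_t n = 0;
    int rc = 0;

    if (out == NULL)
        return NULL;
    rc |= push(out, &n, "HOME", home);
    rc |= rc ? rc : push(out, &n, "USER", user);
    rc |= rc ? rc : push(out, &n, "LOGNAME", user);
    rc |= rc ? rc : push(out, &n, "PATH", "/usr/sbin:/usr/bin:/sbin:/bin");
    for (size_t a = 0; rc == 0 && ENV_ALLOWLIST[a] != NULL; a++) {
        const char *val = env_lookup(in, ENV_ALLOWLIST[a]);
        if (val != NULL)
            rc = push(out, &n, ENV_ALLOWLIST[a], val);
    }
    if (rc != 0) {          /* allocation failed part-way: hand back nothing */
        free_env(out);
        return NULL;
    }
    return out;             /* calloc left out[n] == NULL as terminator */
}

int main(void)
{
    /* Constructed sample of what a desktop session might export. */
    char *const session_env[] = {
        "HOME=/home/alice",
        "DISPLAY=:0",
        "XAUTHORITY=/home/alice/.Xauthority",
        "DBUS_SESSION_BUS_ADDRESS=unix:abstract=/tmp/dbus-EXAMPLE",
        NULL
    };
    char **clean = build_clean_env(session_env, "/root", "root");
    if (clean == NULL)
        return 1;
    for (size_t i = 0; clean[i] != NULL; i++)
        puts(clean[i]);
    /* A launcher would now pass `clean` as envp to execve(). */
    free_env(clean);
    return 0;
}
```
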
https://bugzilla.novell.com/show_bug.cgi?id=428963
User thoenig@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c67
--- Comment #67 from Timo Hoenig
https://bugzilla.novell.com/show_bug.cgi?id=428963
User mmeeks@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c69
--- Comment #69 from Michael Meeks
https://bugzilla.novell.com/show_bug.cgi?id=428963
User jpr@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c70
JP Rosevear
https://bugzilla.novell.com/show_bug.cgi?id=428963
User thoenig@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c71
--- Comment #71 from Timo Hoenig
https://bugzilla.novell.com/show_bug.cgi?id=428963
User thoenig@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c72
--- Comment #72 from Timo Hoenig
https://bugzilla.novell.com/show_bug.cgi?id=428963
User vuntz@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c73
--- Comment #73 from Vincent Untz
https://bugzilla.novell.com/show_bug.cgi?id=428963
User thoenig@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c74
--- Comment #74 from Timo Hoenig
This might have some interesting side-effects for the look and feel...
Please elaborate on this. I have seen zero difference compared to the previous workaround.
https://bugzilla.novell.com/show_bug.cgi?id=428963
User vuntz@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c75
--- Comment #75 from Vincent Untz
https://bugzilla.novell.com/show_bug.cgi?id=428963
User thoenig@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c76
--- Comment #76 from Timo Hoenig
Because the patch only hides the error, and it doesn't change the behavior.
It doesn't hide anything. Did you understand the patch?
https://bugzilla.novell.com/show_bug.cgi?id=428963
User vuntz@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c77
--- Comment #77 from Vincent Untz
(In reply to comment #75 from Vincent Untz)
Because the patch only hides the error, and it doesn't change the behavior.
It doesn't hide anything. Did you understand the patch?
Hrm, my bad. My second test still had the dbus-1 change, so I was not seeing gconfd running as root. Doing too many things at once.
https://bugzilla.novell.com/show_bug.cgi?id=428963
User taril_laszlo@yahoo.co.uk added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c78
--- Comment #78 from Laszlo Tari
https://bugzilla.novell.com/show_bug.cgi?id=428963
User thoenig@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c79
--- Comment #79 from Timo Hoenig
https://bugzilla.novell.com/show_bug.cgi?id=428963
User taril_laszlo@yahoo.co.uk added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c80
--- Comment #80 from Laszlo Tari
https://bugzilla.novell.com/show_bug.cgi?id=428963
User vuntz@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c81
--- Comment #81 from Vincent Untz
https://bugzilla.novell.com/show_bug.cgi?id=428963
User thoenig@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c82
--- Comment #82 from Timo Hoenig
https://bugzilla.novell.com/show_bug.cgi?id=428963
User thoenig@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c83
Timo Hoenig
https://bugzilla.novell.com/show_bug.cgi?id=428963
User behlert@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c84
Stefan Behlert
https://bugzilla.novell.com/show_bug.cgi?id=428963
User jpr@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c85
JP Rosevear
https://bugzilla.novell.com/show_bug.cgi?id=428963
User jpr@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c86
--- Comment #86 from JP Rosevear
Let's go with 3). This should affect only the control-center and the slab. And it should be doable until Friday
Not sure about this - gnomesu is triggered by X-KDE-SubstituteUID=true, so gnome-cc and main-menu is the wrong spot to fix this.
https://bugzilla.novell.com/show_bug.cgi?id=428963
User thoenig@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c87
--- Comment #87 from Timo Hoenig
https://bugzilla.novell.com/show_bug.cgi?id=428963
User vuntz@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c88
--- Comment #88 from Vincent Untz
https://bugzilla.novell.com/show_bug.cgi?id=428963
User thoenig@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c89
--- Comment #89 from Timo Hoenig
https://bugzilla.novell.com/show_bug.cgi?id=428963
User behlert@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c90
Stefan Behlert
https://bugzilla.novell.com/show_bug.cgi?id=428963
User jpr@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c91
--- Comment #91 from JP Rosevear
https://bugzilla.novell.com/show_bug.cgi?id=428963
User lnussel@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c92
Ludwig Nussel
https://bugzilla.novell.com/show_bug.cgi?id=428963
User thoenig@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c93
--- Comment #93 from Timo Hoenig
https://bugzilla.novell.com/show_bug.cgi?id=428963
User jpr@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c95
JP Rosevear
https://bugzilla.novell.com/show_bug.cgi?id=428963
User taril_laszlo@yahoo.co.uk added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c96
--- Comment #96 from Laszlo Tari
https://bugzilla.novell.com/show_bug.cgi?id=428963
User vuntz@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c97
Vincent Untz
Here it goes:
(6) let gnomesu unset DBUS_SESSION_BUS_ADDRESS
Done, submitted to oS:F (#3534).
https://bugzilla.novell.com/show_bug.cgi?id=428963
User thoenig@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c98
--- Comment #98 from Timo Hoenig
https://bugzilla.novell.com/show_bug.cgi?id=428963
User vuntz@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c99
Vincent Untz
https://bugzilla.novell.com/show_bug.cgi?id=428963
User aorlovskyy@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c100
Alexander Orlovskyy
https://bugzilla.novell.com/show_bug.cgi?id=428963
User mrashmiranjan@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c101
Rashmi Ranjan Mohanty
https://bugzilla.novell.com/show_bug.cgi?id=428963
User vuntz@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c102
--- Comment #102 from Vincent Untz
Vincent, is this issue completely resolved ? (I can't mark NEEDINFO on a closed bug. So consider this as NEEDINFO)
In SLED11-RC1 as well as openSuSE 11.1, when I login as a normal user, open a terminal, do su (no '-') and open yast2, I still get the error. However if I do 'su -', then I don't get any error on opening yast2. Also no error while opening yast2 from menu.
That's expected: "su" will get the error but not "su -". "su" doesn't clear the environment variables.
https://bugzilla.novell.com/show_bug.cgi?id=428963
User vuntz@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c103
Vincent Untz
https://bugzilla.novell.com/show_bug.cgi?id=428963
User sbahling@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c104
Scott Bahling