[Bug 971580] New: polkit-default-privs.standard is too restrictive for FirewallD
http://bugzilla.suse.com/show_bug.cgi?id=971580

Bug ID: 971580
Summary: polkit-default-privs.standard is too restrictive for FirewallD
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: 2015*
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: mchandras@suse.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Hi,

commit 930ad4431ef640a38523e26ff29918ba14089d23 [1] overrides the FirewallD polkit actions but the .standard variant is similar to .restrictive so FirewallD is locked down even on normal desktop operation. In my opinion this is probably a mistake. Would you consider mirroring the .standard file to the /usr/share/polkit-1/actions/org.fedoraproject.FirewallD1.desktop.policy as provided by firewalld? I can submit a PR myself but I would like to know why this decision was made (in bnc#907625) before I create one.

[1] https://github.com/openSUSE/polkit-default-privs/commit/930ad4431ef640a38523...

--
You are receiving this mail because:
You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=971580#c3
Markos Chandras
This was by intention. Accessing firewall rules may not be something for the average user. What's wrong with entering admin credentials when doing so? Which rules in particular do you want to have relaxed for .standard?
Hi Sebastian,

If you compare the 'desktop' and 'server' polkit files as provided by the firewalld package you will see that they only differ in the *.info actions (e.g. org.fedoraproject.FirewallD1.policies.info). The desktop file is far more relaxed in allowing users to obtain the current configuration without authentication. Altering the configuration needs authentication of course. I can provide the diff between these two files if needed.

This will affect desktop users using NetworkManager in the future (currently firewalld is disabled in our NM builds) because it means that whenever you edit or query a network connection for your user session you will have to gain extra privileges in order for NM to talk to firewalld via dbus to obtain the zone for the network interface. I think this is not very user friendly for desktop environments.

For what it's worth, Fedora (I am mentioning Fedora because it's been using firewalld as default for a while) also uses the desktop polkit file in the workstation builds so querying the firewall as a user is allowed there. My understanding is that the restrictive file targets secure environments (servers, secured workstations etc) and the standard one targets home-based environments so the current behavior is probably not very user friendly for regular users.
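Added example, not part of the bug thread and not code from firewalld or polkit-default-privs: a way to check the claim above that two polkit policy files differ only in the `*.info` actions. The sample XML is constructed for illustration (its rule values are assumptions, not the shipped files), and `diff_policies` and `unexpected_differences` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET

FIELDS = ("allow_any", "allow_inactive", "allow_active")

def parse_defaults(xml_text):
    """Map each polkit action id to its (allow_any, allow_inactive, allow_active)."""
    actions = {}
    for action in ET.fromstring(xml_text).iter("action"):
        defaults = action.find("defaults")
        actions[action.get("id")] = tuple(
            (defaults.findtext(f, "(unset)") if defaults is not None else "(unset)").strip()
            for f in FIELDS)
    return actions

def diff_policies(server_xml, desktop_xml):
    """Return {action_id: (server_defaults, desktop_defaults)} where the two differ."""
    server, desktop = parse_defaults(server_xml), parse_defaults(desktop_xml)
    return {aid: (server.get(aid), desktop.get(aid))
            for aid in sorted(set(server) | set(desktop))
            if server.get(aid) != desktop.get(aid)}

def unexpected_differences(diff):
    """Differing actions outside the read-only *.info set deserve a manual review."""
    return [aid for aid in diff if not aid.endswith(".info")]

def _sample(info_rule):
    # Constructed sample, not the shipped firewalld files:
    # one query (*.info) action and one configuration-changing action.
    rules = {"org.fedoraproject.FirewallD1.policies.info": info_rule,
             "org.fedoraproject.FirewallD1.config": "auth_admin_keep"}
    body = "".join(
        f'<action id="{aid}"><defaults>'
        + "".join(f"<{f}>{rule}</{f}>" for f in FIELDS)
        + "</defaults></action>" for aid, rule in rules.items())
    return f"<policyconfig>{body}</policyconfig>"

SERVER_XML = _sample("auth_admin_keep")   # constructed "server"-style policy
DESKTOP_XML = _sample("yes")              # constructed "desktop"-style policy

if __name__ == "__main__":
    diff = diff_policies(SERVER_XML, DESKTOP_XML)
    for aid, (srv, desk) in diff.items():
        print(f"{aid}: server={srv} desktop={desk}")
    print("non-info differences:", unexpected_differences(diff) or "none")
```

To run it against real files, pass the contents of the two `.policy` files to `diff_policies` instead of the constructed strings.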
http://bugzilla.suse.com/show_bug.cgi?id=971580#c6
--- Comment #6 from Sebastian Krahmer
http://bugzilla.suse.com/show_bug.cgi?id=971580#c7
--- Comment #7 from Markos Chandras
Please find
https://github.com/openSUSE/polkit-default-privs/commit/e1d4152682fd89d234070341798403d29a1e3949
That should work? New polkit-default-privs packages should not be necessary by now?
Yes, that works. Thank you.