https://bugzilla.novell.com/show_bug.cgi?id=825262 https://bugzilla.novell.com/show_bug.cgi?id=825262#c Marcus Meissner changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |meissner@suse.com Summary|Security Review requested |AUDIT-0: nepomuk: Security |due to |Review requested due to |suse-dbus-unauthorized-serv |suse-dbus-unauthorized-serv |ice, |ice, |polkit-untracked-privilege |polkit-untracked-privilege |and |and |polkit-cant-acquire-privile |polkit-cant-acquire-privile |ge |ge -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=825262 https://bugzilla.novell.com/show_bug.cgi?id=825262#c2 Marcus Meissner changed: What |Removed |Added ---------------------------------------------------------------------------- Priority|P3 - Medium |P2 - High Severity|Minor |Major --- Comment #2 from Marcus Meissner 2013-06-21 01:31:30 UTC --- dbus service review blocks kde submission, so raise priority (i think minor was not intended) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=825262 https://bugzilla.novell.com/show_bug.cgi?id=825262#c4 --- Comment #4 from Raymond Wooninck 2013-06-27 10:50:11 UTC --- At this moment the review of nepomuk-core and kdebase4-workspace are holding back the submission of KDE 4.11 Beta 1 (and future releases) to Factory. Due to this we wouldn't really be able to fix any KDE issues in Factory either as that the development repository has already been switched to KDE 4.11 Beta 1. By the end of this week, we will upload Beta 2 into the development repository. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=825262 https://bugzilla.novell.com/show_bug.cgi?id=825262#c6 --- Comment #6 from Marcus Meissner 2013-07-03 16:19:49 UTC --- our main auditor (Sebastian) has different duties this month and also vacation. :/ I will see what we can do -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=825262 https://bugzilla.novell.com/show_bug.cgi?id=825262#c8 --- Comment #8 from Thomas Biege 2013-07-04 09:09:11 CEST --- (In reply to comment #5)

Any update on this bug request ? As indicated we have Beta 2 now in KDF, but still not able to submit it to Factory.

Just go ahead, green light from us at the moment. We will review it and if it causes trouble we will let you know. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=825262 https://bugzilla.novell.com/show_bug.cgi?id=825262#c9 --- Comment #9 from Marcus Meissner 2013-07-04 07:39:32 UTC --- (temporary whitelisted in rpmlint/config) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=825262 https://bugzilla.novell.com/show_bug.cgi?id=825262#c11 --- Comment #11 from Alexander Bergmann 2013-07-08 16:18:52 UTC --- We have two parts here that need to be evaluated. 1. New dbus service "org.kde.nepomuk.filewatch". 2. New PolicyKit rule "org.kde.nepomuk.filewatch.raiselimit" 1. A new dbus system service is introduced with nepomuk-core. This system service allows the execution of kde_nepomuk_filewatch_raiselimit that is also part of nepomuk-core. Inside the FileWatchHelper::raiselimit function inside raiselimit.cpp it doubles the value in /proc/sys/fs/inotify/max_user_watches and sets/replaces this value in /etc/sysctl.d/97-kde-nepomuk-filewatch-inotify.conf to be reboot persistent. 2. The PolicyKit is used to have an upstruction layer between the user session and the FileWatchHelper::raiselimit function. An unprivileged user account can therefore gain the privilege to raise the max_user_watches for the system. For this the user has to authenticate as admin (root). org.kde.nepomuk.filewatch.raiselimit no:no:auth_admin_keep All functions are programmed straight forward. So there is no security impact. Therefore the changes in polkit-default-privs and rpmlint can be marked as valid and can be set permanently. polkit-default-privs.changes: - track nepomuk rights (bnc#825262) rpmlint.changes: - allow nepomuk helpers temporary without full audit (bnc#825262) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=825262 https://bugzilla.novell.com/show_bug.cgi?id=825262#c13 Marcus Meissner changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED --- Comment #13 from Marcus Meissner 2013-11-05 09:23:53 UTC --- done i think -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.