[Bug 650401] New: GNOME Power Manager: Wants root access to change laptop brightness
https://bugzilla.novell.com/show_bug.cgi?id=650401 https://bugzilla.novell.com/show_bug.cgi?id=650401#c0 Summary: GNOME Power Manager: Wants root access to change laptop brightness Classification: openSUSE Product: openSUSE 11.4 Version: Factory Platform: x86-64 OS/Version: SuSE Other Status: NEW Severity: Normal Priority: P5 - None Component: GNOME AssignedTo: bnc-team-gnome@forge.provo.novell.com ReportedBy: r.seete@gmail.com QAContact: qa@suse.de Found By: --- Blocker: --- User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-gb) AppleWebKit/534.7+ (KHTML, like Gecko) Version/5.0 Safari/534.7+ SUSE/11.4 (2.30.6-4.1) Epiphany/2.30.6 GNOME opens an authentication window for an action that should not require root access (changing brightness on a laptop). Reproducible: Always Steps to Reproduce: 1. Log in to GNOME desktop 2. Attempt to change laptop screen brightness 3. Actual Results: Brightness changes, but a window opens claiming: "Authentication is required to modify the laptop brightness" Command: /usr/sbin/gnome-power-backlight-helper --set-brightness xx Run As: Super User (root) Action: org.gnome.power.backlight-helper Vendor: GNOME Power Manager Expected Results: Change brightness without invoking a policykit authentication window. In an install of M2 (updated to recent factory) the window is persistent. Using a recent GNOME Live CD (build 826), the window quickly flashes on screen and then closes. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=650401
https://bugzilla.novell.com/show_bug.cgi?id=650401#c1
Vincent Untz
https://bugzilla.novell.com/show_bug.cgi?id=650401
https://bugzilla.novell.com/show_bug.cgi?id=650401#c
Gabriel Burt
https://bugzilla.novell.com/show_bug.cgi?id=650401
https://bugzilla.novell.com/show_bug.cgi?id=650401#c2
Gabriel Burt
https://bugzilla.novell.com/show_bug.cgi?id=650401
https://bugzilla.novell.com/show_bug.cgi?id=650401#c3
Ludwig Nussel
https://bugzilla.novell.com/show_bug.cgi?id=650401
https://bugzilla.novell.com/show_bug.cgi?id=650401#c4
JP Rosevear
https://bugzilla.novell.com/show_bug.cgi?id=650401
https://bugzilla.novell.com/show_bug.cgi?id=650401#c5
--- Comment #5 from JP Rosevear
https://bugzilla.novell.com/show_bug.cgi?id=650401
https://bugzilla.novell.com/show_bug.cgi?id=650401#c6
Herman Oosthuysen
https://bugzilla.novell.com/show_bug.cgi?id=650401
https://bugzilla.novell.com/show_bug.cgi?id=650401#c7
--- Comment #7 from Herman Oosthuysen
I also see it and the same thing happens when you change the hard disk spin down time in the Gnome power savings mode with Gconf. It causes a pop-up at boot time. It is probably all related, so I don't want to open a new bug report for this one.
Bah - I also get two more pop-ups when I try to connect to a WiFi access point with the network manager thingy. This is a really annoying user experience. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=650401
https://bugzilla.novell.com/show_bug.cgi?id=650401#c8
--- Comment #8 from Herman Oosthuysen
https://bugzilla.novell.com/show_bug.cgi?id=650401
https://bugzilla.novell.com/show_bug.cgi?id=650401#c9
--- Comment #9 from Ludwig Nussel
https://bugzilla.novell.com/show_bug.cgi?id=650401
https://bugzilla.novell.com/show_bug.cgi?id=650401#c10
--- Comment #10 from Ludwig Nussel
https://bugzilla.novell.com/show_bug.cgi?id=650401
https://bugzilla.novell.com/show_bug.cgi?id=650401#c11
--- Comment #11 from Vincent Untz
why is the helper binary called via pkexec? That's just like setuid root. It would be better to have a dbus service instead.
Asking upstream: it was mostly to avoid some unneeded overhead. Note that /usr/share/polkit-1/actions/org.gnome.power.policy explicitly configures the policy to apply only to this binary with pkexec. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=650401
https://bugzilla.novell.com/show_bug.cgi?id=650401#c12
--- Comment #12 from Ludwig Nussel
Note that /usr/share/polkit-1/actions/org.gnome.power.policy explicitly configures the policy to apply only to this binary with pkexec.
Sure. Calling the helper binary via pkexec with a default policy that allows it however is almost equivalent to making the helper setuid root itself. That's why I hesitate to set the privilege to 'yes' without real audit. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=650401
https://bugzilla.novell.com/show_bug.cgi?id=650401#c13
--- Comment #13 from Vincent Untz
https://bugzilla.novell.com/show_bug.cgi?id=650401
https://bugzilla.novell.com/show_bug.cgi?id=650401#c14
--- Comment #14 from Ludwig Nussel
https://bugzilla.novell.com/show_bug.cgi?id=650401
https://bugzilla.novell.com/show_bug.cgi?id=650401#c15
--- Comment #15 from Sebastian Krahmer
From my view it would be OK to make gpm-backlight-helper and xfpm-backlight-helper accessable via pkexec. Its actually the same code which just writes some values to /sys files. I am not happy that privilged programs are linked against a lot of Glib and dbus related libraries though.
-- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=650401
https://bugzilla.novell.com/show_bug.cgi?id=650401#c16
--- Comment #16 from Vincent Untz
From my view it would be OK to make gpm-backlight-helper and xfpm-backlight-helper accessable via pkexec. Its actually the same code which just writes some values to /sys files.
Does that mean we can close the bug? :-)
I am not happy that privilged programs are linked against a lot of Glib and dbus related libraries though.
Unfortunately, with polkit, this is not going to change; on the contrary, it'll be more frequent, I think. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=650401
https://bugzilla.novell.com/show_bug.cgi?id=650401#c17
Rainer Hurtado Navarro
participants (1)
-
bugzilla_noreply@novell.com