https://bugzilla.novell.com/show_bug.cgi?id=650401 https://bugzilla.novell.com/show_bug.cgi?id=650401#c1 Vincent Untz changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |vuntz@novell.com Component|GNOME |Basesystem AssignedTo|bnc-team-gnome@forge.provo. |lnussel@novell.com |novell.com | Summary|GNOME Power Manager: Wants |polkit-default-privs: g-p-m |root access to change |wants root access to change |laptop brightness |laptop brightness --- Comment #1 from Vincent Untz 2010-11-19 17:24:02 UTC --- That's really a bug in polkit-default-privs: # gnome-power-manager org.gnome.power.backlight-helper auth_admin It should not be auth_admin, but something like auth_admin:auth_admin:yes. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=650401 https://bugzilla.novell.com/show_bug.cgi?id=650401#c2 Gabriel Burt changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |gburt@novell.com --- Comment #2 from Gabriel Burt 2010-11-19 20:56:35 UTC --- I see this too, but I noticed the brightness changes anyway (before or even if I don't auth); I filed bug #655063 for that. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=650401 https://bugzilla.novell.com/show_bug.cgi?id=650401#c4 JP Rosevear changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |terje@nordland-teknikk.no --- Comment #4 from JP Rosevear 2010-12-31 21:44:23 UTC --- *** Bug 661488 has been marked as a duplicate of this bug. *** http://bugzilla.novell.com/show_bug.cgi?id=661488 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=650401 https://bugzilla.novell.com/show_bug.cgi?id=650401#c6 Herman Oosthuysen changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |herman@aeronetworks.ca --- Comment #6 from Herman Oosthuysen 2011-01-26 02:46:53 UTC --- I also see it and the same thing happens when you change the hard disk spin down time in the Gnome power savings mode with Gconf. It causes a pop-up at boot time. It is probably all related, so I don't want to open a new bug report for this one. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=650401 https://bugzilla.novell.com/show_bug.cgi?id=650401#c8 --- Comment #8 from Herman Oosthuysen 2011-01-26 07:27:16 UTC --- OK, here is my crude workaround. It may grant more privileges than an ordinary mortal may need. I created file /etc/polkit-default-privs.local: # # Note that you need to run /sbin/set_polkit_default_privs for # changes to take effect. # # Format: # <privilege> <any>:<inactive>:<active> # org.freedesktop.network-manager-settings.system.modify yes org.freedesktop.network-manager-settings.system.hostname.modify yes org.freedesktop.network-manager-settings.system.wifi.share.protected yes org.freedesktop.network-manager-settings.system.wifi.share.open yes org.freedesktop.NetworkManager.enable-disable-network yes org.freedesktop.NetworkManager.enable-disable-wifi yes org.freedesktop.NetworkManager.enable-disable-wwan yes org.freedesktop.NetworkManager.use-user-connections yes org.freedesktop.NetworkManager.network-control yes org.freedesktop.NetworkManager.sleep-wake yes org.freedesktop.hal.power-management.shutdown yes org.freedesktop.hal.power-management.shutdown-multiple-sessions yes org.freedesktop.hal.power-management.reboot yes org.freedesktop.hal.power-management.reboot-multiple-sessions yes org.freedesktop.hal.power-management.set-powersave yes org.freedesktop.hal.power-management.suspend yes org.freedesktop.hal.power-management.hibernate yes org.freedesktop.hal.power-management.standby yes org.freedesktop.hal.power-management.cpufreq yes org.freedesktop.hal.power-management.lcd-panel yes org.freedesktop.hal.power-management.light-sensor yes org.freedesktop.hal.power-management.keyboard-backlight yes org.freedesktop.hal.dockstation.undock yes org.freedesktop.hal.leds.brightness yes org.freedesktop.udisks.drive-set-spindown yes org.freedesktop.upower.suspend yes org.freedesktop.upower.hibernate yes -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=650401 https://bugzilla.novell.com/show_bug.cgi?id=650401#c10 --- Comment #10 from Ludwig Nussel 2011-01-26 13:42:30 CET --- why is the helper binary called via pkexec? That's just like setuid root. It would be better to have a dbus service instead. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=650401 https://bugzilla.novell.com/show_bug.cgi?id=650401#c12 --- Comment #12 from Ludwig Nussel 2011-01-26 14:50:11 CET --- (In reply to comment #11)

Note that /usr/share/polkit-1/actions/org.gnome.power.policy explicitly configures the policy to apply only to this binary with pkexec.

Sure. Calling the helper binary via pkexec with a default policy that allows it however is almost equivalent to making the helper setuid root itself. That's why I hesitate to set the privilege to 'yes' without real audit. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=650401 https://bugzilla.novell.com/show_bug.cgi?id=650401#c14 --- Comment #14 from Ludwig Nussel 2011-01-26 16:42:25 CET --- yes but that way it doesn't inherit the user's environment (env, fds, cwd, limits etc) iow less attack surface. Anyways, I've set the privilege to 'yes' for 11.4. The audit should be done nevertheless at some point. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=650401 https://bugzilla.novell.com/show_bug.cgi?id=650401#c16 --- Comment #16 from Vincent Untz 2011-02-17 09:57:44 UTC --- (In reply to comment #15)

From my view it would be OK to make gpm-backlight-helper and xfpm-backlight-helper accessable via pkexec. Its actually the same code which just writes some values to /sys files.

Does that mean we can close the bug? :-)

I am not happy that privilged programs are linked against a lot of Glib and dbus related libraries though.

Unfortunately, with polkit, this is not going to change; on the contrary, it'll be more frequent, I think. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.