https://bugzilla.novell.com/show_bug.cgi?id=783897
https://bugzilla.novell.com/show_bug.cgi?id=783897#c0

Summary: new polkit rules in systemd 194
Classification: openSUSE
Product: openSUSE Factory
Version: 12.3 Milestone 0
Platform: Other
OS/Version: Other
Status: NEW
Severity: Major
Priority: P5 - None
Component: Basesystem
AssignedTo: security-team@suse.de
ReportedBy: fcrozat@suse.com
QAContact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Upcoming systemd 194 (available in openSUSE:Factory:Staging:Systemd / systemd) has new polkit rules which need secteam clearance:

systemd.x86_64: I: polkit-untracked-privilege org.freedesktop.timedate1.set-ntp (auth_admin_keep:auth_admin_keep:auth_admin_keep)
systemd.x86_64: I: polkit-untracked-privilege org.freedesktop.locale1.set-keyboard (auth_admin_keep:auth_admin_keep:auth_admin_keep)
systemd.x86_64: I: polkit-untracked-privilege org.freedesktop.login1.power-off-ignore-inhibit (auth_admin_keep:auth_admin_keep:auth_admin_keep)
systemd.x86_64: I: polkit-untracked-privilege org.freedesktop.login1.reboot-ignore-inhibit (auth_admin_keep:auth_admin_keep:auth_admin_keep)
systemd.x86_64: I: polkit-untracked-privilege org.freedesktop.login1.suspend-ignore-inhibit (auth_admin_keep:auth_admin_keep:auth_admin_keep)
systemd.x86_64: I: polkit-untracked-privilege org.freedesktop.login1.hibernate-multiple-sessions (auth_admin_keep:auth_admin_keep:auth_admin_keep)
systemd.x86_64: I: polkit-untracked-privilege org.freedesktop.login1.hibernate-ignore-inhibit (auth_admin_keep:auth_admin_keep:auth_admin_keep)

The privilege is not listed in /etc/polkit-default-privs.* which makes it harder for admins to find.
If the package is intended for inclusion in any SUSE product please open a bug report to request review of the package by the security team

systemd.x86_64: E: polkit-unauthorized-privilege (Badness: 10000) org.freedesktop.login1.inhibit-block-shutdown (no:yes:yes)
systemd.x86_64: E: polkit-unauthorized-privilege (Badness: 10000) org.freedesktop.login1.inhibit-delay-shutdown (yes:yes:yes)
systemd.x86_64: E: polkit-unauthorized-privilege (Badness: 10000) org.freedesktop.login1.inhibit-block-sleep (no:yes:yes)
systemd.x86_64: E: polkit-unauthorized-privilege (Badness: 10000) org.freedesktop.login1.inhibit-delay-sleep (yes:yes:yes)
systemd.x86_64: E: polkit-unauthorized-privilege (Badness: 10000) org.freedesktop.login1.inhibit-block-idle (yes:yes:yes)
systemd.x86_64: E: polkit-unauthorized-privilege (Badness: 10000) org.freedesktop.login1.inhibit-handle-power-key (no:yes:yes)
systemd.x86_64: E: polkit-unauthorized-privilege (Badness: 10000) org.freedesktop.login1.inhibit-handle-suspend-key (no:yes:yes)
systemd.x86_64: E: polkit-unauthorized-privilege (Badness: 10000) org.freedesktop.login1.inhibit-handle-hibernate-key (no:yes:yes)
systemd.x86_64: E: polkit-unauthorized-privilege (Badness: 10000) org.freedesktop.login1.inhibit-handle-lid-switch (no:yes:yes)
systemd.x86_64: E: polkit-unauthorized-privilege (Badness: 10000) org.freedesktop.login1.suspend (auth_admin_keep:auth_admin_keep:yes)
systemd.x86_64: E: polkit-unauthorized-privilege (Badness: 10000) org.freedesktop.login1.suspend-multiple-sessions (auth_admin_keep:auth_admin_keep:yes)
systemd.x86_64: E: polkit-unauthorized-privilege (Badness: 10000) org.freedesktop.login1.hibernate (auth_admin_keep:auth_admin_keep:yes)

The package allows unprivileged users to carry out privileged operations without authentication. This could cause security problems if not done carefully.
If the package is intended for inclusion in any SUSE product please open a bug report to request review of the package by the security team

systemd.x86_64: I: polkit-cant-acquire-privilege org.freedesktop.login1.inhibit-block-shutdown (no:yes:yes)
systemd.x86_64: I: polkit-cant-acquire-privilege org.freedesktop.login1.inhibit-block-sleep (no:yes:yes)
systemd.x86_64: I: polkit-cant-acquire-privilege org.freedesktop.login1.inhibit-handle-power-key (no:yes:yes)
systemd.x86_64: I: polkit-cant-acquire-privilege org.freedesktop.login1.inhibit-handle-suspend-key (no:yes:yes)
systemd.x86_64: I: polkit-cant-acquire-privilege org.freedesktop.login1.inhibit-handle-hibernate-key (no:yes:yes)
systemd.x86_64: I: polkit-cant-acquire-privilege org.freedesktop.login1.inhibit-handle-lid-switch (no:yes:yes)

Usability can be improved by allowing users to acquire privileges via authentication. Use e.g. 'auth_admin' instead of 'no' and make sure to define 'allow_any'. This is an issue only if the privilege is not listed in /etc/polkit-default-privs.*