http://bugzilla.suse.com/show_bug.cgi?id=1092192

Bug ID: 1092192
Summary: liblxqt polkit-unauthorized-privilege review
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: mvetter@suse.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Current X11:LXQt:git/liblxqt package has a new change:

[ 87s] liblxqt0.x86_64: I: polkit-cant-acquire-privilege org.lxqt.backlight.pkexec (no:no:yes)
[ 87s] Usability can be improved by allowing users to acquire privileges via
[ 87s] authentication. Use e.g. 'auth_admin' instead of 'no' and make sure to define
[ 87s] 'allow_any'. This is an issue only if the privilege is not listed in
[ 87s] /etc/polkit-default-privs.*
[ 87s]
[ 87s] liblxqt0.x86_64: E: polkit-unauthorized-privilege (Badness: 10000) org.lxqt.backlight.pkexec (no:no:yes)
[ 87s] The package allows unprivileged users to carry out privileged operations
[ 87s] without authentication. This could cause security problems if not done
[ 87s] carefully. If the package is intended for inclusion in any SUSE product please
[ 87s] open a bug report to request review of the package by the security team

They added a new binary, lxqt-backlight_backend, and polkit file:
https://github.com/lxqt/liblxqt/tree/master/lxqtbacklight
https://github.com/lxqt/liblxqt/blob/master/polkit/org.lxqt.backlight.pkexec...

This is only in the git package yet.
I will use setBadness() to build binaries anyway. For testing.

I was not sure whether I should open this bug once an upstream release is out or now already, so that we have solved this when the release happens.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
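
Added example, not part of the bug report and not rpmlint's or liblxqt's own code: a simplified reviewer-side check that reads a polkit policy file's <defaults> and reproduces the (allow_any:allow_inactive:allow_active) triple and the two findings quoted in the build log. Only the action id and its (no:no:yes) values come from the log; the rest of the sample policy, the second action and the `whitelisted` parameter (standing in for /etc/polkit-default-privs.*) are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: only the first action id and its no/no/yes defaults
# are taken from the rpmlint output; the second action is made up.
SAMPLE_POLICY = """<policyconfig>
  <action id="org.lxqt.backlight.pkexec">
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.example.constructed.admin-only">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
</policyconfig>
"""

KEYS = ("allow_any", "allow_inactive", "allow_active")

def review_policy(xml_text, whitelisted=frozenset()):
    """Return [(action_id, 'any:inactive:active', [findings])] per action."""
    results = []
    for action in ET.fromstring(xml_text).iter("action"):
        defaults = action.find("defaults")
        # A missing element is reported as '??' rather than guessed.
        values = [((defaults.findtext(k) if defaults is not None else None)
                   or "??").strip() for k in KEYS]
        findings = []
        if action.get("id") not in whitelisted:
            # Anything weaker than admin authentication (yes, auth_self*)
            # lets a non-admin user carry out the action.
            if any(not v.startswith("auth_admin") and v not in ("no", "??")
                   for v in values):
                findings.append("polkit-unauthorized-privilege")
            # 'no' or an undefined key: the user cannot authenticate to get it.
            if "no" in values or "??" in values:
                findings.append("polkit-cant-acquire-privilege")
        results.append((action.get("id"), ":".join(values), findings))
    return results

if __name__ == "__main__":
    for action_id, triple, findings in review_policy(SAMPLE_POLICY):
        print(action_id, f"({triple})", ", ".join(findings) or "ok")
```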