Bug ID 1092192
Summary liblxqt polkit-unauthorized-privilege review
Classification openSUSE
Product openSUSE Tumbleweed
Version Current
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Security
Assignee security-team@suse.de
Reporter mvetter@suse.com
QA Contact qa-bugs@suse.de
Found By ---
Blocker ---

Current X11:LXQt:git/liblxqt package has a new change:

> [   87s] liblxqt0.x86_64: I: polkit-cant-acquire-privilege org.lxqt.backlight.pkexec (no:no:yes)
> [   87s] Usability can be improved by allowing users to acquire privileges via
> [   87s] authentication. Use e.g. 'auth_admin' instead of 'no' and make sure to define
> [   87s] 'allow_any'. This is an issue only if the privilege is not listed in
> [   87s] /etc/polkit-default-privs.*
> [   87s] 
> [   87s] liblxqt0.x86_64: E: polkit-unauthorized-privilege (Badness: 10000) org.lxqt.backlight.pkexec (no:no:yes)
> [   87s] The package allows unprivileged users to carry out privileged operations
> [   87s] without authentication. This could cause security problems if not done
> [   87s] carefully. If the package is intended for inclusion in any SUSE product please
> [   87s] open a bug report to request review of the package by the security team

They added a new binary, lxqt-backlight_backend, and a polkit file:

https://github.com/lxqt/liblxqt/tree/master/lxqtbacklight
https://github.com/lxqt/liblxqt/blob/master/polkit/org.lxqt.backlight.pkexec.policy.in

This is only in the git package so far.

I will use setBadness() to build binaries anyway. For testing.

I was not sure whether I should open this bug once an upstream release is out
or now already, so that we have solved this when the release happens.
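
The triplet in the rpmlint output, (no:no:yes), is the action's allow_any, allow_inactive and allow_active defaults. The following Python check is an added example, not part of the original report and not rpmlint's own code: it reads those defaults from a policy file and lists actions that grant 'yes' without being on a reviewer-supplied whitelist. The sample policy, the second action id, the placeholder exec path and the `whitelist` parameter are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample. The first action carries the defaults rpmlint printed
# for org.lxqt.backlight.pkexec (no:no:yes); the exec path is a placeholder.
SAMPLE_POLICY = """<policyconfig>
  <action id="org.lxqt.backlight.pkexec">
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/PLACEHOLDER/lxqt-backlight_backend</annotate>
  </action>
  <action id="org.example.constructed.admin">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
</policyconfig>"""

# Order matches the any:inactive:active triplet shown in the rpmlint message.
FIELDS = ("allow_any", "allow_inactive", "allow_active")


def implicit_auth(policy_xml):
    """Map each action id to its (allow_any, allow_inactive, allow_active)."""
    result = {}
    for action in ET.fromstring(policy_xml).iter("action"):
        defaults = action.find("defaults")
        triple = []
        for field in FIELDS:
            node = defaults.find(field) if defaults is not None else None
            # Assumption: an omitted element is treated as 'no'.
            triple.append(node.text.strip() if node is not None and node.text else "no")
        result[action.get("id")] = tuple(triple)
    return result


def review(policy_xml, whitelist=frozenset()):
    """List (action id, triplet) pairs that grant 'yes' and are not whitelisted.

    Simplified: only a literal 'yes' counts as access without authentication.
    """
    return [(action_id, ":".join(triple))
            for action_id, triple in implicit_auth(policy_xml).items()
            if "yes" in triple and action_id not in whitelist]


if __name__ == "__main__":
    for action_id, triple in review(SAMPLE_POLICY):
        print(f"needs review: {action_id} ({triple})")
```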

