Bug ID | 1092192 |
---|---|
Summary | liblxqt polkit-unauthorized-privilege review |
Classification | openSUSE |
Product | openSUSE Tumbleweed |
Version | Current |
Hardware | Other |
OS | Other |
Status | NEW |
Severity | Normal |
Priority | P5 - None |
Component | Security |
Assignee | security-team@suse.de |
Reporter | mvetter@suse.com |
QA Contact | qa-bugs@suse.de |
Found By | --- |
Blocker | --- |
Current X11:LXQt:git/liblxqt package has a new change: > [ 87s] liblxqt0.x86_64: I: polkit-cant-acquire-privilege org.lxqt.backlight.pkexec (no:no:yes) > [ 87s] Usability can be improved by allowing users to acquire privileges via > [ 87s] authentication. Use e.g. 'auth_admin' instead of 'no' and make sure to define > [ 87s] 'allow_any'. This is an issue only if the privilege is not listed in > [ 87s] /etc/polkit-default-privs.* > [ 87s] > [ 87s] liblxqt0.x86_64: E: polkit-unauthorized-privilege (Badness: 10000) org.lxqt.backlight.pkexec (no:no:yes) > [ 87s] The package allows unprivileged users to carry out privileged operations > [ 87s] without authentication. This could cause security problems if not done > [ 87s] carefully. If the package is intended for inclusion in any SUSE product please > [ 87s] open a bug report to request review of the package by the security team They added a new binary, lxqt-backlight_backend, and polkit file: https://github.com/lxqt/liblxqt/tree/master/lxqtbacklight https://github.com/lxqt/liblxqt/blob/master/polkit/org.lxqt.backlight.pkexec.policy.in This is only in the git package yet. I will use setBadness() to build binaries anyway. For testing. I was not sure whether I should open this bug once an upstream release is out or now already, so that we have solves this when the release happens.