| Bug ID | 1208808 |
|---|---|
| Summary | hotspot: review dbus / polkit rules |
| Classification | openSUSE |
| Product | openSUSE Tumbleweed |
| Version | Current |
| Hardware | Other |
| OS | Other |
| Status | NEW |
| Severity | Normal |
| Priority | P5 - None |
| Component | Security |
| Assignee | security-team@suse.de |
| Reporter | christophe@krop.fr |
| QA Contact | qa-bugs@suse.de |
| Found By | --- |
| Blocker | --- |
The last hotspot release installs the following files in order to run the `perf` utility with elevated privileges: /usr/share/dbus-1/system.d/com.kdab.hotspot.perf.conf /usr/share/dbus-1/system-services/com.kdab.hotspot.perf.service /usr/share/polkit-1/actions/com.kdab.hotspot.perf.policy Sources URL: https://github.com/KDAB/hotspot/tree/1.4 and notably https://github.com/KDAB/hotspot/blob/master/src/hotspot-perf-authhelper.actions which is processed by kauth. The package update is currently available in a branch: https://build.opensuse.org/package/show/home:krop:branches:devel:tools/hotspot # cat com.kdab.hotspot.perf.conf <!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN" "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd"> <busconfig> <!-- Only user root can own the foo helper --> <policy user="root"> <allow own="com.kdab.hotspot.perf"/> </policy> </busconfig> --- # cat com.kdab.hotspot.perf.service [D-BUS Service] Name=com.kdab.hotspot.perf Exec=/usr/libexec/kauth/hotspot-auth-helper User=root --- # cat com.kdab.hotspot.perf.policy <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE policyconfig PUBLIC "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN" "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd"> <policyconfig> <action id="com.kdab.hotspot.perf.elevate" > <description>Elevate Privileges</description> <message>allows to run perf as root</message> <defaults> <allow_inactive>no</allow_inactive> <allow_active>auth_admin_keep</allow_active> </defaults> </action> </policyconfig>