Bug ID 1125432
Summary AUDIT-0: gnome-initial-setup: purpose of /usr/share/polkit-1/rules.d/20-gnome-initial-setup.rules
Classification openSUSE
Product openSUSE Tumbleweed
Version Current
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Security
Assignee qzhao@suse.com
Reporter matthias.gerstner@suse.com
QA Contact qa-bugs@suse.de
CC security-team@suse.de
Found By ---
Blocker ---

As explained in bug 1125314 we are currently looking into polkit rules files
installed into /usr/share/polkit-1/rules.d. In the future we want to apply a
whitelisting restriction to rule files installed there.

gnome-initial-setup installs the rules file
/usr/share/polkit-1/rules.d/20-gnome-initial-setup.rules. These rules probably
never went through a review with the security team. Since the file starts with
'20-' it will take precedence over our polkit-default-privs.

This rules file allows the user "gnome-initial-setup" to perform any of the
following actions without password authentication, if coming from a local
session:

org.freedesktop.udisks2.filesystem-mount-system
org.freedesktop.hostname1.*
org.freedesktop.NetworkManager.*
org.freedesktop.locale1.*
org.freedesktop.packagekit.system-sources-configure
org.freedesktop.accounts.*
org.freedesktop.timedate1.*
org.freedesktop.realmd.*
org.freedesktop.RealtimeKit1.*

That is quite a lot of power. Can you explain under which circumstances this
gnome-initial-setup user is coming into play? How is the user logged in, does
he have a password, and so on?

Thank you!
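
An added example, not part of the bug report or of any openSUSE tooling: a sketch of the audit the report describes, listing rules files in /usr/share/polkit-1/rules.d that are not whitelisted and that polkit evaluates before a baseline file, together with the action patterns they mention. It relies on polkit's documented ordering (lexical by basename, /etc before /usr on a tie); the names `90-baseline.rules` (a stand-in for the polkit-default-privs rules file, whose name the report does not give), `10-reviewed.rules`, `95-late.rules` and all file contents are constructed for the demonstration.

```python
import re
from pathlib import PurePosixPath

VENDOR_DIR = "/usr/share/polkit-1/rules.d"
# Quoted dotted names: a full action id or a prefix such as 'org.freedesktop.hostname1.'
ACTION_RE = re.compile(r"""['"]([a-z]+(?:\.[A-Za-z0-9_-]+){2,}\.?)['"]""")

def evaluation_order(paths):
    """polkit order: lexical by basename; on a tie /etc is processed before /usr."""
    return sorted(paths, key=lambda p: (PurePosixPath(p).name, not p.startswith("/etc/")))

def audit(files, baseline, whitelist):
    """files maps path -> rules text. Return (path, action patterns) for each vendor-dir
    file that is not whitelisted and is evaluated before the `baseline` file."""
    findings = []
    for path in evaluation_order(files):
        p = PurePosixPath(path)
        if p.name >= baseline:
            break  # this file and all later ones are evaluated at or after the baseline
        if str(p.parent) == VENDOR_DIR and p.name not in whitelist:
            findings.append((path, sorted(set(ACTION_RE.findall(files[path])))))
    return findings

# Constructed sample: contents and the 10-/90-/95- file names are made up for the demo.
SAMPLE = {
    VENDOR_DIR + "/95-late.rules":
        "polkit.addRule(function(a, s) { if (a.id == 'org.example.late.run') return polkit.Result.YES; });",
    "/etc/polkit-1/rules.d/90-baseline.rules":
        "polkit.addRule(function(a, s) { return polkit.Result.AUTH_ADMIN; });",
    VENDOR_DIR + "/20-gnome-initial-setup.rules": """
polkit.addRule(function(action, subject) {
    if (subject.user !== 'gnome-initial-setup' || !subject.local)
        return undefined;
    if (action.id.indexOf('org.freedesktop.hostname1.') === 0 ||
        action.id === 'org.freedesktop.udisks2.filesystem-mount-system')
        return polkit.Result.YES;
    return undefined;
});
""",
    VENDOR_DIR + "/10-reviewed.rules":
        "polkit.addRule(function(a, s) { if (a.id == 'org.example.reviewed.run') return polkit.Result.AUTH_ADMIN; });",
}

if __name__ == "__main__":
    for path, actions in audit(SAMPLE, "90-baseline.rules", {"10-reviewed.rules"}):
        print(path, *actions, sep="\n  ")
```

The string scan only surfaces the action names a file mentions; whether a rule actually grants them still needs a manual read of the JavaScript.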

