Bug ID | 1125432 |
---|---|
Summary | AUDIT-0: gnome-initial-setup: purpose of /usr/share/polkit-1/rules.d/20-gnome-initial-setup.rules |
Classification | openSUSE |
Product | openSUSE Tumbleweed |
Version | Current |
Hardware | Other |
OS | Other |
Status | NEW |
Severity | Normal |
Priority | P5 - None |
Component | Security |
Assignee | qzhao@suse.com |
Reporter | matthias.gerstner@suse.com |
QA Contact | qa-bugs@suse.de |
CC | security-team@suse.de |
Found By | --- |
Blocker | --- |
As explained in bug 1125314 we are currently looking into polkit rules files installed into /usr/share/polkit-1/rules.d. In the future we want to apply a whitelisting restriction to rule files installed there.

gnome-initial-setup installs the rules file /usr/share/polkit-1/rules.d/20-gnome-initial-setup.rules. These rules probably never went through a review with the security team. Since the file starts with '20-' it will take precedence over our polkit-default-privs.

This rules file allows the user "gnome-initial-setup" to perform any of the following actions without password authentication, if coming from a local session:

- org.freedesktop.udisks2.filesystem-mount-system
- org.freedesktop.hostname1.*
- org.freedesktop.NetworkManager.*
- org.freedesktop.locale1.*
- org.freedesktop.packagekit.system-sources-configure
- org.freedesktop.accounts.*
- org.freedesktop.timedate1.*
- org.freedesktop.realmd.*
- org.freedesktop.RealtimeKit1.*

That is quite a lot of power. Can you explain under which circumstances this gnome-initial-setup user is coming into play? How is the user logged in, does he have a password and so on. Thank you!
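To make the scope of such a rule concrete for review, the following is an added example (not the gnome-initial-setup project's own rules file): a reconstruction of the grant described in the report, run against a minimal stand-in for polkit's JavaScript rule engine so it can be exercised offline. The rule body is an assumption derived only from the description above (user name, local-session condition, action prefixes); `polkit.addRule` is the real polkit rules API, the engine shim is constructed.

```javascript
// Action IDs from the bug report; a trailing "." stands for the report's
// "prefix.*" wildcard (any action under that prefix), otherwise exact match.
const GRANTED_ACTIONS = [
  "org.freedesktop.udisks2.filesystem-mount-system",
  "org.freedesktop.hostname1.",
  "org.freedesktop.NetworkManager.",
  "org.freedesktop.locale1.",
  "org.freedesktop.packagekit.system-sources-configure",
  "org.freedesktop.accounts.",
  "org.freedesktop.timedate1.",
  "org.freedesktop.realmd.",
  "org.freedesktop.RealtimeKit1.",
];

function actionMatches(actionId) {
  return GRANTED_ACTIONS.some((p) =>
    p.endsWith(".") ? actionId.startsWith(p) : actionId === p
  );
}

// Constructed stand-in for polkit's engine: rules run in file order and the
// first rule returning something other than undefined decides the result.
const rules = [];
const polkit = { addRule: (fn) => rules.push(fn) };

// Reconstructed rule (assumption): a password-less "yes" only for the
// gnome-initial-setup user, only from a local session, only for listed
// actions; everything else falls through to the .policy defaults.
polkit.addRule(function (action, subject) {
  if (subject.user !== "gnome-initial-setup" || !subject.local) return undefined;
  if (actionMatches(action.id)) return "yes";
  return undefined;
});

// Evaluate one (action, subject) pair; undefined means the rule granted
// nothing and polkit would consult later rules and the action's defaults.
function checkAuthorization(actionId, subject) {
  for (const rule of rules) {
    const result = rule({ id: actionId }, subject);
    if (result !== undefined) return result;
  }
  return undefined;
}
```

Feeding a candidate action ID through `checkAuthorization` shows at a glance whether the rule would silence a password prompt for it, which is the question a reviewer of a `20-` file that precedes polkit-default-privs needs answered.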