[Bug 1205939] New: AUDIT-WHITELIST: lightdm: move dbus system.d file to /usr

newer
[Bug 1205891] System freeze

older
[Bug 1206007] pulseaudio cannot...

bugzilla_noreply＠suse.com

1 Dec 2022 1 Dec '22

14:54

https://bugzilla.suse.com/show_bug.cgi?id=1205939 Bug ID: 1205939 Summary: AUDIT-WHITELIST: lightdm: move dbus system.d file to /usr Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: security-team@suse.de Reporter: gmbr3@opensuse.org QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- Already in devel prj - but no-one has filed for completion https://build.opensuse.org/package/show/X11:Utilities/lightdm Move /etc/dbus-1/system.d/org.freedesktop.DisplayManager.conf to /usr/share/dbus-1/system.d/org.freedesktop.DisplayManager.conf -- You are receiving this mail because: You are on the CC list for the bug.

Attachments:

attachment.html (text/html — 2.4 KB)

Show replies by date

bugzilla_noreply＠suse.com

2 Dec 2 Dec

10:13

New subject: [Bug 1205939] AUDIT-WHITELIST: lightdm: move dbus system.d file to /usr

https://bugzilla.suse.com/show_bug.cgi?id=1205939 https://bugzilla.suse.com/show_bug.cgi?id=1205939#c1 Matthias Gerstner changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|security-team@suse.de |matthias.gerstner@suse.com --- Comment #1 from Matthias Gerstner --- I will look into it. -- You are receiving this mail because: You are on the CC list for the bug.

bugzilla_noreply＠suse.com

12:25

New subject: [Bug 1205939] AUDIT-WHITELIST: lightdm: move dbus system.d file to /usr

https://bugzilla.suse.com/show_bug.cgi?id=1205939 https://bugzilla.suse.com/show_bug.cgi?id=1205939#c2 Matthias Gerstner changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |IN_PROGRESS --- Comment #2 from Matthias Gerstner --- It has been a while since we looked into lightdm so I will have a look around the current D-Bus implementation before whitelisting this new path. -- You are receiving this mail because: You are on the CC list for the bug.

bugzilla_noreply＠suse.com

15:05

New subject: [Bug 1205939] AUDIT-WHITELIST: lightdm: move dbus system.d file to /usr

https://bugzilla.suse.com/show_bug.cgi?id=1205939 https://bugzilla.suse.com/show_bug.cgi?id=1205939#c3 --- Comment #3 from Matthias Gerstner --- The D-Bus interface is rather small but strangely completely unauthenticated. It allows all local users (included nobody et al) to e.g. lock an active session or switch between sessions. Also the creation of a session seems in reach, however in my tests it failed for some reason that I don't fully understand. Maybe we can configure something in our packaging that leaves less attack surface there ... -- You are receiving this mail because: You are on the CC list for the bug.

bugzilla_noreply＠suse.com

15:08

New subject: [Bug 1205939] AUDIT-WHITELIST: lightdm: move dbus system.d file to /usr

https://bugzilla.suse.com/show_bug.cgi?id=1205939 https://bugzilla.suse.com/show_bug.cgi?id=1205939#c4 Callum Farmer changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |sor.alexei@meowr.ru --- Comment #4 from Callum Farmer --- (In reply to Matthias Gerstner from comment #3)

...

The D-Bus interface is rather small but strangely completely unauthenticated. It allows all local users (included nobody et al) to e.g. lock an active session or switch between sessions. Also the creation of a session seems in reach, however in my tests it failed for some reason that I don't fully understand.

Maybe we can configure something in our packaging that leaves less attack surface there ...

CC'ing maintainer -- You are receiving this mail because: You are on the CC list for the bug.

bugzilla_noreply＠suse.com

5 Dec 5 Dec

14:13

New subject: [Bug 1205939] AUDIT-WHITELIST: lightdm: move dbus system.d file to /usr

https://bugzilla.suse.com/show_bug.cgi?id=1205939 https://bugzilla.suse.com/show_bug.cgi?id=1205939#c5 --- Comment #5 from Matthias Gerstner --- The codebase of lightdm does not support any restrictions for calling these methods. Polkit support is not present. On D-Bus configuration file level there exists the deprecated 'at_console' setting that could be used but it is also not properly implemented. This means that there is nothing clean that we can do to address the issue on the packaging level. On the code level one could try to ask systemd whether the calling users is in a logged in session and allow only them to issue calls. I will ask upstream what their thoughts about this are. -- You are receiving this mail because: You are on the CC list for the bug.

bugzilla_noreply＠suse.com

6 Dec 6 Dec

13:16

New subject: [Bug 1205939] AUDIT-WHITELIST: lightdm: move dbus system.d file to /usr

https://bugzilla.suse.com/show_bug.cgi?id=1205939 https://bugzilla.suse.com/show_bug.cgi?id=1205939#c6 Matthias Gerstner changed: What |Removed |Added ---------------------------------------------------------------------------- Status|IN_PROGRESS |RESOLVED Resolution|--- |FIXED --- Comment #6 from Matthias Gerstner --- I have adjusted the whitelisting and it should be effective within a couple of days. Regarding the unprocted D-Bus interface, sddm is doing more or less the same. I will ask upstream about it separately from this bug. -- You are receiving this mail because: You are on the CC list for the bug.

568

Age (days ago)

573

Last active (days ago)

List overview

Download

6 comments

1 participants

participants (1)

bugzilla_noreply＠suse.com