[Bug 1208689] New: AUDIT-0: kde-inotify-survey: review of D-Bus service AND Polkit actions
http://bugzilla.opensuse.org/show_bug.cgi?id=1208689

Bug ID: 1208689
Summary: AUDIT-0: kde-inotify-survey: review of D-Bus service AND Polkit actions
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: openSUSE Tumbleweed
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: idesmi@protonmail.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

This is about a new submission request to KDE:Extra and later on to Factory.
https://build.opensuse.org/request/show/1067849

kde-inotify-survey is a KDE project that lives here:
https://invent.kde.org/system/kde-inotify-survey

Errors in RPM lint:

```
E: polkit-untracked-privilege (Badness: 10) org.kde.kded.inotify.increaseinstancelimit (no:no:auth_admin)
E: polkit-untracked-privilege (Badness: 10) org.kde.kded.inotify.increasewatchlimit (no:no:auth_admin)
E: dbus-file-unauthorized (Badness: 10) /usr/share/dbus-1/system.d/org.kde.kded.inotify.conf (sha256 file digest default filter:b05d2600ec47a5fb24b1e0acffcf5a06f4d0b5707d80ffe26a1ef79c7eaa6550 shell filter:d17479783b3d85f320757e085e8f45fbb5789281e5cab6fe6cecc9ac3f57a581 xml filter:4eb68f2c3bc75842df0f3d67874588fc672ec540769db09c3a71cbb292a989f7)
E: dbus-file-unauthorized (Badness: 10) /usr/share/dbus-1/system-services/org.kde.kded.inotify.service (sha256 file digest default filter:89a2ce5a4c6ebd7cb471f820a28fbd2dd418e377cb2ed0eaea1af59840c1dabd shell filter:89a2ce5a4c6ebd7cb471f820a28fbd2dd418e377cb2ed0eaea1af59840c1dabd xml filter:<failed-to-calculate>)
E: communication not allowed /usr/share/dbus-1/system.d/org.kde.kded.inotify.conf
```

--
You are receiving this mail because:
You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1208689
http://bugzilla.opensuse.org/show_bug.cgi?id=1208689#c1

Wolfgang Frisch <wolfgang.frisch@suse.com> changed:

           What    |Removed               |Added
----------------------------------------------------------------------------
         Status|NEW                   |CONFIRMED
             CC|                      |wolfgang.frisch@suse.com
       Assignee|security-team@suse.de |wolfgang.frisch@suse.com

--- Comment #1 from Wolfgang Frisch <wolfgang.frisch@suse.com> ---
Thanks for your bug report. I intend to work on it shortly.
http://bugzilla.opensuse.org/show_bug.cgi?id=1208689

Wolfgang Frisch <wolfgang.frisch@suse.com> changed:

           What    |Removed               |Added
----------------------------------------------------------------------------
         Status|CONFIRMED             |IN_PROGRESS
http://bugzilla.opensuse.org/show_bug.cgi?id=1208689
http://bugzilla.opensuse.org/show_bug.cgi?id=1208689#c3

--- Comment #3 from Wolfgang Frisch <wolfgang.frisch@suse.com> ---
I'm done with the review.

There's one generated D-Bus Service running as root:

```
[D-BUS Service]
Name=org.kde.kded.inotify
Exec=/usr/libexec/kauth/kded-inotify-helper
User=root
```

This is only accessible with admin privileges.

Beyond this, there are 3 components:

- `helper/`:
  - the aforementioned D-Bus service, running as root
  - requires admin permissions
  - includes code in `survey/`
- `survey/`:
  - Crawls /proc
  - No obvious flaws, except that it's inherently prone to race conditions, but this does not matter in this case. The count does not have to be perfect to be useful.
- `kded/`:
  - module for KDED
  - exposes a user-accessible D-Bus method org.kde.kded5:/modules/inotify/refresh(), unprivileged

Apart from that there's an unprivileged kded module.

All good. I will proceed with the whitelisting.
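The rpmlint lines in the report print each polkit action with its default authorization triple, `(allow_any:allow_inactive:allow_active)`, and the review above accepts the root helper because that triple is `no:no:auth_admin`. The following script, added here as an illustration and not code from kde-inotify-survey, rpmlint or polkit, parses a polkit `.policy` file, prints the same id-plus-triple form, and flags actions whose defaults are weaker than what a root-running helper should ship with. The `.policy` text is constructed for the example: only the two `org.kde.kded.inotify.*` action ids and their defaults come from the report; the description and message strings are placeholders, the third action `org.example.hypothetical.weak` is hypothetical, and the function names are this example's own.

```python
"""Audit polkit action defaults the way an rpmlint-style check would.

Added example for this bug thread, not code from kde-inotify-survey,
rpmlint or polkit. SAMPLE_POLICY is constructed: the two inotify action
ids and their (no:no:auth_admin) defaults are from the report, the
description/message text is placeholder wording, and the third action
is hypothetical.
"""
import xml.etree.ElementTree as ET

SAMPLE_POLICY = """
<policyconfig>
  <vendor>KDE</vendor>
  <action id="org.kde.kded.inotify.increaseinstancelimit">
    <description>Placeholder description</description>
    <message>Placeholder message</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin</allow_active>
    </defaults>
  </action>
  <action id="org.kde.kded.inotify.increasewatchlimit">
    <description>Placeholder description</description>
    <message>Placeholder message</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin</allow_active>
    </defaults>
  </action>
  <action id="org.example.hypothetical.weak">
    <description>Placeholder description (hypothetical action)</description>
    <message>Placeholder message</message>
    <defaults>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
</policyconfig>
"""

# polkit authorization results ordered from most to least restrictive.
RANK = {"no": 0, "auth_admin": 1, "auth_admin_keep": 2,
        "auth_self": 3, "auth_self_keep": 4, "yes": 5}


def parse_policy_defaults(xml_text):
    """Return {action_id: (allow_any, allow_inactive, allow_active)}.

    polkit treats an omitted <allow_*> element as "no", so missing
    elements are filled in the same way.
    """
    root = ET.fromstring(xml_text)
    result = {}
    for action in root.iter("action"):
        defaults = action.find("defaults")
        triple = []
        for tag in ("allow_any", "allow_inactive", "allow_active"):
            node = defaults.find(tag) if defaults is not None else None
            value = node.text.strip() if node is not None and node.text else "no"
            if value not in RANK:
                raise ValueError(f"unknown authorization result {value!r}")
            triple.append(value)
        result[action.get("id")] = tuple(triple)
    return result


def rpmlint_style(action_id, triple):
    """Format like the report's polkit-untracked-privilege lines: id (any:inactive:active)."""
    return f"{action_id} ({':'.join(triple)})"


def find_weak_actions(defaults, max_active="auth_admin"):
    """Return action ids whose defaults are looser than a root helper should carry.

    Rule applied by this example: remote and inactive sessions must get "no",
    and an active local session may be granted at most `max_active`.
    """
    weak = []
    for action_id, (any_, inactive, active) in defaults.items():
        if any_ != "no" or inactive != "no" or RANK[active] > RANK[max_active]:
            weak.append(action_id)
    return weak


if __name__ == "__main__":
    defaults = parse_policy_defaults(SAMPLE_POLICY)
    for action_id, triple in defaults.items():
        print(rpmlint_style(action_id, triple))
    print("weak defaults:", find_weak_actions(defaults))
```

Run against a real file with `parse_policy_defaults(open(path).read())`; the two inotify actions come out as `(no:no:auth_admin)` and pass, while the hypothetical action, which omits `allow_any`/`allow_inactive` and grants `yes` to active sessions, is the only one reported as weak.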
http://bugzilla.opensuse.org/show_bug.cgi?id=1208689
http://bugzilla.opensuse.org/show_bug.cgi?id=1208689#c4

--- Comment #4 from Wolfgang Frisch <wolfgang.frisch@suse.com> ---
I'm done with the review.

There's one generated D-Bus Service running as root:

```
[D-BUS Service]
Name=org.kde.kded.inotify
Exec=/usr/libexec/kauth/kded-inotify-helper
User=root
```

This is only accessible with admin privileges.

Beyond this, there are 3 components:

- `helper/`:
  - the aforementioned D-Bus service, running as root
  - requires admin permissions
  - includes code in `survey/`
- `survey/`:
  - Crawls /proc
  - No obvious flaws, except that it's inherently prone to race conditions, but this does not matter in this case. The count does not have to be perfect to be useful.
- `kded/`:
  - module for KDED
  - exposes a user-accessible D-Bus method org.kde.kded5:/modules/inotify/refresh(), unprivileged

All good. I will proceed with the whitelisting.
http://bugzilla.opensuse.org/show_bug.cgi?id=1208689
http://bugzilla.opensuse.org/show_bug.cgi?id=1208689#c5

--- Comment #5 from Wolfgang Frisch <wolfgang.frisch@suse.com> ---
In progress.

D-Bus service:
https://github.com/rpm-software-management/rpmlint/pull/1016
https://build.opensuse.org/request/show/1069937

Polkit privileges:
https://github.com/openSUSE/polkit-default-privs/pull/88
https://build.opensuse.org/request/show/1069931
http://bugzilla.opensuse.org/show_bug.cgi?id=1208689
http://bugzilla.opensuse.org/show_bug.cgi?id=1208689#c6

Wolfgang Frisch <wolfgang.frisch@suse.com> changed:

           What    |Removed               |Added
----------------------------------------------------------------------------
         Status|IN_PROGRESS           |RESOLVED
     Resolution|---                   |FIXED

--- Comment #6 from Wolfgang Frisch <wolfgang.frisch@suse.com> ---
Both submissions accepted into Factory! Resolved as far as I'm concerned.