[Bug 864716] New: AUDIT-0: libKF5Auth4.x86_64: W: suse-dbus-unauthorized-service /etc/dbus-1/system.d/org.kde.kf5auth.conf
https://bugzilla.novell.com/show_bug.cgi?id=864716
https://bugzilla.novell.com/show_bug.cgi?id=864716#c0

Summary: AUDIT-0: libKF5Auth4.x86_64: W: suse-dbus-unauthorized-service /etc/dbus-1/system.d/org.kde.kf5auth.conf
Classification: openSUSE
Product: openSUSE Factory
Version: 13.2 Milestone 0
Platform: Other
OS/Version: Other
Status: NEW
Severity: Major
Priority: P5 - None
Component: Security
AssignedTo: security-team@suse.de
ReportedBy: hrvoje.senjan@gmail.com
QAContact: qa-bugs@suse.de
Found By: ---
Blocker: ---
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.91 Safari/537.36 SUSE/33.0.1750.91

Source can be found at KDE:Frameworks5/kauth. As with the kinit package, the code is just ported to Qt5/KF5. org.kde.kf5auth.conf was renamed from org.kde.auth.conf so it can be co-installed with the kdelibs4 package(s). Thus - asking for whitelist =) Thanks!

Reproducible: Always

-- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=864716#c1
--- Comment #1 from Sebastian Krahmer
https://bugzilla.novell.com/show_bug.cgi?id=864716#c2
--- Comment #2 from Sebastian Krahmer
https://bugzilla.novell.com/show_bug.cgi?id=864716#c4
--- Comment #4 from Sebastian Krahmer
https://bugzilla.novell.com/show_bug.cgi?id=864716#c5
--- Comment #5 from Raymond Wooninck
https://bugzilla.novell.com/show_bug.cgi?id=864716#c6
--- Comment #6 from Raymond Wooninck
https://bugzilla.novell.com/show_bug.cgi?id=864716#c7
--- Comment #7 from Sebastian Krahmer
https://bugzilla.novell.com/show_bug.cgi?id=864716#c8
--- Comment #8 from Sebastian Krahmer
https://bugzilla.novell.com/show_bug.cgi?id=864716#c9
--- Comment #9 from Raymond Wooninck
https://bugzilla.novell.com/show_bug.cgi?id=864716#c10
--- Comment #10 from Sebastian Krahmer
https://bugzilla.novell.com/show_bug.cgi?id=864716#c11
--- Comment #11 from Hrvoje Senjan
https://bugzilla.novell.com/show_bug.cgi?id=864716#c12
--- Comment #12 from Raymond Wooninck
https://bugzilla.novell.com/show_bug.cgi?id=864716#c13
--- Comment #13 from Hrvoje Senjan
https://bugzilla.novell.com/show_bug.cgi?id=864716#c14
--- Comment #14 from Sebastian Krahmer
https://bugzilla.novell.com/show_bug.cgi?id=864716#c15
--- Comment #15 from Raymond Wooninck
https://bugzilla.novell.com/show_bug.cgi?id=864716#c16
--- Comment #16 from Hrvoje Senjan
That's racy and the thing we want to fix. Your patch proposal also integrates the uid, but I fear that's the uid of the currently running process (root == 0). From the small patch I cannot see where the uid is coming from. If that would be the uid of the requesting user, that would be fine (although not perfect if suid helpers request DBUS services). In reality, we have no SUID helpers in KDE - except for the kdeinit's OOM killer ;-) UID is the one of the requesting user - I've tested the patch, and from the user perspective, things still operate as before - e.g. for killing other users' processes in KSysGuard I need to enter the root password, also for changing the clock, etc.
The preferred way is to use system-bus-name polkit authorization. polkit-qt bindings seem to offer the SystemBusNameSubject class already, so is it possible to use that in KAuth rather than UnixProcess subjects? As Raymond pointed out, our chances for changing the internals are better for the KAuth framework/polkit-qt-1 based on Qt5, rather than in the kdelibs4/Qt4 world...
https://bugzilla.novell.com/show_bug.cgi?id=864716#c17
--- Comment #17 from Raymond Wooninck
https://bugzilla.novell.com/show_bug.cgi?id=864716#c18
--- Comment #18 from Sebastian Krahmer
https://bugzilla.novell.com/show_bug.cgi?id=864716#c19
--- Comment #19 from Raymond Wooninck
https://bugzilla.novell.com/show_bug.cgi?id=864716#c20
--- Comment #20 from Sebastian Krahmer
https://bugzilla.novell.com/show_bug.cgi?id=864716#c21
--- Comment #21 from Sebastian Krahmer
https://bugzilla.novell.com/show_bug.cgi?id=864716#c22
--- Comment #22 from Sebastian Krahmer
https://bugzilla.novell.com/show_bug.cgi?id=864716#c23
--- Comment #23 from Raymond Wooninck
https://bugzilla.novell.com/show_bug.cgi?id=864716#c24
--- Comment #24 from Sebastian Krahmer
https://bugzilla.novell.com/show_bug.cgi?id=864716#c25
--- Comment #25 from Hrvoje Senjan
https://bugzilla.novell.com/show_bug.cgi?id=864716#c26
--- Comment #26 from Sebastian Krahmer
We just disabled KAuth for SLE12 due to the unpatched hole, see bnc#873135
https://bugzilla.novell.com/show_bug.cgi?id=864716#c27
--- Comment #27 from Hrvoje Senjan
https://bugzilla.novell.com/show_bug.cgi?id=864716#c28
--- Comment #28 from Raymond Wooninck
https://bugzilla.novell.com/show_bug.cgi?id=864716#c29
--- Comment #29 from Luca Beltrame
s the KDE folks was not responding to various mails from us
security@ko is not the right place to ask these questions. Either contact Martin Briza (see previous message from Hrvoje) or mail the Frameworks mailing list (kde-frameworks-devel@kde.org). These are the best places to contact upstream. Nevertheless, this should not block KAuth from entering Factory. Not having this breaks several components needed for a basic desktop experience, including power management.
https://bugzilla.novell.com/show_bug.cgi?id=864716#c30
--- Comment #30 from Marcus Meissner
https://bugzilla.novell.com/show_bug.cgi?id=864716#c31
--- Comment #31 from Marcus Meissner
https://bugzilla.novell.com/show_bug.cgi?id=864716#c32
--- Comment #32 from Sebastian Krahmer
https://bugzilla.novell.com/show_bug.cgi?id=864716#c33
--- Comment #33 from Sebastian Krahmer
https://bugzilla.novell.com/show_bug.cgi?id=864716#c34
--- Comment #34 from Luca Beltrame
https://bugzilla.novell.com/show_bug.cgi?id=864716#c35
--- Comment #35 from Luca Beltrame
https://bugzilla.novell.com/show_bug.cgi?id=864716#c36
--- Comment #36 from Luca Beltrame
https://bugzilla.novell.com/show_bug.cgi?id=864716#c37
--- Comment #37 from Hrvoje Senjan
The problem in KAuth is that, due to the layers, there is no way to determine who actually is trying to authenticate the polkit action. The dbus sender, which should be used for this, is not available. And getuid() might be misleading because it's already running as root due to DBUS activation on behalf of the user we want to authenticate.
If the (potential) vulnerability is in the case of SUID helpers, we can have this case closed. As I wrote somewhere above, Qt, since 5.3, aborts the action if the Q*Application is SUID. Applications can explicitly override this, but I am happy to add a patch to our Qt5 packages that would also disallow even that.
https://bugzilla.novell.com/show_bug.cgi?id=864716#c38
--- Comment #38 from Bruno Friedmann
https://bugzilla.novell.com/show_bug.cgi?id=864716#c39
--- Comment #39 from Ismail Donmez
https://bugzilla.novell.com/show_bug.cgi?id=864716#c40
--- Comment #40 from Sebastian Krahmer
https://bugzilla.novell.com/show_bug.cgi?id=864716#c41
--- Comment #41 from Sebastian Krahmer
https://bugzilla.novell.com/show_bug.cgi?id=864716#c42
--- Comment #42 from Luca Beltrame
https://bugzilla.novell.com/show_bug.cgi?id=864716#c43
--- Comment #43 from Luca Beltrame
https://bugzilla.novell.com/show_bug.cgi?id=864716#c44
--- Comment #44 from Sebastian Krahmer
https://bugzilla.novell.com/show_bug.cgi?id=864716#c45
--- Comment #45 from Raymond Wooninck
https://bugzilla.novell.com/show_bug.cgi?id=864716#c46
--- Comment #46 from Luca Beltrame
https://bugzilla.novell.com/show_bug.cgi?id=864716#c47
--- Comment #47 from Sebastian Krahmer
https://bugzilla.novell.com/show_bug.cgi?id=864716#c48
--- Comment #48 from Luca Beltrame
https://bugzilla.novell.com/show_bug.cgi?id=864716#c49
--- Comment #49 from Luca Beltrame
https://bugzilla.novell.com/show_bug.cgi?id=864716#c50
--- Comment #50 from Luca Beltrame
https://bugzilla.novell.com/show_bug.cgi?id=864716#c51
--- Comment #51 from Luca Beltrame
https://bugzilla.novell.com/show_bug.cgi?id=864716#c52
--- Comment #52 from Ismail Donmez
Created an attachment (id=598877) --> (http://bugzilla.novell.com/attachment.cgi?id=598877) [details] Patch to KAuth
Patch by Martin Sandsmark from KDE. Is this what is needed?
Patch looks right but I am not an expert. NEEDINFO for Sebastian. Also could you please test the patched kdelibs and make sure systemsettings->clock still works as expected? Thanks a lot!
https://bugzilla.novell.com/show_bug.cgi?id=864716#c53
--- Comment #53 from Hrvoje Senjan
https://bugzilla.novell.com/show_bug.cgi?id=864716#c54
--- Comment #54 from Luca Beltrame
https://bugzilla.novell.com/show_bug.cgi?id=864716#c55
--- Comment #55 from Hrvoje Senjan
https://bugzilla.novell.com/show_bug.cgi?id=864716#c56
--- Comment #56 from Hrvoje Senjan
https://bugzilla.novell.com/show_bug.cgi?id=864716#c57
--- Comment #57 from Luca Beltrame
https://bugzilla.novell.com/show_bug.cgi?id=864716#c58
--- Comment #58 from Ismail Donmez
@Ismail: From a functional point of view, the patch works in both the KF5 and the kdelibs 4.x versions (tested: backlight helper for PM init, ksysguard process helper, date and time helper).
Thanks a lot for handling this. A crippled KDE means a black eye for openSUSE and SLE, for which we never wanted to cripple it in the first place.
All that's left to know if it addresses the security concerns.
As soon as Sebastian approves we can proceed. I'll handle the SLE side obviously.
https://bugzilla.novell.com/show_bug.cgi?id=864716#c59
--- Comment #59 from Marcus Meissner
https://bugzilla.novell.com/show_bug.cgi?id=864716#c60
--- Comment #60 from Luca Beltrame
https://bugzilla.novell.com/show_bug.cgi?id=864716#c61
--- Comment #61 from Luca Beltrame
https://bugzilla.novell.com/show_bug.cgi?id=864716#c62
--- Comment #62 from Luca Beltrame
https://bugzilla.novell.com/show_bug.cgi?id=864716#c63
--- Comment #63 from Marcus Meissner
https://bugzilla.novell.com/show_bug.cgi?id=864716#c64
--- Comment #64 from Hrvoje Senjan
Sebastian is not present on Thursday and Friday.
I am not so familiar with kauth/polkit.
Not sure if it is correct, we match the system busname (?) and not client identifiers?
Luca, did you also do negative checks? Like testing that stuff correctly gets forbidden or admin dialog popups?
(In reply to comment #63)
In case of successful authentication, one now gets e.g.:
polkitd[22395]: 06:46:24.368: Operator of unix-session:59 successfully authenticated as unix-user:root to gain ONE-SHOT authorization for action org.kde.ksysguard.processlisthelper.sendsignal for system-bus-name::1.3728 [/usr/bin/systemmonitor] (owned by unix-user:hrvoje)
In case of failure:
polkitd[22395]: Operator of unix-session:59 FAILED to authenticate to gain authorization for action org.kde.ksysguard.processlisthelper.sendsignal for system-bus-name::1.3885 [/usr/bin/systemmonitor] (owned by unix-user:hrvoje)
So this indeed looks like the procedure that was asked for ;-)
I think we are probably good for approval and I will do that. Many thanks for resolving this! (also to others involved!)
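The fix discussed in comment #16 and verified in comment #64 is that KAuth helpers now ask polkit to authorize a system-bus-name subject (the caller's unique D-Bus name, which the bus daemon vouches for) instead of a unix-process subject (a pid plus start time that the helper itself has to look up). The polkitd log lines quoted above make that visible: the subject after "for action ... for" reads system-bus-name::1.3728 rather than unix-process:PID:START-TIME. The following is an added example, not code from the bug, KDE or polkit: a small parser for those polkitd lines plus an audit that counts decisions and flags any org.kde.* action still authorized against a non-bus-name subject. The first two sample lines are the ones quoted in comment #64; the third, with a unix-process subject, is constructed here to show the pre-patch shape (the pid, start time and path in it are invented), and the exact wording of polkitd's log message is assumed to match the version quoted in the bug.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Sample input, constructed for this example. Lines 1 and 2 are the polkitd
# messages quoted in comment #64 of the bug; line 3 is invented to show a
# helper that still uses a unix-process (pid:start-time) subject.
SAMPLE_LOG = """\
polkitd[22395]: 06:46:24.368: Operator of unix-session:59 successfully authenticated as unix-user:root to gain ONE-SHOT authorization for action org.kde.ksysguard.processlisthelper.sendsignal for system-bus-name::1.3728 [/usr/bin/systemmonitor] (owned by unix-user:hrvoje)
polkitd[22395]: Operator of unix-session:59 FAILED to authenticate to gain authorization for action org.kde.ksysguard.processlisthelper.sendsignal for system-bus-name::1.3885 [/usr/bin/systemmonitor] (owned by unix-user:hrvoje)
polkitd[22395]: Operator of unix-session:59 successfully authenticated as unix-user:root to gain ONE-SHOT authorization for action org.kde.example.helper.action for unix-process:4242:1234567 [/usr/bin/example] (owned by unix-user:hrvoje)
"""

# Matches the two message shapes quoted in the bug (success / FAILED). The
# subject token is everything up to the "[exe]" bracket, so it works for
# system-bus-name::1.N as well as unix-process:PID:START-TIME.
_LINE = re.compile(
    r"Operator of (?P<operator>\S+) "
    r"(?:successfully authenticated as (?P<as_user>\S+)|(?P<failed>FAILED to authenticate)) "
    r"to gain (?:(?P<oneshot>ONE-SHOT) )?authorization for action (?P<action>\S+) "
    r"for (?P<subject>\S+) \[(?P<exe>[^\]]*)\] \(owned by (?P<owner>[^)]+)\)"
)


@dataclass
class AuthEvent:
    operator: str            # who answered the auth dialog, e.g. unix-session:59
    success: bool
    as_user: Optional[str]   # unix-user:root on success, None on failure
    one_shot: bool
    action: str              # polkit action id the helper asked for
    subject_kind: str        # system-bus-name / unix-process / unix-session
    subject_id: str          # bus name (":1.3728") or "PID:START-TIME"
    exe: str                 # executable polkit resolved for the subject
    owner: str               # unix-user owning the subject


def parse_polkit_line(line: str) -> Optional[AuthEvent]:
    """Parse one polkitd authentication line; None if it is not one."""
    m = _LINE.search(line)
    if not m:
        return None
    # "system-bus-name::1.3728" -> kind "system-bus-name", id ":1.3728"
    kind, _, ident = m.group("subject").partition(":")
    return AuthEvent(
        operator=m.group("operator"),
        success=m.group("failed") is None,
        as_user=m.group("as_user"),
        one_shot=m.group("oneshot") is not None,
        action=m.group("action"),
        subject_kind=kind,
        subject_id=ident,
        exe=m.group("exe"),
        owner=m.group("owner"),
    )


def audit(lines: Iterable[str], action_prefix: str = "org.kde.") -> dict:
    """Count decisions for actions under action_prefix (assumed prefix for
    KAuth helpers) and list any that were authorized against a subject
    other than system-bus-name, i.e. a helper still identified by pid."""
    succeeded = failed = 0
    non_bus_name = []
    for line in lines:
        ev = parse_polkit_line(line)
        if ev is None or not ev.action.startswith(action_prefix):
            continue
        if ev.success:
            succeeded += 1
        else:
            failed += 1
        if ev.subject_kind != "system-bus-name":
            non_bus_name.append((ev.action, f"{ev.subject_kind}:{ev.subject_id}"))
    return {"succeeded": succeeded, "failed": failed,
            "non_bus_name_subjects": non_bus_name}


if __name__ == "__main__":
    report = audit(SAMPLE_LOG.splitlines())
    print(f"succeeded={report['succeeded']} failed={report['failed']}")
    for action, subject in report["non_bus_name_subjects"]:
        print(f"WARNING: {action} authorized for {subject} (not a system-bus-name subject)")
```

Run against the real journal with something like `journalctl -u polkit -o cat | python3 audit.py` once the script reads stdin; an empty `non_bus_name_subjects` list after the patched KAuth is installed confirms the helpers are going through the subject type Sebastian asked for, and the success/failure counts give the negative-check evidence Marcus requested in comment #63.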
https://bugzilla.novell.com/show_bug.cgi?id=864716#c65
--- Comment #65 from Bernhard Wiedemann
https://bugzilla.novell.com/show_bug.cgi?id=864716#c66
--- Comment #66 from Bernhard Wiedemann
https://bugzilla.novell.com/show_bug.cgi?id=864716#c67
--- Comment #67 from Sebastian Krahmer
https://bugzilla.novell.com/show_bug.cgi?id=864716#c68
--- Comment #68 from Sebastian Krahmer
https://bugzilla.novell.com/show_bug.cgi?id=864716#c69
--- Comment #69 from Luca Beltrame
https://bugzilla.novell.com/show_bug.cgi?id=864716#c70
--- Comment #70 from Sebastian Krahmer
https://bugzilla.novell.com/show_bug.cgi?id=864716#c71
--- Comment #71 from Ismail Donmez
https://bugzilla.novell.com/show_bug.cgi?id=864716#c72
--- Comment #72 from Luca Beltrame
https://bugzilla.novell.com/show_bug.cgi?id=864716#c73
--- Comment #73 from Hrvoje Senjan
FYI, the patch has been merged upstream for 4.13, 4.14 and KF5.
Once we get a CVE, I'll start maintenance SRs for 12.3 and 13.1. This one can be closed now though.
https://bugzilla.novell.com/show_bug.cgi?id=864716#c75
--- Comment #75 from Sebastian Krahmer
https://bugzilla.novell.com/show_bug.cgi?id=864716#c76
--- Comment #76 from Bernhard Wiedemann
https://bugzilla.novell.com/show_bug.cgi?id=864716#c
Swamp Workflow Management
https://bugzilla.novell.com/show_bug.cgi?id=864716#c77
--- Comment #77 from Swamp Workflow Management
Peter B
Swamp Workflow Management