[Bug 1205607] New: kio-admin: Review polkit/dbus policies
http://bugzilla.opensuse.org/show_bug.cgi?id=1205607

Bug ID: 1205607
Summary: kio-admin: Review polkit/dbus policies
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: fabian@ritter-vogt.de
QA Contact: qa-bugs@suse.de
CC: opensuse-kde-bugs@opensuse.org
Found By: ---
Blocker: ---

kio-admin is a KIO protocol which allows to perform operations on files with root permissions.
https://invent.kde.org/system/kio-admin

Currently built at https://build.opensuse.org/package/show/home:Vogtinator:kio-admin/kio-admin, but should be available as https://build.opensuse.org/package/show/KDE:Extra/kio-admin soon.

kio-admin.x86_64: E: polkit-untracked-privilege (Badness: 10) org.kde.kio.admin.commands (no:no:auth_admin_keep)
kio-admin.x86_64: E: dbus-file-unauthorized (Badness: 10) /usr/share/dbus-1/system.d/org.kde.kio.admin.conf (sha256 file digest default filter:f2ab0c179b522385dbe16b52da5bbac09fc97bf11385d735724c7bd42b2a1154 shell filter:9cd5b6a4d75826760739481727d1d2e5d5b0b7ed7bac420d2d55cee4733b4607 xml filter:27fe3098931a301fcbe871e319f8fd6e50138447dec1080935151c41b29703c9)
kio-admin.x86_64: E: dbus-file-unauthorized (Badness: 10) /usr/share/dbus-1/system-services/org.kde.kio.admin.service (sha256 file digest default filter:761336d6c9cb715d1e8c4fcedecdf1f5f73a251607e782a64f82e4fd38d94635 shell filter:9d258158403c4f735a94895a1cf681dc6e51a14d033e7ab567b063e7840db50d xml filter:<failed-to-calculate>)

--
You are receiving this mail because:
You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1205607
http://bugzilla.opensuse.org/show_bug.cgi?id=1205607#c2

--- Comment #2 from Fabian Vogt <fabian@ritter-vogt.de> ---

This is actually a separate development from the original approach to including that inside file://. While the previous design had a small helper used by file://:

KIO -> file:// -> helper

This one is a separate protocol which internally uses file:// as root:

KIO -> admin:// -> helper -> KIO -> file://

https://apachelog.wordpress.com/2022/08/04/kio-admin/ has a short explanation.
So this seems to be the release of the long-standing efforts to generalize privileged file operations in KDE. It has about 1.500 lines of C++ code.
I tried to give some advice to the upstream devs but it seems it didn't help much on the design level. There is only a single polkit authorization rule 'org.kde.kio.admin.commands' for _all_ of the file operations. And given this, there are naturally no transparent authentication messages. This means end users will once more authenticate unknown file system operations in unknown locations. And based on the `auth_admin_keep` Polkit setting, an arbitrary number of arbitrary follow-up operations can ensue.
The operations are split over separate DBus paths, so I imagine they could be split in polkit as well.
Design-wise kio-admin is now more or less a copy of what gvfs-admin is for Gnome. Given this model, future uses of these facilities are also beyond our monitoring. We can attempt to check how much gvfs-admin is already used in Gnome software to get a better feeling for how much that is. I have a gut feeling that for KDE the future use will be more extensive than it is or will be on Gnome. The KDE development culture seems to embrace the use of frameworks and integration more than Gnome does.
FWICT this is meant to be used directly by the user, not internally by applications.
Since accompanying the upstream development process also didn't help in getting an improved design, I don't see many other possibilities here than to accept it the way it is. I will discuss with the rest of the team first, though. A basic review of the code is also still required.
While this is an independent implementation by someone who was not directly involved in the other (meanwhile abandoned?) approach, this is more flexible because it's not intertwined with core KIO code. Requesting design changes should be much easier here.
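The `(no:no:auth_admin_keep)` triple in the rpmlint line and the single-action concern raised in the thread can be checked directly against a polkit policy file. The following Python sketch is an added example, not code from the thread, rpmlint or kio-admin. Its sample policy is constructed: only the action id and the three default values come from the report, and the function names and message text are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the action id and the no:no:auth_admin_keep defaults are
# taken from the rpmlint line in the report; the message text is made up.
SAMPLE_POLICY = """\
<policyconfig>
  <action id="org.kde.kio.admin.commands">
    <message>Authentication is required</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
</policyconfig>
"""

SESSIONS = ("allow_any", "allow_inactive", "allow_active")
VALID = {"no", "yes", "auth_self", "auth_admin", "auth_self_keep", "auth_admin_keep"}

def review_policy(xml_text):
    """Return one finding per <action>: id, defaults triple, risky settings."""
    findings = []
    for action in ET.fromstring(xml_text).iter("action"):
        defaults = action.find("defaults")
        values = []
        for session in SESSIONS:
            # Choice made by this example: a missing element is reported as "no".
            text = defaults.findtext(session, "no") if defaults is not None else "no"
            text = text.strip()
            if text not in VALID:
                raise ValueError(f"{action.get('id')}: bad {session} value {text!r}")
            values.append(text)
        findings.append({
            "id": action.get("id"),
            "triple": ":".join(values),  # same layout as the rpmlint output
            # *_keep: one successful authentication is kept for later requests
            "cached": [s for s, v in zip(SESSIONS, values) if v.endswith("_keep")],
            # yes: granted without any authentication
            "no_auth": [s for s, v in zip(SESSIONS, values) if v == "yes"],
        })
    return findings

def single_cached_action(findings):
    """True if the policy's only action keeps its authorization."""
    return len(findings) == 1 and bool(findings[0]["cached"])
```

For the sample, `review_policy(SAMPLE_POLICY)` reports the triple `no:no:auth_admin_keep` with `allow_active` listed under `cached`, and `single_cached_action` returns `True`, which is the combination the thread objects to.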