[Bug 1204026] New: AUDIT-0: fwupd: review of 2 new polkit-untracked-privilege - fwupd version 1.8.5
http://bugzilla.opensuse.org/show_bug.cgi?id=1204026

Bug ID: 1204026
Summary: AUDIT-0: fwupd: review of 2 new polkit-untracked-privilege - fwupd version 1.8.5
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Basesystem
Assignee: screening-team-bugs@suse.de
Reporter: bjorn.lie@gmail.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

New update of fwupd brings new privs - please review.

fwupd.x86_64: E: polkit-untracked-privilege (Badness: 10) org.freedesktop.fwupd.get-bios-settings (auth_admin:no:auth_admin_keep)
fwupd.x86_64: E: polkit-untracked-privilege (Badness: 10) org.freedesktop.fwupd.set-bios-settings (auth_admin:no:auth_admin)

Updated package can be found in https://build.opensuse.org/package/show/home:iznogood:branches:Base:System/f... aka branch of Base:System/fwupd

Upstream git https://github.com/fwupd/fwupd

-- You are receiving this mail because: You are on the CC list for the bug.
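The rpmlint finding above reports each polkit action with its default authorization triple (allow_any:allow_inactive:allow_active) and flags it because the action is not yet listed in the distribution's polkit-default-privs whitelist. The following is an added example, not code from the bug or from fwupd, that reproduces that check offline: it reads the defaults from a constructed .policy file modelled on the two fwupd actions and compares them against a constructed whitelist. It assumes the whitelist format is one "action-id level" line per action, where the level is either a single value or an any:inactive:active triple.

```python
import xml.etree.ElementTree as ET

# Constructed sample .policy file, modelled on the two actions named in the bug report.
POLICY_XML = """<policyconfig>
  <action id="org.freedesktop.fwupd.get-bios-settings">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
  <action id="org.freedesktop.fwupd.set-bios-settings">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin</allow_active>
    </defaults>
  </action>
</policyconfig>"""

# Constructed whitelist; only the read action has been tracked so far (assumed format).
WHITELIST = """# action-id   allow_any:allow_inactive:allow_active
org.freedesktop.fwupd.get-bios-settings auth_admin:no:auth_admin_keep
"""

def policy_defaults(xml_text):
    """Map action id -> 'allow_any:allow_inactive:allow_active' as declared in a .policy file.
    polkit treats a missing <allow_*> element as 'no', so that is used as the fallback."""
    result = {}
    for action in ET.fromstring(xml_text).iter("action"):
        defaults = action.find("defaults")
        levels = [(defaults.findtext(tag) or "no").strip() if defaults is not None else "no"
                  for tag in ("allow_any", "allow_inactive", "allow_active")]
        result[action.get("id")] = ":".join(levels)
    return result

def parse_whitelist(text):
    """Map action id -> triple; a single level is expanded to all three contexts."""
    tracked = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) != 2:
            continue  # blank line, comment, or malformed entry
        level = fields[1] if ":" in fields[1] else ":".join([fields[1]] * 3)
        tracked[fields[0]] = level
    return tracked

def untracked_privileges(policy, whitelist):
    """Return (action, declared_triple, reason) for actions the whitelist does not cover."""
    findings = []
    for action, triple in sorted(policy.items()):
        known = whitelist.get(action)
        if known is None:
            findings.append((action, triple, "untracked"))
        elif known != triple:
            findings.append((action, triple, "mismatch: whitelist has " + known))
    return findings
```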
http://bugzilla.opensuse.org/show_bug.cgi?id=1204026#c1

Bjørn Lie <bjorn.lie@gmail.com> changed:

What        |Removed                     |Added
----------------------------------------------------------------------------
CC          |                            |dimstar@opensuse.org,
            |                            |glin@suse.com,
            |                            |jlee@suse.com,
            |                            |meissner@suse.com
Assignee    |screening-team-bugs@suse.de |security-team@suse.de

--- Comment #1 from Bjørn Lie <bjorn.lie@gmail.com> ---
Assigning to sec-team + adding fwupd maintainers to CC list
Joey Lee <jlee@suse.com> changed:

What        |Removed                     |Added
----------------------------------------------------------------------------
CC          |                            |dennis.tseng@suse.com
Frank Krüger <fkrueger@mailbox.org> changed:

What        |Removed                     |Added
----------------------------------------------------------------------------
CC          |                            |fkrueger@mailbox.org
http://bugzilla.opensuse.org/show_bug.cgi?id=1204026#c4

--- Comment #4 from Bjørn Lie <bjorn.lie@gmail.com> ---
(In reply to Matthias Gerstner from comment #3)
> Still I would like to ask you to check with upstream what they intend to achieve with such logic. There is a certain danger that future coders interpret this flag wrongly and use it also in privileged D-Bus functions.
>
> I'm not sure whether getting BIOS settings is not also already to some level privileged. But fwupd is rather lax in other areas already when it comes to obtaining system information without authentication.
>
> Please get in contact with upstream about this before I whitelist the new actions.

I could do that, but frankly since I do not know nor understand the security implications, it would mean that I'd just have to copy-paste the reply from here as a question in an issue. It would probably be a lot more fruitful if you, as a person who understands these matters, did that yourself.
http://bugzilla.opensuse.org/show_bug.cgi?id=1204026#c5

--- Comment #5 from Bjørn Lie <bjorn.lie@gmail.com> ---
Upstream url https://github.com/fwupd/fwupd
http://bugzilla.opensuse.org/show_bug.cgi?id=1204026#c8

--- Comment #8 from OBSbugzilla Bot <bwiedemann+obsbugzillabot@suse.com> ---
This is an autogenerated message for OBS integration:
This bug (1204026) was mentioned in
https://build.opensuse.org/request/show/1029704 Factory / polkit-default-privs
http://bugzilla.opensuse.org/show_bug.cgi?id=1204026#c9

--- Comment #9 from Bjørn Lie <bjorn.lie@gmail.com> ---
That is great news! Thank you very much for handling this in an exemplary manner.
http://bugzilla.opensuse.org/show_bug.cgi?id=1204026#c10

Bjørn Lie <bjorn.lie@gmail.com> changed:

What        |Removed      |Added
----------------------------------------------------------------------------
Status      |IN_PROGRESS  |RESOLVED
Resolution  |---          |FIXED

--- Comment #10 from Bjørn Lie <bjorn.lie@gmail.com> ---
Closing as resolved fixed, whitelisting in Factory + fwupd update on its way there.