[Bug 1204026] New: AUDIT-0: fwupd: review of 2 new polkit-untracked-privilege - fwupd version 1.8.5
http://bugzilla.opensuse.org/show_bug.cgi?id=1204026 Bug ID: 1204026 Summary: AUDIT-0: fwupd: review of 2 new polkit-untracked-privilege - fwupd version 1.8.5 Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Basesystem Assignee: screening-team-bugs@suse.de Reporter: bjorn.lie@gmail.com QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- New update of fwupd brings new privs - please review. fwupd.x86_64: E: polkit-untracked-privilege (Badness: 10) org.freedesktop.fwupd.get-bios-settings (auth_admin:no:auth_admin_keep) fwupd.x86_64: E: polkit-untracked-privilege (Badness: 10) org.freedesktop.fwupd.set-bios-settings (auth_admin:no:auth_admin) Updated package can be found in https://build.opensuse.org/package/show/home:iznogood:branches:Base:System/f... aka branch of Base:System/fwupd Upstream git https://github.com/fwupd/fwupd -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1204026
http://bugzilla.opensuse.org/show_bug.cgi?id=1204026#c1
Bj�rn Lie
http://bugzilla.opensuse.org/show_bug.cgi?id=1204026
Joey Lee
http://bugzilla.opensuse.org/show_bug.cgi?id=1204026
Frank Kr�ger
http://bugzilla.opensuse.org/show_bug.cgi?id=1204026
http://bugzilla.opensuse.org/show_bug.cgi?id=1204026#c4
--- Comment #4 from Bj�rn Lie
Still I would like to ask you to check with upstream what they intend to achieve with such logic. There is a certain danger that future coders interpret this flag wrongly and use it also in privileged D-Bus functions.
I'm not sure whether getting BIOS settings is not also already to some level privileged. But fwupd is rather lax in other areas already when it comes to obtaining system information without authentication.
Please get in contact with upstream about this before I whitelist the new actions.
I could do that, but frankly since I do not know nor understand the security implications, it would mean that I'd just have to copypaste the reply from here as a question in a issue. It would probably be a lot more fruitful if you as a person who understands these matters did that yourself. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1204026
http://bugzilla.opensuse.org/show_bug.cgi?id=1204026#c5
--- Comment #5 from Bj�rn Lie
http://bugzilla.opensuse.org/show_bug.cgi?id=1204026
http://bugzilla.opensuse.org/show_bug.cgi?id=1204026#c8
--- Comment #8 from OBSbugzilla Bot
http://bugzilla.opensuse.org/show_bug.cgi?id=1204026
http://bugzilla.opensuse.org/show_bug.cgi?id=1204026#c9
--- Comment #9 from Bj�rn Lie
http://bugzilla.opensuse.org/show_bug.cgi?id=1204026
http://bugzilla.opensuse.org/show_bug.cgi?id=1204026#c10
Bj�rn Lie
participants (1)
-
bugzilla_noreply@suse.com