[Bug 704997] New: Users can hibernate system as non-root
https://bugzilla.novell.com/show_bug.cgi?id=704997#c0

Summary: Users can hibernate system as non-root
Classification: openSUSE
Product: openSUSE 12.1
Version: Factory
Platform: Other
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: KDE4 Workspace
AssignedTo: kde-maintainers@suse.de
ReportedBy: houghi@houghi.org
QAContact: qa@suse.de
Found By: ---
Blocker: ---
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:5.0) Gecko/20100101 Firefox/5.0

When in YaST the Boot Settings in Security Center is set to Root as shutdown behavior, Shut down and Restart require a root password to actually reboot or shut down. This is the expected behavior. However, hibernate can still be done as user. This causes problems with multi-user systems as any user could make the system unavailable.

Reproducible: Always

Steps to Reproduce:
1. Yast, Security and Users, Security Center and Hardening, Boot settings
2. Set 'Shutdown Behavior of KDM Login Manager' to root.
3. Reboot first to make the setting stick
4. Log in as user
5. Instead of shutdown, select hibernate.

Actual Results: System will be offline in hibernate mode.

Expected Results: The root password should be asked before the system can be taken offline.

Not sure if this is a KDE or YaST issue.

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=704997#c1

Christian Trippe <ctrippe@opensuse.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ctrippe@opensuse.org
          Component|KDE4 Workspace              |YaST2
         AssignedTo|kde-maintainers@suse.de     |bnc-team-screening@forge.provo.novell.com
          QAContact|qa@suse.de                  |jsrain@novell.com

--- Comment #1 from Christian Trippe <ctrippe@opensuse.org> 2011-08-07 19:40:57 UTC ---
I would guess this belongs to YaST

https://bugzilla.novell.com/show_bug.cgi?id=704997

zj jia <zjjia@novell.com> changed:

           What    |Removed                                   |Added
----------------------------------------------------------------------------
                 CC|                                          |zjjia@novell.com
         AssignedTo|bnc-team-screening@forge.provo.novell.com |yast2-maintainers@suse.de

https://bugzilla.novell.com/show_bug.cgi?id=704997#c2

Thomas Fehr <fehr@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|yast2-maintainers@suse.de   |jsuchome@novell.com

--- Comment #2 from Thomas Fehr <fehr@novell.com> 2011-08-09 09:46:39 UTC ---
Reassigned to maintainer of yast2-security

https://bugzilla.novell.com/show_bug.cgi?id=704997#c3

Jiří Suchomel <jsuchome@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
       InfoProvider|                            |lnussel@novell.com

--- Comment #3 from Jiří Suchomel <jsuchome@novell.com> 2011-08-09 12:12:24 UTC ---
Ludwig, do you know if this could be configured by some general settings (so it could be in YaST) or is it desktop specific?

https://bugzilla.novell.com/show_bug.cgi?id=704997#c4

Ludwig Nussel <lnussel@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW
                 CC|                            |lnussel@novell.com
       InfoProvider|lnussel@novell.com          |

--- Comment #4 from Ludwig Nussel <lnussel@novell.com> 2011-08-22 11:10:30 CEST ---
I suppose you need to set org.freedesktop.upower.hibernate to auth_admin. That should be desktop neutral.

https://bugzilla.novell.com/show_bug.cgi?id=704997#c5

Jiří Suchomel <jsuchome@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
       InfoProvider|                            |lnussel@suse.com

--- Comment #5 from Jiří Suchomel <jsuchome@suse.com> 2011-08-26 13:40:12 UTC ---
Which package does contain this rule?

https://bugzilla.novell.com/show_bug.cgi?id=704997#c6

Ludwig Nussel <lnussel@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW
       InfoProvider|lnussel@suse.com            |

--- Comment #6 from Ludwig Nussel <lnussel@suse.com> 2011-08-26 15:54:07 CEST ---
upower, but that doesn't help you much. The easiest way probably is to write the setting to /etc/polkit-default-privs.local and call set_polkit_default_privs.

https://bugzilla.novell.com/show_bug.cgi?id=704997#c7

Jiří Suchomel <jsuchome@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
       InfoProvider|                            |lnussel@suse.com

--- Comment #7 from Jiří Suchomel <jsuchome@suse.com> 2011-08-29 13:31:58 UTC ---
(In reply to comment #4)
> I suppose you need to set org.freedesktop.upower.hibernate to auth_admin.
> That should be desktop neutral.

Setting auth_admin value when? This means root authentication is required before the action, right? Shouldn't it be default behavior?

And what should YaST offer as alternatives? Shouldn't it be similar/same as DISPLAYMANAGER_SHUTDOWN handling, as mentioned in the report? And I do not mean only 'similar/same' in YaST, but also in system: should we have a sysconfig value for one action (shutdown) and handle polkit permission for another one?

https://bugzilla.novell.com/show_bug.cgi?id=704997#c8

Ludwig Nussel <lnussel@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW
       InfoProvider|lnussel@suse.com            |

--- Comment #8 from Ludwig Nussel <lnussel@suse.com> 2011-08-29 16:17:15 CEST ---
(In reply to comment #7)
> (In reply to comment #4)
> > I suppose you need to set org.freedesktop.upower.hibernate to auth_admin.
> > That should be desktop neutral.
>
> Setting auth_admin value when? This means root authentication is required
> before the action, right? Shouldn't it be default behavior?

The default is to allow the user on the active console to hibernate, suspend and shutdown. Users not on the active console or remote logins have to authenticate as root (auth_admin:auth_admin:yes).

> And what should YaST offer as alternatives?

Sensible choices are probably

  auth_admin:auth_admin:auth_admin (=> require authentication always)
  yes:yes:yes                      (=> allow anyone to perform the action)
  auth_admin:auth_admin:yes        (=> user on the active console is allowed)

> Shouldn't it be similar/same as DISPLAYMANAGER_SHUTDOWN handling, as
> mentioned in the report? And I do not mean only 'similar/same' in YaST, but
> also in system: should we have a sysconfig value for one action (shutdown)
> and handle polkit permission for another one?

The sysconfig value only exists for legacy reasons. It should be removed and only polkit actions be used IMO. That requires kdm to support polkit though. Alternatively, don't allow configuring individual polkit settings at all but only allow switching the profile (standard vs restrictive).

https://bugzilla.novell.com/show_bug.cgi?id=704997#c9

--- Comment #9 from hou ghi <houghi@houghi.org> 2011-08-29 18:45:05 UTC ---
(In reply to comment #8)
> > > I suppose you need to set org.freedesktop.upower.hibernate to auth_admin.
> > > That should be desktop neutral.

That would be best, because then GDM, XDM and others should also follow the rules.

(In reply to comment #8)
> Sensible choices are probably
>
>   auth_admin:auth_admin:auth_admin (=> require authentication always)
>   yes:yes:yes                      (=> allow anyone to perform the action)
>   auth_admin:auth_admin:yes        (=> user on the active console is allowed)

The last as default would be preferred, as it is only in certain situations where this will be unwanted.

> The sysconfig value only exists for legacy reasons. It should be removed and
> only polkit actions be used IMO. That requires kdm to support polkit though.
> Alternatively, don't allow configuring individual polkit settings at all but
> only allow switching the profile (standard vs restrictive).

As long as it is easy to find and settings are consistent, from an opensuse-user point of view it does not matter. YaST would be great. If it is in Security and Users or in the /etc/sysconfig Editor does not matter.

https://bugzilla.novell.com/show_bug.cgi?id=704997

Jiří Suchomel <jsuchome@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

https://bugzilla.novell.com/show_bug.cgi?id=704997#c10

Jiří Suchomel <jsuchome@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |NEEDINFO
       InfoProvider|                            |lnussel@suse.com

--- Comment #10 from Jiří Suchomel <jsuchome@suse.com> 2011-09-14 06:50:09 UTC ---
> Sensible choices are probably
>
>   auth_admin:auth_admin:auth_admin (=> require authentication always)
>   yes:yes:yes                      (=> allow anyone to perform the action)
>   auth_admin:auth_admin:yes        (=> user on the active console is allowed)

Thanks. How do I read the current state of org.freedesktop.upower.hibernate? Is there some polkit command for it?

https://bugzilla.novell.com/show_bug.cgi?id=704997#c11

--- Comment #11 from Jiří Suchomel <jsuchome@suse.com> 2011-09-15 07:33:11 UTC ---
(In reply to comment #10)
> How do I read the current state of org.freedesktop.upower.hibernate? Is there
> some polkit command for it?

Or, is /etc/polkit-default-privs.local the only place that stores this value?

https://bugzilla.novell.com/show_bug.cgi?id=704997#c12

Ludwig Nussel <lnussel@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |ASSIGNED
       InfoProvider|lnussel@suse.com            |

--- Comment #12 from Ludwig Nussel <lnussel@suse.com> 2011-09-16 10:02:16 CEST ---
There is no command AFAIK. It's not that simple anyway; see man pklocalauthority :-/

The polkit-default-privs mechanism just provides the distro default. An admin could reconfigure polkit manually in any creative way. That's next to impossible to manage in a tool I guess.

https://bugzilla.novell.com/show_bug.cgi?id=704997#c13

Jiří Suchomel <jsuchome@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |NEEDINFO
       InfoProvider|                            |lnussel@suse.com

--- Comment #13 from Jiří Suchomel <jsuchome@suse.com> 2011-09-16 08:11:56 UTC ---
So is it fine if YaST just reads/writes /etc/polkit-default-privs.local?

https://bugzilla.novell.com/show_bug.cgi?id=704997#c14

Ludwig Nussel <lnussel@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |ASSIGNED
       InfoProvider|lnussel@suse.com            |

--- Comment #14 from Ludwig Nussel <lnussel@suse.com> 2011-09-16 10:31:20 CEST ---
IMHO yes.

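The mechanism the thread settles on (comment #6: write the action's value to /etc/polkit-default-privs.local and call set_polkit_default_privs; comment #8: the three sensible triples; comment #14: the tool may simply read and write that file), as an added POSIX shell example that is not code from the bug thread or from yast2-security. The helper names, the temp file standing in for the real file, and the any:inactive:active field order are assumptions made here; on a real system set_polkit_default_privs must be run as root after the edit, and, as comment #12 notes, this only sets the distribution default and cannot see manual polkit overrides.

```shell
#!/bin/sh
# Added example (not from the bug thread or yast2-security): read and write one
# action's entry in a polkit-default-privs style file. The real target is
# /etc/polkit-default-privs.local; the demo below uses a constructed temp file.

# The three choices from comment #8. Field order any:inactive:active session
# is assumed from the polkit-default-privs format.
ALLOWED="auth_admin:auth_admin:auth_admin yes:yes:yes auth_admin:auth_admin:yes"

# get_polkit_priv FILE ACTION: print the configured value, or "unset" if the
# file has no line for ACTION (answers the question in comment #10/#11: the
# file itself is the only place this default is recorded).
get_polkit_priv() {
    file=$1; action=$2
    val=$(awk -v a="$action" '$1 == a { v = $2 } END { print v }' "$file" 2>/dev/null)
    [ -n "$val" ] && printf '%s\n' "$val" || printf 'unset\n'
}

# set_polkit_priv FILE ACTION VALUE: replace any existing line for ACTION and
# append the new one. Refuses values outside the three known triples so a
# tool cannot write a malformed privilege line; returns 1 in that case.
set_polkit_priv() {
    file=$1; action=$2; value=$3
    ok=0
    for v in $ALLOWED; do [ "$v" = "$value" ] && ok=1; done
    [ "$ok" -eq 1 ] || { echo "refusing unknown value: $value" >&2; return 1; }
    tmp="$file.tmp.$$"
    # Keep comments and other actions, drop the old line for this action,
    # then append the new setting; rename into place so the file is never partial.
    { [ -f "$file" ] && awk -v a="$action" '$1 != a' "$file"
      printf '%s %s\n' "$action" "$value"; } > "$tmp" && mv "$tmp" "$file"
}

# Demo on a constructed temp file: lock hibernate to root authentication
# always, then read it back. On the real file, follow with set_polkit_default_privs.
demo() {
    f=$(mktemp)
    printf '# local overrides (constructed sample)\norg.freedesktop.upower.suspend auth_admin:auth_admin:yes\n' > "$f"
    set_polkit_priv "$f" org.freedesktop.upower.hibernate auth_admin:auth_admin:auth_admin
    get_polkit_priv "$f" org.freedesktop.upower.hibernate
    rm -f "$f"
}

demo
```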
https://bugzilla.novell.com/show_bug.cgi?id=704997#c15

Jiří Suchomel <jsuchome@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED

--- Comment #15 from Jiří Suchomel <jsuchome@suse.com> 2011-09-16 08:40:57 UTC ---
OK, done in yast2-security-2.21.3

https://bugzilla.novell.com/show_bug.cgi?id=704997#c16

--- Comment #16 from Bernhard Wiedemann <bwiedemann@suse.com> 2011-09-16 11:00:09 CEST ---
This is an autogenerated message for OBS integration:
This bug (704997) was mentioned in
https://build.opensuse.org/request/show/82297 Factory / yast2-security

https://bugzilla.novell.com/show_bug.cgi?id=704997#c17

--- Comment #17 from Bernhard Wiedemann <bwiedemann@suse.com> 2011-09-19 16:00:09 CEST ---
This is an autogenerated message for OBS integration:
This bug (704997) was mentioned in
https://build.opensuse.org/request/show/83567 Factory / yast2-security
