[Bug 1125438] New: AUDIT-0: systemd: status of /usr/share/polkit-1/rules.d/systemd-networkd.rules
http://bugzilla.suse.com/show_bug.cgi?id=1125438

Bug ID: 1125438
Summary: AUDIT-0: systemd: status of /usr/share/polkit-1/rules.d/systemd-networkd.rules
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: systemd-maintainers@suse.de
Reporter: matthias.gerstner@suse.com
QA Contact: qa-bugs@suse.de
CC: security-team@suse.de
Found By: ---
Blocker: ---

As explained in bug 1125314 we are currently reviewing all rules files installed in /usr/share/polkit-1/rules.d. systemd installs the file /usr/share/polkit-1/rules.d/systemd-networkd.rules.

This file allows the user 'systemd-network' to perform any of the following polkit actions without password entry:

- org.freedesktop.hostname1.set-hostname
- org.freedesktop.timedate1.set-timezone

Since this file does not start with a suitable number prefix it is currently ineffective, because our polkit-default-privs take precedence.

Can you tell in which context this systemd-network user requires these actions? Which process is running as this user? I couldn't find any in my running Tumbleweed installation.

It could be that some feature is broken due to this rules file not being effective. We should review the security implications and either rename this file to something like '20-systemd-networkd.rules' and then whitelist it. Or if it is not strictly needed we should remove or move the file to /usr/share/doc as an example file.

-- You are receiving this mail because: You are on the CC list for the bug.
--- Comment #1 from Franck Bui
> As explained in bug 1125314 we are currently reviewing all rules files installed in /usr/share/polkit-1/rules.d. systemd installs the file /usr/share/polkit-1/rules.d/systemd-networkd.rules.
>
> This file allows the user 'systemd-network' to perform any of the following polkit actions without password entry:
>
> - org.freedesktop.hostname1.set-hostname
> - org.freedesktop.timedate1.set-timezone
>
> Since this file does not start with a suitable number prefix it is currently ineffective, because our polkit-default-privs take precedence.
Indeed.
> Can you tell in which context this systemd-network user requires these actions?

It's used by systemd-networkd in case the hostname is received from the DHCP server. Similarly the timezone can be received from the DHCP server if the user explicitly allowed it, see man systemd.network.
> Which process is running as this user?
Service "systemd-networkd" is run as this user.
> I couldn't find any in my running Tumbleweed installation.
By default systemd-networkd is not enabled (wicked is the default network manager).
> It could be that some feature is broken due to this rules file not being effective. We should review the security implications and either rename this file to something like '20-systemd-networkd.rules' and then whitelist it. Or if it is not strictly needed we should remove or move the file to /usr/share/doc as an example file.

I think we should rename the polkit rule file as systemd-networkd might need to set hostname/timezone as described above.
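An added example, not part of the bug thread, of why the file name prefix decides whether the rule is effective: polkit loads rules files in lexical filename order and the first addRule() callback that returns a verdict wins, so a file without a digit prefix sorts after any "NN-" file. The default-privs file name and its rule body below are constructed stand-ins, not the real polkit-default-privs content; the networkd rule body reflects only what the report states (two actions, user systemd-network).

```javascript
// Minimal model of polkit's rules evaluation (constructed example, not polkit code).
// Real rules files call polkit.addRule(function(action, subject) {...}); a callback
// returning null/undefined has no opinion and evaluation continues with the next one.
function makePolkit() {
  const rules = [];
  return { addRule: (fn) => rules.push(fn), rules };
}

const AUDITED_ACTIONS = [
  "org.freedesktop.hostname1.set-hostname",
  "org.freedesktop.timedate1.set-timezone",
];

// Constructed stand-in for the distro default-privs rule: it answers for both
// actions unconditionally, so no rule loaded after it is ever consulted.
const DEFAULT_PRIVS = (polkit) => polkit.addRule((action, subject) => {
  if (AUDITED_ACTIONS.includes(action.id)) return "auth_admin";
  return null;
});

// The rule described in the report: only the systemd-network user is allowed.
const NETWORKD_RULE = (polkit) => polkit.addRule((action, subject) => {
  if (AUDITED_ACTIONS.includes(action.id) && subject.user === "systemd-network") {
    return "yes";
  }
  return null;
});

// Load the given files in sorted filename order and return the first verdict.
// `files` maps a rules file name to a function that registers its rules.
function resolve(files, actionId, user) {
  const polkit = makePolkit();
  Object.keys(files).sort().forEach((name) => files[name](polkit));
  for (const rule of polkit.rules) {
    const verdict = rule({ id: actionId }, { user });
    if (verdict != null) return verdict;
  }
  return "auth_admin"; // stand-in for the action's implicit default policy
}

// Before the rename: "90-..." sorts before "systemd-...", so the networkd rule is dead.
const BEFORE = { "90-default-privs.rules": DEFAULT_PRIVS, "systemd-networkd.rules": NETWORKD_RULE };
// After the rename proposed in the report: "20-..." sorts first and takes effect.
const AFTER = { "90-default-privs.rules": DEFAULT_PRIVS, "20-systemd-networkd.rules": NETWORKD_RULE };
```

Running resolve() on BEFORE yields "auth_admin" even for systemd-network, while AFTER yields "yes" for systemd-network and still "auth_admin" for any other user, which is the behaviour the rename is meant to restore without widening access.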
--- Comment #2 from Matthias Gerstner
--- Comment #3 from Franck Bui
--- Comment #4 from Matthias Gerstner
> So the plan is to whitelist networkd accesses in the default polkit rule file ?

I am about to introduce a new type of whitelisting for these rules files. It will be independent of the current polkit-default-privs.

> Or should systemd-networkd.rules be renamed so it takes precedence over the default rules ?

We will do both, rename the file so it takes precedence and this new name will have to be whitelisted so you don't get any rpmlint errors in the future.
--- Comment #5 from Franck Bui
--- Comment #6 from Matthias Gerstner
--- Comment #7 from Franck Bui
--- Comment #8 from Matthias Gerstner
> FYI, the rule file has been renamed

Thank you, I will add it to the whitelisting mechanism once everything has made it to Factory.
--- Comment #9 from Matthias Gerstner
--- Comment #10 from Swamp Workflow Management