http://bugzilla.suse.com/show_bug.cgi?id=1125438 http://bugzilla.suse.com/show_bug.cgi?id=1125438#c1 Franck Bui changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |IN_PROGRESS CC| |fbui@suse.com --- Comment #1 from Franck Bui --- (In reply to Matthias Gerstner from comment #0)

As explained in bug 1125314 we are currently reviewing all rules files installed in /usr/share/polkit-1/rules.d. systemd installs the file /usr/share/polkit-1/rules.d/systemd-networkd.rules.

This file allows the user 'systemd-network' to perform any of the following polkit actions without password entry:

- org.freedesktop.hostname1.set-hostname - org.freedesktop.timedate1.set-timezone

Since this file does not start with a suitable number prefix it is currently ineffective, because our polkit-default-privs take precedence.

Indeed.

Can you tell in which context this systemd-network user requires these actions?

It's used by systemd-networkd in case hostname is received from the DHCP server. Similarly the timezone can be received from the DHCP server and if user explicitly allowed it, see man systemd.network.

Which process is running as this user?

Service "systemd-networkd" is run as this user.

I couldn't find any in my running Tumbleweed installation.

By default systemd-networkd is not enabled (wicked is the default network manager).

It could be that some feature is broken due to this rules file not being effective. We should review the security implications and either rename this file to something like '20-systemd-networkd.rules' and then whitelist it. Or if it is not strictly needed we should remove or move the file to /usr/share/doc as an example file.

I think we should rename the polkit rule file as systemd-networkd might need to set hostname/timezone as described above. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1125438 http://bugzilla.suse.com/show_bug.cgi?id=1125438#c3 --- Comment #3 from Franck Bui --- So the plan is to whitelist networkd accesses in the default polkit rule file ? Or should systemd-networkd.rules be renamed so it takes precedence over the default rules ? The downside of the former is that we can easily miss new method access. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1125438 http://bugzilla.suse.com/show_bug.cgi?id=1125438#c5 --- Comment #5 from Franck Bui --- Ok I see, let me know when I should rename the rule file, thanks. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1125438 http://bugzilla.suse.com/show_bug.cgi?id=1125438#c7 --- Comment #7 from Franck Bui --- Matthias, FYI, the rule files has been renamed, see https://build.opensuse.org/package/rdiff/Base:System/systemd?linkrev=base&rev=1057 -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1125438 http://bugzilla.suse.com/show_bug.cgi?id=1125438#c9 Matthias Gerstner changed: What |Removed |Added ---------------------------------------------------------------------------- Status|IN_PROGRESS |RESOLVED Resolution|--- |FIXED --- Comment #9 from Matthias Gerstner --- The new rpmlint-check is active by now in Factory and generates a warning for files in rules.d directories not yet whitelisted. Since everything should be in place I've whitelisted this systemd rules file and it is on its way to Factory via sr#685391. Please note that the new whitelisting mechanism is quite strict and also verifies the file's content. This means if the content changes we will need a follow-up review. This should conclude this bug. If you have an issues, simply reopen. Thank you for your help in implementing this. -- You are receiving this mail because: You are on the CC list for the bug.