[Bug 779404] New: polkit-untracked-privilege and polkit-unauthorized-privilege warnings for new udisks
https://bugzilla.novell.com/show_bug.cgi?id=779404#c0

Summary: polkit-untracked-privilege and polkit-unauthorized-privilege warnings for new udisks
Classification: openSUSE
Product: openSUSE 12.2
Version: Final
Platform: Other
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: GNOME
AssignedTo: lnussel@suse.com
ReportedBy: vuntz@suse.com
QAContact: qa-bugs@suse.de
CC: dimstar@opensuse.org
Found By: ---
Blocker: ---

New udisks2 (1.99.0) has these warnings that will block it from entering Factory:

polkit-untracked-privilege org.freedesktop.udisks2.modify-drive-settings (auth_admin:auth_admin:auth_admin_keep)
polkit-untracked-privilege org.freedesktop.udisks2.ata-smart-simulate (auth_admin:auth_admin:auth_admin_keep)
polkit-untracked-privilege org.freedesktop.udisks2.ata-standby-system (auth_admin:auth_admin:auth_admin_keep)
polkit-untracked-privilege org.freedesktop.udisks2.ata-standby-other-seat (auth_admin:auth_admin:auth_admin_keep)
polkit-untracked-privilege org.freedesktop.udisks2.ata-secure-erase (auth_admin:auth_admin:auth_admin_keep)
polkit-untracked-privilege org.freedesktop.udisks2.cancel-job-other-user (auth_admin:auth_admin:auth_admin_keep)
polkit-unauthorized-privilege (Badness: 100) org.freedesktop.udisks2.rescan (auth_admin:auth_admin:yes)
polkit-unauthorized-privilege (Badness: 100) org.freedesktop.udisks2.ata-check-power (auth_admin:auth_admin:yes)
polkit-unauthorized-privilege (Badness: 100) org.freedesktop.udisks2.ata-standby (auth_admin:auth_admin:yes)
polkit-unauthorized-privilege (Badness: 100) org.freedesktop.udisks2.cancel-job (auth_admin:auth_admin:yes)

The upstream commits for those can be found at http://cgit.freedesktop.org/udisks/log/data/org.freedesktop.udisks2.policy.i...

https://bugzilla.novell.com/show_bug.cgi?id=779404#c1

Vincent Untz <vuntz@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|GNOME                       |GNOME
            Version|Final                       |Factory
            Product|openSUSE 12.2               |openSUSE 12.3

--- Comment #1 from Vincent Untz <vuntz@suse.com> 2012-09-08 12:41:21 UTC ---
(Oops, this is for 12.3)

https://bugzilla.novell.com/show_bug.cgi?id=779404#c2

Vincent Untz <vuntz@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|GNOME                       |GNOME
            Version|Factory                     |12.3 Milestone 0
            Product|openSUSE 12.3               |openSUSE Factory

--- Comment #2 from Vincent Untz <vuntz@suse.com> 2012-09-13 06:39:27 UTC ---
Sorry for the noise, mass-moving GNOME bugs from openSUSE 12.3 product to the new openSUSE Factory product.

https://bugzilla.novell.com/show_bug.cgi?id=779404

Ludwig Nussel <lnussel@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|lnussel@suse.com            |security-team@suse.de

https://bugzilla.novell.com/show_bug.cgi?id=779404#c3

Andreas Jaeger <aj@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |aj@suse.com

--- Comment #3 from Andreas Jaeger <aj@suse.com> 2012-10-10 10:06:31 UTC ---
Security team, how can we move forward to get this package into Factory?

https://bugzilla.novell.com/show_bug.cgi?id=779404#c4

--- Comment #4 from Dominique Leuenberger <dimstar@opensuse.org> 2012-10-20 13:22:33 UTC ---
ping ?

This is really a blocker for GNOME 3.6 entering completely Factory

https://bugzilla.novell.com/show_bug.cgi?id=779404

Marcus Meissner <meissner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|polkit-untracked-privilege  |AUDIT-0: udisks2:
                   |and                         |polkit-untracked-privilege
                   |polkit-unauthorized-privile |and
                   |ge warnings for new udisks  |polkit-unauthorized-privile
                   |                            |ge warnings for new udisks

https://bugzilla.novell.com/show_bug.cgi?id=779404

Marcus Meissner <meissner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P5 - None                   |P2 - High
           Severity|Normal                      |Major

https://bugzilla.novell.com/show_bug.cgi?id=779404#c5

--- Comment #5 from Marcus Meissner <meissner@suse.com> 2012-10-23 11:28:32 UTC ---
polkit-unauthorized-privilege (Badness: 100) org.freedesktop.udisks2.rescan (auth_admin:auth_admin:yes)
polkit-unauthorized-privilege (Badness: 100) org.freedesktop.udisks2.ata-check-power (auth_admin:auth_admin:yes)
polkit-unauthorized-privilege (Badness: 100) org.freedesktop.udisks2.ata-standby (auth_admin:auth_admin:yes)
polkit-unauthorized-privilege (Badness: 100) org.freedesktop.udisks2.cancel-job (auth_admin:auth_admin:yes)

these are the ones where needed for the desktop user and that we should review first.

https://bugzilla.novell.com/show_bug.cgi?id=779404#c6

--- Comment #6 from Sebastian Krahmer <krahmer@suse.com> 2012-10-23 13:49:24 UTC ---
Looking at the particular code handling these above 4 action-ids, I don't have big pain. Except "org.freedesktop.udisks2.ata-standby" maybe, because even if a disk is not tagged as system, it might be in use by root owned processes (maybe even udisk itself), so it's questionable whether users must be able to force disks to stand-by (today's extern HDDs should do that themselves anyway if there's no traffic, no?).

As a rule of thumb we should give as few authorizations as possible. Everything that we don't grant (and seems not really necessary) can't break our neck later.

But, from my point of view: go ahead.

https://bugzilla.novell.com/show_bug.cgi?id=779404#c8

--- Comment #8 from Bernhard Wiedemann <bwiedemann@suse.com> 2012-10-24 11:00:08 CEST ---
This is an autogenerated message for OBS integration:
This bug (779404) was mentioned in
https://build.opensuse.org/request/show/139158 Factory / polkit-default-privs

https://bugzilla.novell.com/show_bug.cgi?id=779404#c9

--- Comment #9 from Sebastian Krahmer <krahmer@suse.com> 2012-10-24 11:13:08 UTC ---
So, this bug can probably be closed then?

https://bugzilla.novell.com/show_bug.cgi?id=779404

Sebastian Krahmer <krahmer@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
       InfoProvider|                            |vuntz@suse.com

https://bugzilla.novell.com/show_bug.cgi?id=779404#c10

Vincent Untz <vuntz@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |vuntz@suse.com

--- Comment #10 from Vincent Untz <vuntz@suse.com> 2012-10-24 11:35:20 UTC ---
The change in https://build.opensuse.org/request/show/139158 adds auth_admin:auth_admin:auth_admin_keep for all actions -- not sure this is what is intended.

If yes, then we can close the bug (and hope it doesn't result in spammy polkit dialogs). If no, then, well, we should fix polkit-default-privs :-)

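Added example (not part of the bug thread and not polkit-default-privs code): the ten rpmlint warnings from the report, parsed into their any:inactive:active settings and compared with the auth_admin:auth_admin:auth_admin_keep entry that comment #10 says the request applies to every action. The ordering in `STRICTNESS` and the function names are assumptions made for this example.

```python
import re

# rpmlint warnings as quoted in the bug report (udisks2 1.99.0).
REPORT = """\
polkit-untracked-privilege org.freedesktop.udisks2.modify-drive-settings (auth_admin:auth_admin:auth_admin_keep)
polkit-untracked-privilege org.freedesktop.udisks2.ata-smart-simulate (auth_admin:auth_admin:auth_admin_keep)
polkit-untracked-privilege org.freedesktop.udisks2.ata-standby-system (auth_admin:auth_admin:auth_admin_keep)
polkit-untracked-privilege org.freedesktop.udisks2.ata-standby-other-seat (auth_admin:auth_admin:auth_admin_keep)
polkit-untracked-privilege org.freedesktop.udisks2.ata-secure-erase (auth_admin:auth_admin:auth_admin_keep)
polkit-untracked-privilege org.freedesktop.udisks2.cancel-job-other-user (auth_admin:auth_admin:auth_admin_keep)
polkit-unauthorized-privilege (Badness: 100) org.freedesktop.udisks2.rescan (auth_admin:auth_admin:yes)
polkit-unauthorized-privilege (Badness: 100) org.freedesktop.udisks2.ata-check-power (auth_admin:auth_admin:yes)
polkit-unauthorized-privilege (Badness: 100) org.freedesktop.udisks2.ata-standby (auth_admin:auth_admin:yes)
polkit-unauthorized-privilege (Badness: 100) org.freedesktop.udisks2.cancel-job (auth_admin:auth_admin:yes)
"""

LINE = re.compile(r"^(polkit-[\w-]+)\s+(?:\(Badness: \d+\)\s+)?(\S+)\s+\((\w+):(\w+):(\w+)\)$")
# Assumed ordering, least to most restrictive, of polkit implicit authorizations.
STRICTNESS = ["yes", "auth_self_keep", "auth_self", "auth_admin_keep", "auth_admin", "no"]
SCOPES = ("any", "inactive", "active")  # column order of the triple in the warnings


def parse(report):
    """Return {action_id: (check, {scope: setting})} for each warning line."""
    actions = {}
    for raw in report.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # ignore anything that is not a polkit warning
        check, action, *triple = m.groups()
        actions[action] = (check, dict(zip(SCOPES, triple)))
    return actions


def tightened_by(actions, profile):
    """List (action, scope, old, new) where `profile` is stricter than the package default."""
    new = dict(zip(SCOPES, profile.split(":")))
    changes = []
    for action, (_, old) in actions.items():
        for scope in SCOPES:
            if STRICTNESS.index(new[scope]) > STRICTNESS.index(old[scope]):
                changes.append((action, scope, old[scope], new[scope]))
    return changes


if __name__ == "__main__":
    for change in tightened_by(parse(REPORT), "auth_admin:auth_admin:auth_admin_keep"):
        print("%s: %s %s -> %s" % change)
```

Only the four polkit-unauthorized-privilege actions are reported as tightened, each in the active-session column; the six untracked actions already ship with the same settings.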
https://bugzilla.novell.com/show_bug.cgi?id=779404#c11

Vincent Untz <vuntz@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW
       InfoProvider|vuntz@suse.com              |

--- Comment #11 from Vincent Untz <vuntz@suse.com> 2012-10-24 11:36:53 UTC ---
(forgot to remove NEEDINFO from me)

https://bugzilla.novell.com/show_bug.cgi?id=779404#c12

--- Comment #12 from Sebastian Krahmer <krahmer@suse.com> 2012-10-24 11:43:44 UTC ---
For the first 6 action ids that should be OK, as it is what was requested. For the next 4 action ids I don't know; from my side: the stricter the better; but they can also be relaxed as written in comment#6.

https://bugzilla.novell.com/show_bug.cgi?id=779404#c13

--- Comment #13 from Vincent Untz <vuntz@suse.com> 2012-10-24 11:59:10 UTC ---
Dominique: do you know, by any chance, when those actions are used?

https://bugzilla.novell.com/show_bug.cgi?id=779404#c14

--- Comment #14 from Dominique Leuenberger <dimstar@opensuse.org> 2012-11-15 21:07:48 UTC ---
org.freedesktop.udisks2.rescan

  /* Translators: Shown in authentication dialog when an application
   * wants to rescan a device.
   *
   * Do not translate $(drive), it's a placeholder and will
   * be replaced by the name of the drive/device in question
   */
  message = N_("Authentication is required to rescan $(drive)");
  action_id = "org.freedesktop.udisks2.rescan";

org.freedesktop.udisks2.ata-check-power

  /* Translators: Shown in authentication dialog when the user
   * requests the power state of a drive.
   *
   * Do not translate $(drive), it's a placeholder and
   * will be replaced by the name of the drive/device in question
   */
  message = N_("Authentication is required to check power state for $(drive)");
  action_id = "org.freedesktop.udisks2.ata-check-power";

org.freedesktop.udisks2.ata-standby

  /* Translators: Shown in authentication dialog when the user
   * tries to put a drive into standby mode.
   *
   * Do not translate $(drive), it's a placeholder and
   * will be replaced by the name of the drive/device in question
   */
  message = N_("Authentication is required to put $(drive) in standby mode");
  action_id = "org.freedesktop.udisks2.ata-standby";

org.freedesktop.udisks2.cancel-job

  /* Translators: Shown in authentication dialog when canceling a job. */
  message = N_("Authentication is required to cancel a job");
  action_id = "org.freedesktop.udisks2.cancel-job";

https://bugzilla.novell.com/show_bug.cgi?id=779404#c15

Dominique Leuenberger <dimstar@opensuse.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #15 from Dominique Leuenberger <dimstar@opensuse.org> 2013-01-16 20:13:04 UTC ---
From where I stand, I think this can be closed: we do have this version of udisks in Factory for a rather long time and there are no weird polkit dialogs... so we seem not to be too restrictive :)