[Bug 1232244] New: AUDIT-0: xfce4-power-manager: New PolKit rules added
https://bugzilla.suse.com/show_bug.cgi?id=1232244

            Bug ID: 1232244
           Summary: AUDIT-0: xfce4-power-manager: New PolKit rules added
    Classification: openSUSE
           Product: openSUSE Distribution
           Version: Leap 15.6
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Security
          Assignee: security-team@suse.de
          Reporter: manfred.h@gmx.net
        QA Contact: qa-bugs@suse.de
  Target Milestone: ---
          Found By: ---
           Blocker: ---

Created attachment 878186
  --> https://bugzilla.suse.com/attachment.cgi?id=878186&action=edit
Full build log

xfce4-power-manager-4.19.3 has added polkit rules

[ 43s] RPMLINT report:
[ 43s] ===============
[ 44s] xfce4-power-manager.x86_64: E: polkit-unauthorized-privilege (Badness: 10000) org.xfce.power.xfce4-pm-helper (auth_admin:auth_admin:yes)
[ 44s] The package allows unprivileged users to carry out privileged operations
[ 44s] without authentication. This could cause security problems if not done
[ 44s] carefully. If the package is intended for inclusion in any SUSE product please
[ 44s] open a bug report to request review of the package by the security team.
[ 44s] Please refer to
[ 44s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for
[ 44s] more information.
[ 44s]
[ 44s] (none): E: badness 10000 exceeds threshold 1000, aborting.

OBS repo:
https://build.opensuse.org/package/show/home:manfred-h:X11:xfce:4.19/xfce4-p...

--
You are receiving this mail because:
You are on the CC list for the bug.
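Added example, not part of the bug report and not rpmlint's or polkit-default-privs' own code: a sketch of the kind of check behind the rpmlint error above. It reads the implicit authorizations of each action in a polkit policy file as an any:inactive:active triple and compares them with a whitelist of reviewed actions. The sample policy, the helper path, the whitelist line format and the finding names are constructed for illustration; only the action id and its triple come from the report.

```python
import xml.etree.ElementTree as ET

# Constructed sample: action id and settings from the rpmlint line, path is a placeholder.
SAMPLE_POLICY = """<policyconfig>
  <action id="org.xfce.power.xfce4-pm-helper">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/path/to/xfce4-pm-helper</annotate>
  </action>
</policyconfig>"""

# Settings that deny outright or still require administrator authentication.
ADMIN_ONLY = {"no", "auth_admin", "auth_admin_keep"}
TAGS = ("allow_any", "allow_inactive", "allow_active")

def parse_policy(xml_text):
    """Map action id -> 'any:inactive:active'; a missing element counts as "no" here."""
    actions = {}
    for action in ET.fromstring(xml_text).iter("action"):
        values = [(action.findtext("defaults/" + t) or "no").strip() for t in TAGS]
        actions[action.get("id")] = ":".join(values)
    return actions

def parse_whitelist(text):
    """Parse assumed 'action_id any:inactive:active' lines; '#' starts a comment."""
    entries = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 2:
            entries[fields[0]] = fields[1]
    return entries

def audit(actions, whitelist):
    """Return (action_id, setting, finding) for every action needing review."""
    findings = []
    for action_id, setting in sorted(actions.items()):
        if whitelist.get(action_id) == setting:
            continue  # reviewed and unchanged
        if action_id in whitelist:
            finding = "differs-from-whitelist"
        elif set(setting.split(":")) - ADMIN_ONLY:
            finding = "unauthorized-privilege"  # some user class needs no admin auth
        else:
            finding = "untracked-privilege"
        findings.append((action_id, setting, finding))
    return findings
```

With an empty whitelist the sample action is reported because active local sessions get "yes"; once a line with the same triple is in the whitelist, the audit returns nothing.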
Manfred Hollstein <manfred.h@gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |manfred.h@gmx.net
https://bugzilla.suse.com/show_bug.cgi?id=1232244#c2

--- Comment #2 from Manfred Hollstein <manfred.h@gmx.net> ---
(In reply to Matthias Gerstner from comment #1)
> Thank you for creating the bug. Why is this still in your home project? You
> do plan to submit this to Factory, yes?

Yes, this will end up in Factory when XFCE 4.20 will be released. This package is part of the XFCE 4.19 series which will become 4.20 during the next weeks. I'll submit it to X11:xfce:4.19 next, which will replace X11:xfce after lots of testing. All packages will then be submitted to openSUSE:Factory. Hope this makes it clear!

> The added Polkit action allows to execute the "xfce4-pm-helper" as root for
> locally logged in users. It's a small program but we still need to properly
> review it.

Great, thanks!
https://bugzilla.suse.com/show_bug.cgi?id=1232244#c6

--- Comment #6 from Manfred Hollstein <manfred.h@gmx.net> ---
(In reply to Wolfgang Frisch from comment #5)
> Submission underway: https://build.opensuse.org/requests/1223371

Thanks a lot again for your support!
https://bugzilla.suse.com/show_bug.cgi?id=1232244#c7

--- Comment #7 from OBSbugzilla Bot <bwiedemann+obsbugzillabot@suse.com> ---
This is an autogenerated message for OBS integration:
This bug (1232244) was mentioned in
https://build.opensuse.org/request/show/1223372 Factory / polkit-default-privs
https://bugzilla.suse.com/show_bug.cgi?id=1232244#c10

Manfred Hollstein <manfred.h@gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|                            |needinfo?(wolfgang.frisch@suse.com)
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |---

--- Comment #10 from Manfred Hollstein <manfred.h@gmx.net> ---
What is the process if such requests for other distros? Will there be an update for e.g. openSUSE Leap 15.6? Without such an update xfce4-power-manager fails to build for 15.6 :-(

FWIW, Xfce 4.20 has been released today, so I'd like to get the environment clarified for Leap 15.6, too ;-)
https://bugzilla.suse.com/show_bug.cgi?id=1232244#c13

--- Comment #13 from Manfred Hollstein <manfred.h@gmx.net> ---
(In reply to Wolfgang Frisch from comment #11)
> (In reply to Manfred Hollstein from comment #10)
> > What is the process if such requests for other distros? Will there be an
> > update for e.g. openSUSE Leap 15.6? Without such an update
> > xfce4-power-manager fails to build for 15.6 :-(
>
> We maintain a branch of polkit-default-privs for Leap 15.6 [1]. The
> whitelisting process is basically the same, but only performed when a
> maintainer requests it explicitly.
>
> > FWIW, Xfce 4.20 has been released today, so I'd like to get the
> > environment clarified for Leap 15.6, too ;-)
>
> I just backported the whitelisting to Leap [2]. It can take a few days until
> it's released. I hope this answers your question :)
>
> [1] https://github.com/openSUSE/polkit-default-privs/tree/SLE-15-SP6
> [2] https://github.com/openSUSE/polkit-default-privs/commit/01daf2cf810396256152ce35d9ada61711d699c5

Indeed, it answers my question! And thanks a lot for your help again!