[Bug 825262] New: Security Review requested due to suse-dbus-unauthorized-service, polkit-untracked-privilege and polkit-cant-acquire-privilege
https://bugzilla.novell.com/show_bug.cgi?id=825262
https://bugzilla.novell.com/show_bug.cgi?id=825262#c0

           Summary: Security Review requested due to suse-dbus-unauthorized-service, polkit-untracked-privilege and polkit-cant-acquire-privilege
    Classification: openSUSE
           Product: openSUSE Factory
           Version: 13.1 Milestone 1
          Platform: All
        OS/Version: SUSE Other
            Status: NEW
          Severity: Critical
          Priority: P5 - None
         Component: Security
        AssignedTo: security-team@suse.de
        ReportedBy: tittiatcoke@gmail.com
         QAContact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:22.0) Gecko/20100101 Firefox/22.0

The nepomuk libraries have been greatly enhanced with KDE 4.11 and now contain several utilities which can scan and index files. However, as the new utilities are directly accessing the files, some additional requirements are required.

Executing rpmlint on the package now indicates:

[  293s] nepomuk-core.x86_64: W: suse-dbus-unauthorized-service /usr/share/dbus-1/system-services/org.kde.nepomuk.filewatch.service
[  293s] nepomuk-core.x86_64: W: suse-dbus-unauthorized-service /etc/dbus-1/system.d/org.kde.nepomuk.filewatch.conf
[  293s] The package installs a DBUS system service file. If the package is intended
[  293s] for inclusion in any SUSE product please open a bug report to request review
[  293s] of the service by the security team.
[  293s] 
[  293s] nepomuk-core.x86_64: I: polkit-untracked-privilege org.kde.nepomuk.filewatch.raiselimit (??:no:auth_admin_keep)
[  293s] The privilege is not listed in /etc/polkit-default-privs.* which makes it
[  293s] harder for admins to find. If the package is intended for inclusion in any
[  293s] SUSE product please open a bug report to request review of the package by the
[  293s] security team
[  293s] 
[  293s] nepomuk-core.x86_64: I: polkit-cant-acquire-privilege org.kde.nepomuk.filewatch.raiselimit (??:no:auth_admin_keep)
[  293s] Usability can be improved by allowing users to acquire privileges via
[  293s] authentication. Use e.g. 'auth_admin' instead of 'no' and make sure to define
[  293s] 'allow_any'. This is an issue only if the privilege is not listed in /etc
[  293s] /polkit-default-privs.*

Also here an rpmlintrc file is currently in effect to enable the build of the dependent packages. We would like to submit this to Factory as soon as possible.

Reproducible: Always

Steps to Reproduce:
1.
2.
3.

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=825262#c

Marcus Meissner <meissner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |meissner@suse.com
            Summary|Security Review requested due to suse-dbus-unauthorized-service, polkit-untracked-privilege and polkit-cant-acquire-privilege
                   |                            |AUDIT-0: nepomuk: Security Review requested due to suse-dbus-unauthorized-service, polkit-untracked-privilege and polkit-cant-acquire-privilege
https://bugzilla.novell.com/show_bug.cgi?id=825262#c1

Sebastian Krahmer <krahmer@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P5 - None                   |P3 - Medium
           Severity|Critical                    |Minor

--- Comment #1 from Sebastian Krahmer <krahmer@suse.com> 2013-06-17 07:16:40 UTC ---
adjusting severity
https://bugzilla.novell.com/show_bug.cgi?id=825262#c2

Marcus Meissner <meissner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P3 - Medium                 |P2 - High
           Severity|Minor                       |Major

--- Comment #2 from Marcus Meissner <meissner@suse.com> 2013-06-21 01:31:30 UTC ---
dbus service review blocks kde submission, so raise priority (I think minor was not intended)
https://bugzilla.novell.com/show_bug.cgi?id=825262#c3

--- Comment #3 from Thomas Biege <thomas@suse.com> 2013-06-27 10:27:43 CEST ---
If there is a deadline for us... tell us please.
https://bugzilla.novell.com/show_bug.cgi?id=825262#c4

--- Comment #4 from Raymond Wooninck <tittiatcoke@gmail.com> 2013-06-27 10:50:11 UTC ---
At this moment the review of nepomuk-core and kdebase4-workspace are holding back the submission of KDE 4.11 Beta 1 (and future releases) to Factory. Due to this we wouldn't really be able to fix any KDE issues in Factory either, as the development repository has already been switched to KDE 4.11 Beta 1. By the end of this week, we will upload Beta 2 into the development repository.
https://bugzilla.novell.com/show_bug.cgi?id=825262#c5

--- Comment #5 from Raymond Wooninck <tittiatcoke@gmail.com> 2013-07-01 07:52:31 UTC ---
Any update on this bug request? As indicated we have Beta 2 now in KDF, but still not able to submit it to Factory.
https://bugzilla.novell.com/show_bug.cgi?id=825262#c6

--- Comment #6 from Marcus Meissner <meissner@suse.com> 2013-07-03 16:19:49 UTC ---
our main auditor (Sebastian) has different duties this month and also vacation. :/

I will see what we can do
https://bugzilla.novell.com/show_bug.cgi?id=825262#c7

--- Comment #7 from Bernhard Wiedemann <bwiedemann@suse.com> 2013-07-03 22:00:15 CEST ---
This is an autogenerated message for OBS integration:
This bug (825262) was mentioned in
https://build.opensuse.org/request/show/181931 Factory / nepomuk-core
https://bugzilla.novell.com/show_bug.cgi?id=825262#c8

--- Comment #8 from Thomas Biege <thomas@suse.com> 2013-07-04 09:09:11 CEST ---
(In reply to comment #5)
> Any update on this bug request? As indicated we have Beta 2 now in KDF, but
> still not able to submit it to Factory.

Just go ahead, green light from us at the moment. We will review it and if it causes trouble we will let you know.
https://bugzilla.novell.com/show_bug.cgi?id=825262#c

Alexander Bergmann <abergmann@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |abergmann@suse.com
         AssignedTo|security-team@suse.de       |abergmann@suse.com
https://bugzilla.novell.com/show_bug.cgi?id=825262#c9

--- Comment #9 from Marcus Meissner <meissner@suse.com> 2013-07-04 07:39:32 UTC ---
(temporary whitelisted in rpmlint/config)
https://bugzilla.novell.com/show_bug.cgi?id=825262#c10

--- Comment #10 from Bernhard Wiedemann <bwiedemann@suse.com> 2013-07-04 10:00:16 CEST ---
This is an autogenerated message for OBS integration:
This bug (825262) was mentioned in
https://build.opensuse.org/request/show/182129 Factory / rpmlint
https://bugzilla.novell.com/show_bug.cgi?id=825262#c11

--- Comment #11 from Alexander Bergmann <abergmann@suse.com> 2013-07-08 16:18:52 UTC ---
We have two parts here that need to be evaluated.

1. New dbus service "org.kde.nepomuk.filewatch".
2. New PolicyKit rule "org.kde.nepomuk.filewatch.raiselimit"

1. A new dbus system service is introduced with nepomuk-core. This system service allows the execution of kde_nepomuk_filewatch_raiselimit, which is also part of nepomuk-core. Inside the FileWatchHelper::raiselimit function in raiselimit.cpp it doubles the value in /proc/sys/fs/inotify/max_user_watches and sets/replaces this value in /etc/sysctl.d/97-kde-nepomuk-filewatch-inotify.conf to be reboot persistent.

2. PolicyKit is used to have an abstraction layer between the user session and the FileWatchHelper::raiselimit function. An unprivileged user account can therefore gain the privilege to raise max_user_watches for the system. For this the user has to authenticate as admin (root).

org.kde.nepomuk.filewatch.raiselimit no:no:auth_admin_keep

All functions are programmed straightforwardly. So there is no security impact. Therefore the changes in polkit-default-privs and rpmlint can be marked as valid and can be set permanently.

polkit-default-privs.changes:
- track nepomuk rights (bnc#825262)

rpmlint.changes:
- allow nepomuk helpers temporary without full audit (bnc#825262)
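The following Python script is an added example for this thread; it is not code from rpmlint, polkit-default-privs or nepomuk-core. It approximates the two polkit checks quoted in the original report (polkit-untracked-privilege and polkit-cant-acquire-privilege) and shows why the "track nepomuk rights" entry from comment #11 silences them: a .policy file whose <allow_any> is missing renders as the "??:no:auth_admin_keep" triple, and an action is only flagged while it is absent from polkit-default-privs. The .policy XML, the polkit-default-privs lines and the exact flagging rules are constructed assumptions, not the real rpmlint implementation.

```python
# Added example: approximation of rpmlint's polkit-untracked-privilege and
# polkit-cant-acquire-privilege checks. Not the real rpmlint code; the inputs
# below are constructed for illustration.
import xml.etree.ElementTree as ET

# Constructed .policy file for the action named in the bug report. <allow_any>
# is deliberately absent: that is what rpmlint rendered as "??".
POLICY_XML = """<policyconfig>
  <action id="org.kde.nepomuk.filewatch.raiselimit">
    <description>Raise the inotify watch limit</description>
    <defaults>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
</policyconfig>
"""

# Constructed polkit-default-privs content. Line format (assumed from the
# rpmlint output): "<action id> <any>:<inactive>:<active>", '#' starts a comment.
PRIVS_BEFORE = """# constructed sample of /etc/polkit-default-privs.standard
org.freedesktop.example.other   auth_admin:auth_admin:yes
"""
# The entry the security team tracked in comment #11 ("no:no:auth_admin_keep").
PRIVS_AFTER = PRIVS_BEFORE + "org.kde.nepomuk.filewatch.raiselimit   no:no:auth_admin_keep\n"

VALID_RESULTS = {"yes", "no", "auth_self", "auth_self_keep", "auth_admin", "auth_admin_keep"}
UNSET = "??"  # rendering for a default the .policy file does not define


def parse_policy(xml_text):
    """Map each action id in a .policy file to its (any, inactive, active) defaults."""
    actions = {}
    for action in ET.fromstring(xml_text).iter("action"):
        defaults = action.find("defaults")
        triple = []
        for tag in ("allow_any", "allow_inactive", "allow_active"):
            node = defaults.find(tag) if defaults is not None else None
            value = node.text.strip() if node is not None and node.text else UNSET
            if value != UNSET and value not in VALID_RESULTS:
                raise ValueError("unknown polkit result %r in %s" % (value, action.get("id")))
            triple.append(value)
        actions[action.get("id")] = tuple(triple)
    return actions


def parse_default_privs(text):
    """Map tracked action ids to their (any, inactive, active) triple."""
    tracked = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2 or fields[1].count(":") != 2:
            raise ValueError("malformed polkit-default-privs line: %r" % raw)
        tracked[fields[0]] = tuple(fields[1].split(":"))
    return tracked


def check_policy(package, policy_xml, default_privs_text):
    """Return rpmlint-style finding lines for actions not tracked in polkit-default-privs."""
    tracked = parse_default_privs(default_privs_text)
    findings = []
    for action_id, triple in parse_policy(policy_xml).items():
        if action_id in tracked:
            # A tracked action is the distribution's explicit, reviewed decision.
            continue
        rendered = ":".join(triple)
        findings.append("%s: I: polkit-untracked-privilege %s (%s)" % (package, action_id, rendered))
        # Per the rpmlint text: 'no' can never be acquired by authenticating, and
        # an undefined allow_any leaves that session state unspecified.
        if "no" in triple or UNSET in triple:
            findings.append("%s: I: polkit-cant-acquire-privilege %s (%s)" % (package, action_id, rendered))
    return findings


if __name__ == "__main__":
    for line in check_policy("nepomuk-core.x86_64", POLICY_XML, PRIVS_BEFORE):
        print(line)
    print("after tracking:", check_policy("nepomuk-core.x86_64", POLICY_XML, PRIVS_AFTER))
```

Run stand-alone, the script first prints the two informational findings in the same shape as the build log in the report, then an empty list once the action is present in the constructed polkit-default-privs text. Tracking the action does not weaken anything by itself: the triple the team recorded still demands admin authentication for the active session and denies the rest, which is the policy comment #11 judged acceptable.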
https://bugzilla.novell.com/show_bug.cgi?id=825262#c12

Alexander Bergmann <abergmann@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|abergmann@suse.com          |meissner@suse.com

--- Comment #12 from Alexander Bergmann <abergmann@suse.com> 2013-07-11 07:09:44 UTC ---
Marcus, the comment in polkit-default-privs is already final, good. We just have to change the "temporary" comment in rpmlint. After that this AUDIT-0 bug can be closed.
https://bugzilla.novell.com/show_bug.cgi?id=825262#c13

Marcus Meissner <meissner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #13 from Marcus Meissner <meissner@suse.com> 2013-11-05 09:23:53 UTC ---
Done, I think.