https://bugzilla.novell.com/show_bug.cgi?id=295341 Ludwig Nussel changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|PolicyKit: please add |AUDIT-0: PolicyKit: please add setguid polkit- |setguid polkit-grant-helper |grant-helper (polkituser) to /etc/permissions.* |(polkituser) to | |/etc/permissions.* | -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=295341#c2 --- Comment #2 from Kay Sievers 2007-07-30 08:07:31 MST --- PolicyKit checked into BETA. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=295341#c4 --- Comment #4 from Marcus Meissner 2007-07-31 00:29:55 MST --- Overnight it also gained a setuid root pam helper binary for unknown reasons. we need to audit that one too. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=295341#c5 Kay Sievers changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|AUDIT-0: PolicyKit: please |AUDIT-0: PolicyKit: please add set(g/u)id |add setguid polkit-grant- |polkit-grant-helpers (polkituser, root) to |helper (polkituser) to |/etc/permissions.* |/etc/permissions.* | --- Comment #5 from Kay Sievers 2007-07-31 03:33:56 MST --- The whole PAM conversation to authenticate as the own user or as root has been split out to its own 200 lines helper, which doesn't have any other dependency. For us at least, it needs root privileges to be able to read /etc/shadow or NIS passwords. Other distros, not using PAM, would like to use replace that part with their own binary here doing the authentication chat. /work/SRC/BETA/all/PolicyKit has been updated to the latest version. Thanks! -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=295341#c7 --- Comment #7 from Kay Sievers 2007-08-03 08:05:00 MST --- Yes, it is all about the invoked setgid binary, which creates the "auth cookie", which is read by the system-service. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=295341#c10 --- Comment #10 from Sebastian Krahmer 2007-08-07 03:36:21 MST --- The code itself does not look problematic. However I do not like that all the suids/sgids are linked against blown libs such as libdbus or glib and its dependencies. This will cause trouble sooner or later. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=295341#c12 --- Comment #12 from Kay Sievers 2007-08-08 03:54:38 MST --- The separate setuid root binary exists only for the reason not to link these libraries while running as root and using pam. It is only the setgid polkituser binary which links dbus and glib, and that isn't trivial to change. ldd /usr/lib64/PolicyKit/polkit-grant-helper-pam libpam.so.0 => /lib64/libpam.so.0 (0x00002b213f159000) libc.so.6 => /lib64/libc.so.6 (0x00002b213f365000) libaudit.so.0 => /lib64/libaudit.so.0 (0x00002b213f6a9000) libdl.so.2 => /lib64/libdl.so.2 (0x00002b213f8be000) /lib64/ld-linux-x86-64.so.2 (0x0000555555554000) ldd /usr/lib64/PolicyKit/polkit-grant-helper libpolkit.so.1 => /usr/lib64/libpolkit.so.1 (0x00002b3bce363000) libpolkit-dbus.so.1 => /usr/lib64/libpolkit-dbus.so.1 (0x00002b3bce56f000) libdbus-1.so.3 => /lib64/libdbus-1.so.3 (0x00002b3bce774000) libglib-2.0.so.0 => /usr/lib64/libglib-2.0.so.0 (0x00002b3bce9ad000) libc.so.6 => /lib64/libc.so.6 (0x00002b3bcec74000) libexpat.so.1 => /lib64/libexpat.so.1 (0x00002b3bcefb8000) /lib64/ld-linux-x86-64.so.2 (0x0000555555554000) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=295341#c14 --- Comment #14 from Kay Sievers 2007-08-08 04:10:44 MST --- It is the alternative to the current polkit daemon running as root using dbus, using glib and pam, and talking to users. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=295341#c16 Andreas Jaeger changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |aj@novell.com Status|ASSIGNED |NEEDINFO Info Provider| |lnussel@novell.com --- Comment #16 from Andreas Jaeger 2007-08-11 02:44:07 MST --- PolicyKit does not build with the new permissions file: Running chkstat with permissions and permissions.secure found the following differences: /usr/lib/PolicyKit/polkit-grant-helper-pam from RPMS/i586/PolicyKit-0.4-7.i586.rpm /usr/lib/PolicyKit/polkit-grant-helper-pam should be root:root 0755. (wrong permissions 4755) Ludwig, can you investigate, please? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=295341 User kasievers@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=295341#c18 Kay Sievers changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |REOPENED Component|Security |Security Product|openSUSE 10.3 |openSUSE 11.0 Resolution|FIXED | Summary|AUDIT-0: PolicyKit: please add set(g/u)id |AUDIT-0: PolicyKit: please add set(g/u)id |polkit-grant-helpers (polkituser, root) to |polkit-* helpers to /etc/permissions.* |/etc/permissions.* | Version|Alpha 6 |unspecified --- Comment #18 from Kay Sievers 2007-12-20 09:14:38 MST --- Please update permissions for PolicyKit 0.7, which has the following programs: %attr(2755,root,polkituser) %{_libexecdir}/polkit-set-default-helper %attr(2755,root,polkituser) %{_libexecdir}/polkit-read-auth-helper %attr(2755,root,polkituser) %{_libexecdir}/polkit-revoke-helper %attr(2755,root,polkituser) %{_libexecdir}/polkit-explicit-grant-helper %attr(2755,root,polkituser) %{_libexecdir}/polkit-grant-helper %attr(4750,root,polkituser) %{_libexecdir}/polkit-grant-helper-pam Other packages depend on the updated version, would be nice if that could be done in time. Thanks! -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=295341 User kasievers@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=295341#c19 --- Comment #19 from Kay Sievers 2008-01-02 06:11:06 MST --- Package copied to STABLE. Please update permissions. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=295341 Sebastian Krahmer changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |krahmer@novell.com AssignedTo|security-team@suse.de |krahmer@novell.com Status|NEW |ASSIGNED -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=295341 User meissner@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=295341#c23 --- Comment #23 from Marcus Meissner 2008-01-14 02:32:58 MST --- no, westernhagen does not have it currently. (I also have no latest STABLE updates currently.) Perhaps time to update ;) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=295341 User krahmer@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=295341#c25 --- Comment #25 from Sebastian Krahmer 2008-01-14 06:23:34 MST --- polkit-set-default-helper: since its setgid, files created are owned by calling user, thus file-content in /usr/local/lib/PolicyKit-public/ can be changed afterwards at any time; if thats not a problem. So, the only reason why this needs 02755 is that it is able to move files to this directory?? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=295341 User aj@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=295341#c27 --- Comment #27 from Andreas Jaeger 2008-01-15 00:52:23 MST --- /usr/local/lib/PolicyKit-public/ looks wrong as well - it should not install in /usr/local at all. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=295341 User jpr@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=295341#c29 JP Rosevear changed: What |Removed |Added ---------------------------------------------------------------------------- Severity|Normal |Blocker --- Comment #29 from JP Rosevear 2008-03-06 12:41:59 MST --- We have the powermanagement stuff as well as PackageKit, powermanagement, pulse audo and storage mounting all using policykit now. The command line tools throw errors now and refuse to give info. This also allows users not to do all or nothing with things like pluggable usb devices. Given that, I don't think we can ship 11.0 without this change. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=295341 User meissner@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=295341#c31 --- Comment #31 from Marcus Meissner 2008-03-10 10:30:28 MST --- hal mounting of removable devices works fine, without those additional setgid bits too. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=295341 User meissner@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=295341#c33 --- Comment #33 from Marcus Meissner 2008-03-10 10:51:40 MST --- ah,. org.gnome.PolicyKit starts the /usr/lib64/PolicyKit-gnome/polkit-gnome-manager, while org.freedesktop.PolicyKit is something else. confusing at best. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=295341 User meissner@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=295341#c35 --- Comment #35 from Marcus Meissner 2008-03-10 11:25:04 MST --- To dispel more FUD, powersave does not need the GRANT mechanisms for all regular cases, except multisession shutdown/reboot. And neither does regular removable storage mounting, as said previously. However there are cases that need it, including PackageKit. So I will discuss this further tomorrow and try to see a solution. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=295341 User lnussel@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=295341#c37 Ludwig Nussel changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |ASSIGNED --- Comment #37 from Ludwig Nussel 2008-03-12 05:03:43 MST --- Will do. Could you please change the %_libexecdir to %_prefix/lib please? Having to specify all binaries twice sucks. There are bugs open to change the macro in rpm but it looks like it's intentionally broken.. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=295341 User kasievers@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=295341#c39 Kay Sievers changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED --- Comment #39 from Kay Sievers 2008-03-12 12:34:29 MST --- Submitted. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=295341 User kasievers@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=295341#c41 Kay Sievers changed: What |Removed |Added ---------------------------------------------------------------------------- Severity|Blocker |Major Status|RESOLVED |REOPENED Resolution|FIXED | Version|Alpha 2 |Factory --- Comment #41 from Kay Sievers 2008-04-09 19:02:48 MST --- New version submitted: /work/src/done/STABLE/PolicyKit/ Please add: %{_prefix}/lib/PolicyKit/polkit-resolve-exe-helper as: %attr(4755,root,polkituser) Thanks! -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=295341 User meissner@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=295341#c42 --- Comment #42 from Marcus Meissner 2008-04-10 03:10:16 MST --- what is this new helper used for? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=295341 User kasievers@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=295341#c44 Kay Sievers changed: What |Removed |Added ---------------------------------------------------------------------------- Severity|Major |Blocker --- Comment #44 from Kay Sievers 2008-04-24 12:44:18 MST --- Please update the permissions, some things are not working as expected now. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=295341 User kasievers@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=295341#c46 Kay Sievers changed: What |Removed |Added ---------------------------------------------------------------------------- Severity|Enhancement |Blocker --- Comment #46 from Kay Sievers 2008-04-24 13:22:58 MST --- You can not mount volumes which require authorization to mount them. This is a very real problem. There are probably other authorizations failing too. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=295341 User kasievers@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=295341#c48 --- Comment #48 from Kay Sievers 2008-04-24 13:41:47 MST --- Yes, it is. Mounting built-in drives does not work. Anyway, regardless of this specific bug, PolicyKit is broken without proper permissions. $ rpm -q PolicyKit PolicyKit-0.7.git20080410-3 chmod u-s /usr/lib/PolicyKit/polkit-resolve-exe-helper makes it working as expected HAL log: polkit-resolve-exe-helper: cannot do setuid(0): Operation not permitted polkit-resolve-exe-helper: cannot do setuid(0): Operation not permitted polkit-resolve-exe-helper: cannot do setuid(0): Operation not permitted polkit-resolve-exe-helper: cannot do setuid(0): Operation not permitted 21:37:32.258 [I] device.c:1894: Removing locks from ':1.7908' pid 32199: rc=1 signaled=0: /usr/lib64/hal/hal-storage-mount 21:37:32.259 [I] hald_dbus.c:4042: No more methods in queue 21:37:32.259 [I] hald_dbus.c:4105: failed with 'org.freedesktop.Hal.Device.PermissionDeniedByPolicy' -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=295341 User thomas@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=295341#c49 Thomas Biege changed: What |Removed |Added ---------------------------------------------------------------------------- AssignedTo|security-team@suse.de |thomas@novell.com Status|NEW |ASSIGNED --- Comment #49 from Thomas Biege 2008-04-28 07:12:29 MST --- Will have a look... -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=295341 User kasievers@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=295341#c55 Kay Sievers changed: What |Removed |Added ---------------------------------------------------------------------------- AssignedTo|kasievers@novell.com |security-team@suse.de --- Comment #55 from Kay Sievers 2008-04-29 19:42:19 MST --- All callers pass a static size, large enough for the common case. The return value of readlink() is checked, and the call fails if it is truncated. I can see nothing which would immediately need to be fixed. The upstream author is informed, and will change it according to the suggestions, and we will get the changes with the next version update. Thanks! -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=295341 Stephan Kulow changed: What |Removed |Added ---------------------------------------------------------------------------- Flag| |SHIP_STOPPER+ -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=295341 User lnussel@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=295341#c58 --- Comment #58 from Ludwig Nussel 2008-05-21 07:20:34 MST --- The policykit source code documentation for polkit_sysdeps_get_exe_for_pid() clearly states that containts based on the calling program's name cannot be relied upon as firstly they can be easily circumvented by the user himself and secondly don't work for interpreted languages. Therefore those exe name constaints are no security feature, just annoyance. The feature should be patched away instead of adding a setuid binary that cannot fix it's shortcomings anyways. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=295341 User thomas@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=295341#c60 Thomas Biege changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |NEW Info Provider|meissner@novell.com | --- Comment #60 from Thomas Biege 2008-05-27 00:25:54 MDT --- The helper's code is "ok" but what about comment #58? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=295341 User coolo@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=295341#c62 Stephan Kulow changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |NEEDINFO Info Provider| |kasievers@novell.com --- Comment #62 from Stephan Kulow 2008-05-27 05:51:20 MDT --- Kay, is this working for you? We need a decision asap if we go with PolicyKit or permissions ;( -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=295341 User kasievers@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=295341#c65 --- Comment #65 from Kay Sievers 2008-05-27 08:38:16 MDT --- SUSE also does not patch upstream software, because someone does not like a feature, for no good reasons. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=295341 User thomas@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=295341#c66 --- Comment #66 from Thomas Biege 2008-05-27 08:40:10 MDT --- The authorization scheme seems to be broken by design, it would not help adding a suid bit. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=295341 User zeuthen@gmail.com added comment https://bugzilla.novell.com/show_bug.cgi?id=295341#c68 David Zeuthen changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |zeuthen@gmail.com --- Comment #68 from David Zeuthen 2008-05-27 11:15:34 MDT --- (In reply to comment #58 from Ludwig Nussel)

The policykit source code documentation for polkit_sysdeps_get_exe_for_pid() clearly states that containts based on the calling program's name cannot be relied upon as firstly they can be easily circumvented by the user himself and secondly don't work for interpreted languages.

It does however work for secure programs. (In reply to comment #66)

The authorization scheme seems to be broken by design, it would not help adding a suid bit.

I'm not sure what to make of this comment. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=295341 User kasievers@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=295341#c70 Kay Sievers changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |NEW Info Provider|kasievers@novell.com | --- Comment #70 from Kay Sievers 2008-05-28 01:37:17 MDT --- Fixed disks are different from removable disks, because one could be able to access the secure data from other operating systems on a multi-boot box. Therefore, mounting fixed disks have their own policy, and require the root password. And it works fine. Please stop this, it is so pointless. The "exe" check is an additional check, add not any "security feature", does not harm anything, and does not need "fixing" in any sense. And again, get involved in upstream development, discuss the stuff there, if you want to influence what Linux is doing today. Otherwise please stop wasting my/our time. I will refuse any of these patches, which makes SUSE different from all other distros. I will just assign package maintenance to the one who will apply it, and not care anymore. I'm so tired of these useless "discussions" which never lead to anything in the past. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=295341 User coolo@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=295341#c73 Stephan Kulow changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |WONTFIX --- Comment #73 from Stephan Kulow 2008-06-02 03:40:49 MDT --- ok, after having another discussion with Marcus and Ludwig, I finally agree that leaving out this feature for 11.0 is the right thing to do. And for the future, we might reconsider if it's not wiser to patch it out of PolicyKit. I would still recommend someone of our security team join the policykit upstream mailing list and discuss future developments there. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=295341 User zeuthen@gmail.com added comment https://bugzilla.novell.com/show_bug.cgi?id=295341#c75 --- Comment #75 from David Zeuthen 2008-06-05 16:35:57 MDT --- (In reply to comment #73 from Stephan Kulow)

I would still recommend someone of our security team join the policykit upstream mailing list and discuss future developments there.

That would be nice.

ok, after having another discussion with Marcus and Ludwig, I finally agree that leaving out this feature for 11.0 is the right thing to do. And for the future, we might reconsider if it's not wiser to patch it out of PolicyKit.

As upstream for PolicyKit, this is unacceptable. I jumped into your downstream bugzilla to help clear the confusion. I spent a lot of time explaining to you guys how this works in comment 71. You could at the very least explain why you are crippling upstream sources. Don't expect me to care about SUSE PolicyKit bugs in the future if this continues. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=295341 User kasievers@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=295341#c77 --- Comment #77 from Kay Sievers 2008-06-06 01:05:53 MDT --- Sure, do we need it. I can not mount my fixed disk partitions, and maybe other things that are not part of the default install. That you don't need that, does in no way say others don't need it. PolicyKit is generic infrastructure, and you decided to ship a willfully broken version, for absolutely not valid reason. It's the equivalent of removing random functions from a shared library, because your system seems to run without them. Nice job! -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=295341 User kasievers@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=295341#c79 --- Comment #79 from Kay Sievers 2008-06-06 01:43:00 MDT --- So how many bytes did you save here? The job of a distribution is to provide a working system and working infrastructure for people to build stuff on top. You decided that openSUSE does want to do both of them. Really, what's needed to get a clue? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.