[Bug 1090647] New: AUDIT-0: openSUSE Leap 15.0 security audit
http://bugzilla.suse.com/show_bug.cgi?id=1090647

Bug ID: 1090647
Summary: AUDIT-0: openSUSE Leap 15.0 security audit
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.0
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: kbabioch@suse.com
QA Contact: qa-bugs@suse.de
CC: astieger@suse.com, lnussel@suse.com, security-team@suse.de
Found By: Security Review Board
Blocker: ---

General security audit of openSUSE Leap 15.0

https://progress.opensuse.org/issues/24882
http://download.opensuse.org/distribution/leap/15.0/iso/openSUSE-Leap-15.0-D...
http://download.opensuse.org/distribution/leap/15.0/repo/oss/

General:
[ ] Install and perform lynis scan
[ ] review for outstanding major security issues

Defaults:
[ ] running default services
[ ] setuid and privileged friends

Media and repositories:
[ ] media signed
[ ] repository signed

Sources:
[ ] trawl rpmlintrc for bypasses of rpmlint checks
[ ] clamav scan of sources

Development processes:
[ ] verify package review process was adhered to
[ ] verify standard development model was followed

Updates:
[ ] verify product can install maintenance updates

-- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1090647
Karol Babioch
--- Comment #1 from Karol Babioch

--- Comment #2 from Karol Babioch

--- Comment #3 from Karol Babioch

--- Comment #4 from Matthias Gerstner

--- Comment #5 from Karol Babioch

--- Comment #6 from Karol Babioch

--- Comment #7 from Karol Babioch

--- Comment #8 from Ludwig Nussel
The following findings resulted from this:
- /etc/machine-id is world-writable which is probably not what was intended. The reason is found in the systemd spec file:

    if [ $1 -eq 1 ]; then
        touch %{_sysconfdir}/machine-id
        chmod 666 %{_sysconfdir}/machine-id
    fi

- Each process started from within the KDE login inherits a couple of open UNIX domain socket file descriptors. Just open up a konsole and check ls -l /proc/self/fd. These descriptors are open for read/write. They seem to be connected to the plasmashell process also running as the logged-in user. So it hopefully doesn't pose a security issue. Anyways, inheriting those file descriptors to arbitrary user processes does not look like a good idea. But probably it is some great KDE concept in action that we're seeing here?

Please file bugs. Especially the systemd one needs to be fixed ASAP
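Two of the checks behind these findings, written as an added example that is not part of the bug report nor of systemd or KDE: a scan for world-writable regular files under a directory (the /etc/machine-id case) and a scan of a process's own open socket descriptors for ones that lack FD_CLOEXEC and would therefore be inherited by every child it launches. The /etc walk in the main block, the temporary tree and the socketpair in the self-test are constructed for this example, and the function names are invented.

```python
"""Added example (not from the bug report): two of the checks behind the
findings in comment #8, written as reusable functions.

  - world_writable_files(root): regular files under root whose mode grants
    write to 'other' (e.g. the chmod 666 applied to /etc/machine-id).
  - leaked_socket_fds(): open socket descriptors that are still inheritable
    (no FD_CLOEXEC), the kind a KDE session was seen passing to every child.

Both run as an unprivileged user; the self-test builds a temporary tree and
a socketpair so the result is deterministic.
"""
import fcntl
import os
import socket
import stat
import tempfile


def world_writable_files(root):
    """Return sorted paths of regular files under `root` writable by 'other'.

    Symlinks are not followed (lstat) so a link to /dev/null or a tmpfs file
    does not produce a false positive; the interesting mode is the one on the
    inode that would actually be opened.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; nothing to report
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IWOTH:
                hits.append(path)
    return sorted(hits)


def leaked_socket_fds(fds=None, proc_fd_dir="/proc/self/fd"):
    """Return the numbers of open socket descriptors lacking FD_CLOEXEC.

    A descriptor without FD_CLOEXEC survives execve(), so every program the
    session starts inherits it; that is what `ls -l /proc/self/fd` in a
    konsole showed. `fds` defaults to this process's own table via procfs.
    """
    if fds is None:
        try:
            fds = [int(e) for e in os.listdir(proc_fd_dir)]
        except OSError:
            return []  # no procfs (non-Linux); nothing to inspect
    leaked = []
    for fd in fds:
        try:
            if not stat.S_ISSOCK(os.fstat(fd).st_mode):
                continue
            flags = fcntl.fcntl(fd, fcntl.F_GETFD)
        except OSError:
            continue  # fd closed between listing and inspection
        if not flags & fcntl.FD_CLOEXEC:
            leaked.append(fd)
    return sorted(leaked)


def _self_test():
    """Constructed inputs so both checks can be demonstrated offline."""
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "hostname")
        bad = os.path.join(tmp, "machine-id")
        for p in (good, bad):
            with open(p, "w") as fh:
                fh.write("example\n")
        os.chmod(good, 0o644)
        os.chmod(bad, 0o666)  # the mode the systemd %post applied
        found = world_writable_files(tmp)
        assert found == [bad], found
    # Python opens sockets close-on-exec by default; make one end inheritable
    # to model a descriptor that a session would leak to its children.
    a, b = socket.socketpair()
    a.set_inheritable(True)
    try:
        leaked = leaked_socket_fds([a.fileno(), b.fileno()])
        assert leaked == [a.fileno()], leaked
    finally:
        a.close()
        b.close()
    return True


if __name__ == "__main__":
    print("world-writable under /etc:", world_writable_files("/etc"))
    print("inheritable socket fds:", leaked_socket_fds())
    print("self-test passed:", _self_test())
```

Run it from inside a desktop session to reproduce the second finding; the first check is the same test lynis and the permissions package perform, reduced to the one predicate that mattered here.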
--- Comment #9 from Ludwig Nussel

--- Comment #10 from Karol Babioch
> Please file bugs.

I've filed a bug for the machine-id issue: #1092269

Matthias will hopefully file a bug for the leaking file system descriptors today, since he knows some more details about it.

(In reply to Ludwig Nussel from comment #9)
> apart from that, are we done?

No, not completely. We are still working on it. Sorry that this takes a while, there is only so much we can do each day ;).
--- Comment #11 from Karol Babioch

--- Comment #12 from Karol Babioch

--- Comment #14 from Ludwig Nussel
> (In reply to Ludwig Nussel from comment #9)
> > apart from that, are we done?
>
> No, not completely. We are still working on it. Sorry that this takes a while, there is only so much we can do each day ;).

No pressure from my side. You guys will have to find ways to fix issues post release if there are any after all :-) I'm just asking if I can close the redmine task that I have for release management tracking.
--- Comment #15 from Matthias Gerstner

--- Comment #16 from Karol Babioch

--- Comment #17 from Karol Babioch

--- Comment #18 from Karol Babioch

--- Comment #19 from Karol Babioch
$RPM_SOURCE_DIR/%name-rpmlintrc
kauth/kauth.spec:91:echo "setBadness('suse-dbus-unauthorized-service', 0)" > $RPM_SOURCE_DIR/%name-rpmlintrc
kcm_sddm/.osc/kcm_sddm.spec:79: echo "setBadness('suse-dbus-unauthorized-service', 0)" > $RPM_SOURCE_DIR/%name-rpmlintrc
kcm_sddm/kcm_sddm.spec:79: echo "setBadness('suse-dbus-unauthorized-service', 0)" > $RPM_SOURCE_DIR/%name-rpmlintrc
kwalletmanager5/.osc/kwalletmanager5.spec:81:echo "setBadness('suse-dbus-unauthorized-service', 0)" > $RPM_SOURCE_DIR/%{name}-rpmlintrc
kwalletmanager5/kwalletmanager5.spec:81:echo "setBadness('suse-dbus-unauthorized-service', 0)" > $RPM_SOURCE_DIR/%{name}-rpmlintrc
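The "trawl rpmlintrc for bypasses of rpmlint checks" step behind this grep, as an added example that is not from the bug report or from openSUSE tooling: a scanner that reports setBadness() and addFilter() lines in rpmlintrc files and in .spec files (a bypass echoed into $RPM_SOURCE_DIR at build time never appears in the checked-in rpmlintrc, so a reviewer who looks only there misses it), skipping .osc/ working-copy duplicates so each bypass is counted once. The sample checkout, the SECURITY_CHECKS list and all function names are constructed for this example.

```python
"""Added example (not from the bug report): a small scanner for the
"trawl rpmlintrc for bypasses of rpmlint checks" audit step.

rpmlint checks can be dropped from a package's rpmlintrc with addFilter("...")
or weakened with setBadness("check-name", 0). A spec that echoes such a line
into $RPM_SOURCE_DIR/%{name}-rpmlintrc at build time, as the grep output
above shows, hides the bypass from anyone reviewing only the checked-in
rpmlintrc, so both file kinds are scanned and the origin is recorded.
"""
import re
from dataclasses import dataclass

SETBADNESS_RE = re.compile(r"""setBadness\(\s*['"]([^'"]+)['"]\s*,\s*(\d+)\s*\)""")
ADDFILTER_RE = re.compile(r"""addFilter\(\s*['"]([^'"]+)['"]""")

# Substrings of check names whose suppression an auditor should always look
# at. The list is this example's own choice, not an rpmlint or openSUSE setting.
SECURITY_CHECKS = ("suse-dbus-unauthorized-service", "permissions-",
                   "setuid", "setgid", "polkit-")


@dataclass(frozen=True)
class Bypass:
    path: str
    line: int
    kind: str        # "setBadness" or "addFilter"
    check: str
    badness: int     # 0 for addFilter: the check is dropped entirely
    generated: bool  # written from a .spec at build time, not checked in

    @property
    def security_relevant(self):
        return any(p in self.check for p in SECURITY_CHECKS)


def scan_file(path, text):
    """Return the Bypass entries found in one file's text."""
    generated = path.endswith(".spec")
    found = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.strip().startswith("#"):
            continue  # a commented-out bypass is not active
        for m in SETBADNESS_RE.finditer(line):
            found.append(Bypass(path, lineno, "setBadness", m.group(1),
                                int(m.group(2)), generated))
        for m in ADDFILTER_RE.finditer(line):
            found.append(Bypass(path, lineno, "addFilter", m.group(1), 0, generated))
    return found


def scan_tree(files):
    """files: mapping of relative path -> content, e.g. built by walking a
    checkout. osc working-copy metadata under .osc/ duplicates the real
    file and is skipped so each bypass is counted once."""
    results = []
    for path in sorted(files):
        if "/.osc/" in path or path.startswith(".osc/"):
            continue
        if not (path.endswith(".spec") or path.endswith("rpmlintrc")):
            continue
        results.extend(scan_file(path, files[path]))
    return results


def summarize(bypasses):
    """Map check name -> sorted 'path:line' list, so a reviewer can see how
    many packages silence the same check."""
    by_check = {}
    for b in bypasses:
        by_check.setdefault(b.check, []).append(f"{b.path}:{b.line}")
    return {k: sorted(v) for k, v in by_check.items()}


# Constructed sample checkout modelled on the grep output; not real sources.
SAMPLE_FILES = {
    "kauth/kauth.spec": "Name: kauth\n%build\necho \"setBadness('suse-dbus-unauthorized-service', 0)\" > $RPM_SOURCE_DIR/%name-rpmlintrc\n",
    "kcm_sddm/kcm_sddm.spec": "%build\n echo \"setBadness('suse-dbus-unauthorized-service', 0)\" > $RPM_SOURCE_DIR/%name-rpmlintrc\n",
    "kcm_sddm/.osc/kcm_sddm.spec": "%build\n echo \"setBadness('suse-dbus-unauthorized-service', 0)\" > $RPM_SOURCE_DIR/%name-rpmlintrc\n",
    "foo/foo-rpmlintrc": "# addFilter(\"setuid-binary\")\naddFilter(\"no-manual-page-for-binary\")\nsetBadness('permissions-file-setuid-bit', 0)\n",
    "bar/README": "setBadness('this-is-not-a-spec', 0)\n",
}


def scan_sample():
    return scan_tree(SAMPLE_FILES)


if __name__ == "__main__":
    for b in scan_sample():
        flag = "SECURITY" if b.security_relevant else "info"
        src = "generated-from-spec" if b.generated else "rpmlintrc"
        print(f"{flag:8} {b.kind:10} {b.check:35} badness={b.badness} {src} {b.path}:{b.line}")
```

On a real checkout, build the `files` mapping by walking the tree and reading every .spec and *rpmlintrc; a generated bypass for a security-relevant check is the case to raise with the packager, as was done for kauth, kcm_sddm and kwalletmanager5 here.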
--- Comment #20 from Ludwig Nussel

--- Comment #21 from Ludwig Nussel

--- Comment #22 from Ludwig Nussel

--- Comment #23 from Karol Babioch

--- Comment #24 from Fabian Vogt

--- Comment #25 from Karol Babioch

--- Comment #26 from Swamp Workflow Management

--- Comment #27 from Karol Babioch

--- Comment #28 from Karol Babioch

--- Comment #29 from Fabian Vogt
> Another finding with setBadness() work-around: kdesu
> https://build.opensuse.org/package/view_file/KDE:Frameworks5/kdesu/kdesu.spec?expand=1
> Request to get rid: https://build.opensuse.org/request/show/607501

Well, that was not actually enabled: %if 0%{?suse_version} <= 1310
--- Comment #30 from Karol Babioch

--- Comment #31 from Fabian Vogt
> Nope, but still not necessary in Factory and Leap 15.0 any more (same as with previous findings).

Yes, but it's not necessary to have this change in Leap 15 to pass this audit - the submission deadline is closed.
--- Comment #32 from Andreas Stieger

--- Comment #33 from Karol Babioch