[Bug 849739] New: AUDIT-0: kwalletmanager: Security Review requested due to suse-dbus-unauthorized-service, polkit-untracked-privilege and polkit-cant-acquire-privilege
https://bugzilla.novell.com/show_bug.cgi?id=849739
https://bugzilla.novell.com/show_bug.cgi?id=849739#c0

Summary: AUDIT-0: kwalletmanager: Security Review requested due to suse-dbus-unauthorized-service, polkit-untracked-privilege and polkit-cant-acquire-privilege
Classification: openSUSE
Product: openSUSE Factory
Version: 13.2 Milestone 0
Platform: Other
OS/Version: Other
Status: NEW
Severity: Major
Priority: P5 - None
Component: Security
AssignedTo: security-team@suse.de
ReportedBy: hrvoje.senjan@gmail.com
QAContact: qa-bugs@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36 SUSE/31.0.1650.48

Due to changes in kwalletmanager for KDE's 4.12 release, we're requesting whitelisting the following:

kwalletmanager.i586: E: suse-dbus-unauthorized-service (Badness: 100) /usr/share/dbus-1/system-services/org.kde.kcontrol.kcmkwallet.service
kwalletmanager.i586: E: suse-dbus-unauthorized-service (Badness: 100) /etc/dbus-1/system.d/org.kde.kcontrol.kcmkwallet.conf
The package installs a DBUS system service file. If the package is intended for inclusion in any SUSE product please open a bug report to request review of the service by the security team.

kwalletmanager.i586: E: polkit-unauthorized-privilege (Badness: 100) org.kde.kcontrol.kcmkwallet.save (??:no:auth_self_keep)
The package allows unprivileged users to carry out privileged operations without authentication. This could cause security problems if not done carefully. If the package is intended for inclusion in any SUSE product please open a bug report to request review of the package by the security team

kwalletmanager.i586: I: polkit-cant-acquire-privilege org.kde.kcontrol.kcmkwallet.save (??:no:auth_self_keep)
Usability can be improved by allowing users to acquire privileges via authentication. Use e.g. 'auth_admin' instead of 'no' and make sure to define 'allow_any'. This is an issue only if the privilege is not listed in /etc/polkit-default-privs.*

Changes are introduced with this commit: http://quickgit.kde.org/?p=kwallet.git&a=commit&h=717f925b77f13c54e92ecd81ea92487f933a1915

Reproducible: Always

-- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
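As an added illustration (not part of the bug report, the kwallet package or rpmlint itself), the classification behind the two polkit messages in comment #0, applied to a constructed .policy carrying the reported defaults and to the hardened defaults the rpmlint hint suggests. The rules are my reading of the openSUSE rpmlint polkit check, and `policy_xml` and `audit_policy` are hypothetical helpers written for this example.

```python
import xml.etree.ElementTree as ET

LEVELS = ("allow_any", "allow_inactive", "allow_active")


def policy_xml(action_id, defaults):
    """Build a minimal polkit .policy document (constructed test input)."""
    body = "".join(f"<{k}>{v}</{k}>" for k, v in defaults.items())
    return (f'<policyconfig><action id="{action_id}">'
            f"<defaults>{body}</defaults></action></policyconfig>")


ACTION = "org.kde.kcontrol.kcmkwallet.save"
# As rpmlint reported it: allow_any undefined, i.e. (??:no:auth_self_keep)
WEAK_POLICY = policy_xml(ACTION, {"allow_inactive": "no",
                                  "allow_active": "auth_self_keep"})
# Following the rpmlint hint: auth_admin instead of no, allow_any defined
HARDENED_POLICY = policy_xml(ACTION, {"allow_any": "auth_admin",
                                      "allow_inactive": "auth_admin",
                                      "allow_active": "auth_admin_keep"})


def audit_policy(policy_text, whitelist=()):
    """Map each action id to (allow_any:allow_inactive:allow_active, findings).

    Rules modelled on the rpmlint check (assumption): a level that is neither
    'no' nor auth_admin* is an unauthorized privilege; a level that is 'no' or
    left undefined ('??') means users cannot acquire it by authenticating.
    Actions listed in polkit-default-privs (the whitelist) get no findings.
    """
    results = {}
    for action in ET.fromstring(policy_text).iter("action"):
        action_id = action.get("id")
        defaults = action.find("defaults")
        settings = {}
        for level in LEVELS:
            node = None if defaults is None else defaults.find(level)
            settings[level] = node.text.strip() if node is not None and node.text else "??"
        triple = ":".join(settings[level] for level in LEVELS)
        findings = []
        if action_id not in whitelist:
            unauthorized = any(v not in ("no", "??") and not v.startswith("auth_admin")
                               for v in settings.values())
            findings.append("polkit-unauthorized-privilege" if unauthorized
                            else "polkit-untracked-privilege")
            if any(v in ("no", "??") for v in settings.values()):
                findings.append("polkit-cant-acquire-privilege")
        results[action_id] = (triple, findings)
    return results
```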
https://bugzilla.novell.com/show_bug.cgi?id=849739#c1
--- Comment #1 from Sebastian Krahmer
From my understanding a wallet is something that should run in the user session, therefore a DBUS session bus?!
https://bugzilla.novell.com/show_bug.cgi?id=849739#c2
--- Comment #2 from Sebastian Krahmer
https://bugzilla.novell.com/show_bug.cgi?id=849739#c3
--- Comment #3 from Sebastian Krahmer
https://bugzilla.novell.com/show_bug.cgi?id=849739#c4
--- Comment #4 from Hrvoje Senjan
Can you paste the org.kde.kcontrol.kcmkwallet.conf that you want to use? It seems not to be part of the kwallet git.
/etc/dbus-1/system.d/org.kde.kcontrol.kcmkwallet.conf

<!DOCTYPE busconfig PUBLIC
 "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <!-- Only user root can own the foo helper -->
  <policy user="root">
    <allow own="org.kde.kcontrol.kcmkwallet"/>
  </policy>
</busconfig>

/usr/share/dbus-1/system-services/org.kde.kcontrol.kcmkwallet.service

[D-BUS Service]
Name=org.kde.kcontrol.kcmkwallet
Exec=/usr/lib64/kde4/libexec/kcm_kwallet_helper
User=root
https://bugzilla.novell.com/show_bug.cgi?id=849739#c5
--- Comment #5 from Bernhard Wiedemann
https://bugzilla.novell.com/show_bug.cgi?id=849739#c6
--- Comment #6 from Sebastian Krahmer
https://bugzilla.novell.com/show_bug.cgi?id=849739#c7
--- Comment #7 from Hrvoje Senjan
done
Hm, we still have:

[ 43s] kwalletmanager.x86_64: E: suse-dbus-unauthorized-service (Badness: 10000) /usr/share/dbus-1/system-services/org.kde.kcontrol.kcmkwallet.service
[ 43s] kwalletmanager.x86_64: E: suse-dbus-unauthorized-service (Badness: 10000) /etc/dbus-1/system.d/org.kde.kcontrol.kcmkwallet.conf

Rpmlint not yet submitted?
https://bugzilla.novell.com/show_bug.cgi?id=849739#c8
--- Comment #8 from Raymond Wooninck
https://bugzilla.novell.com/show_bug.cgi?id=849739#c9
--- Comment #9 from Bernhard Wiedemann
https://bugzilla.novell.com/show_bug.cgi?id=849739#c11
--- Comment #11 from Bernhard Wiedemann
Nina Kuckländer