[Bug 1169614] New: AUDIT-0: cockpit: setuid, dbus, pam
http://bugzilla.opensuse.org/show_bug.cgi?id=1169614

Bug ID: 1169614
Summary: AUDIT-0: cockpit: setuid, dbus, pam
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: lnussel@suse.com
QA Contact: security-team@suse.de
CC: kkaempf@suse.com
Found By: ---
Blocker: ---

For my package found in OBS in https://build.opensuse.org/package/show/systemsmanagement:cockpit/cockpit I would like a whitelisting for the following rpmlint error:

[ 395s] cockpit-ws.x86_64: E: permissions-file-setuid-bit (Badness: 100) /usr/lib/cockpit-session is packaged with setuid/setgid bits (04750)
[ 395s] If the package is intended for inclusion in any SUSE product
[ 395s] please open a bug report to request review of the program by the
[ 395s] security team. Please refer to
[ 395s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for
[ 395s] more information.
[ 395s]
[ 395s] cockpit-bridge.x86_64: E: polkit-untracked-privilege (Badness: 100) org.cockpit-project.cockpit.root-bridge (auth_admin:auth_admin:auth_admin)
[ 395s] The privilege is not listed in /etc/polkit-default-privs.* which
[ 395s] makes it harder for admins to find. Furthermore polkit
[ 395s] authorization checks can easily introduce security issues. If the
[ 395s] package is intended for inclusion in any SUSE product please open
[ 395s] a bug report to request review of the package by the security team.
[ 395s] Please refer to
[ 395s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for
[ 395s] more information.
[ 395s]
[ 395s] cockpit-ws.x86_64: E: suse-pam-unauthorized-module (Badness: 10) pam_cockpit_cert.so
[ 395s] cockpit-ws.x86_64: E: suse-pam-unauthorized-module (Badness: 10) pam_ssh_add.so
[ 395s] The package installs a PAM module. If the package is intended for
[ 395s] inclusion in any SUSE product please open a bug report to request
[ 395s] review of the service by the security team. Please refer to
[ 395s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs

--
You are receiving this mail because:
You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1169614#c1

--- Comment #1 from Ludwig Nussel <lnussel@suse.com> ---
Upstream git: https://github.com/cockpit-project/cockpit/

Upstream Martin was in security for Ubuntu before, so in case you find issues feel free to talk to him; you will find open ears there.

http://bugzilla.opensuse.org/show_bug.cgi?id=1169614#c25

--- Comment #25 from OBSbugzilla Bot <bwiedemann+obsbugzillabot@suse.com> ---
This is an autogenerated message for OBS integration:
This bug (1169614) was mentioned in
https://build.opensuse.org/request/show/931965 15.3 / permissions