[Bug 1133082] New: Base:System/fwupd: updating build to 1.2.7 needs new polkit privileges
http://bugzilla.opensuse.org/show_bug.cgi?id=1133082

Bug ID: 1133082
Summary: Base:System/fwupd: updating build to 1.2.7 needs new polkit privileges
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: maurizio.galli@gmail.com
QA Contact: qa-bugs@suse.de
CC: glin@suse.com
Found By: ---
Blocker: ---

Created attachment 803402
--> http://bugzilla.opensuse.org/attachment.cgi?id=803402&action=edit
fwupd 1.2.7 build log

Updating the fwupd build to the current 1.2.7 needs the attention of the security team.

[ 158s] RPMLINT report:
[ 158s] ===============
[ 167s] fwupd.x86_64: I: polkit-cant-acquire-privilege org.freedesktop.fwupd.device-activate (auth_admin:no:auth_admin_keep)
[ 167s] fwupd.x86_64: I: polkit-cant-acquire-privilege org.freedesktop.fwupd.self-sign (auth_admin:no:auth_admin_keep)
[ 167s] fwupd.x86_64: I: polkit-cant-acquire-privilege org.freedesktop.fwupd.set-approved-firmware (auth_admin:no:auth_admin_keep)
[ 167s] Usability can be improved by allowing users to acquire privileges via
[ 167s] authentication. Use e.g. 'auth_admin' instead of 'no' and make sure to define
[ 167s] 'allow_any'. This is an issue only if the privilege is not listed in
[ 167s] /etc/polkit-default-privs.*
[ 167s]
[ 167s] fwupd.x86_64: W: files-duplicate /etc/pki/fwupd/GPG-KEY-Linux-Vendor-Firmware-Service /etc/pki/fwupd-metadata/GPG-KEY-Linux-Vendor-Firmware-Service
[ 167s] fwupd.x86_64: W: files-duplicate /etc/pki/fwupd/LVFS-CA.pem /etc/pki/fwupd-metadata/LVFS-CA.pem
[ 167s] fwupd.x86_64: W: non-conffile-in-etc /etc/dbus-1/system.d/org.freedesktop.fwupd.conf
[ 167s] fwupd.x86_64: W: non-conffile-in-etc /etc/pki/fwupd-metadata/GPG-KEY-Linux-Foundation-Metadata
[ 167s] fwupd.x86_64: W: non-conffile-in-etc /etc/pki/fwupd-metadata/GPG-KEY-Linux-Vendor-Firmware-Service
[ 167s] fwupd.x86_64: W: non-conffile-in-etc /etc/pki/fwupd-metadata/LVFS-CA.pem
[ 167s] fwupd.x86_64: W: non-conffile-in-etc /etc/pki/fwupd/GPG-KEY-Hughski-Limited
[ 167s] fwupd.x86_64: W: non-conffile-in-etc /etc/pki/fwupd/GPG-KEY-Linux-Foundation-Firmware
[ 167s] fwupd.x86_64: W: non-conffile-in-etc /etc/pki/fwupd/GPG-KEY-Linux-Vendor-Firmware-Service
[ 167s] fwupd.x86_64: W: non-conffile-in-etc /etc/pki/fwupd/LVFS-CA.pem
[ 167s] A non-executable file in your package is being installed in /etc, but is not a
[ 167s] configuration file. All non-executable files in /etc should be configuration
[ 167s] files. Mark the file as %config in the spec file.
[ 167s]
[ 167s] fwupd.x86_64: W: obsolete-not-provided fwupdate
[ 167s] If a package is obsoleted by a compatible replacement, the obsoleted package
[ 167s] should also be provided in order to not cause unnecessary dependency breakage.
[ 167s] If the obsoleting package is not a compatible replacement for the old one,
[ 167s] leave out the Provides.
[ 167s]
[ 167s] fwupd.x86_64: W: pem-certificate /etc/pki/fwupd-metadata/LVFS-CA.pem
[ 167s] fwupd.x86_64: W: pem-certificate /etc/pki/fwupd/LVFS-CA.pem
[ 167s] Shipping a PEM certificate is likely wrong. If used for the default
[ 167s] configuration, this is insecure ( since the certificate is public ). If this
[ 167s] is used for validation, ie a CA certificate store, then this must be kept up
[ 167s] to date due to CA compromise. The only valid reason is for testing purpose, so
[ 167s] ignore this warning if this is the case.
[ 167s]
[ 167s] fwupd.x86_64: W: polkit-unauthorized-rules /usr/share/polkit-1/rules.d/org.freedesktop.fwupd.rules
[ 167s] A polkit rules file installed by this package is not whitelisted in the
[ 167s] polkit-whitelisting package. If the package is intended for inclusion in any
[ 167s] SUSE product please open a bug report to request review of the package by the
[ 167s] security team. Please refer to
[ 167s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for
[ 167s] more information.
[ 167s]
[ 167s] fwupd.x86_64: E: polkit-untracked-privilege (Badness: 10000) org.freedesktop.fwupd.device-activate (auth_admin:no:auth_admin_keep)
[ 167s] fwupd.x86_64: E: polkit-untracked-privilege (Badness: 10000) org.freedesktop.fwupd.self-sign (auth_admin:no:auth_admin_keep)
[ 167s] fwupd.x86_64: E: polkit-untracked-privilege (Badness: 10000) org.freedesktop.fwupd.set-approved-firmware (auth_admin:no:auth_admin_keep)
[ 167s] The privilege is not listed in /etc/polkit-default-privs.* which makes it
[ 167s] harder for admins to find. Furthermore polkit authorization checks can easily
[ 167s] introduce security issues. If the package is intended for inclusion in any
[ 167s] SUSE product please open a bug report to request review of the package by the
[ 167s] security team. Please refer to
[ 167s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for
[ 167s] more information.
[ 167s]
[ 167s] (none): E: badness 30000 exceeds threshold 1000, aborting.
[ 167s] 7 packages and 0 specfiles checked; 3 errors, 14 warnings.
[ 167s]
[ 167s]
[ 167s] lamb16 failed "build fwupd.spec" at Mon Apr 22 16:11:43 UTC 2019.

Reference OBS: https://build.opensuse.org/package/show/home:mauriziogalli:branches:Base:Sys...

Full build log attached.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
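The two polkit findings rpmlint raises above come from comparing each action's defaults triple (allow_any:allow_inactive:allow_active) in the package's .policy file against the entries tracked in /etc/polkit-default-privs.*. The following is an added example that re-creates that comparison; it is not rpmlint's code or fwupd's policy file. The .policy XML and the polkit-default-privs excerpt are constructed here, modelled on the fwupd action ids and values printed in the report.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the fwupd actions rpmlint flagged above (not the real policy file).
POLICY_XML = """<policyconfig>
  <action id="org.freedesktop.fwupd.device-activate">
    <defaults><allow_any>auth_admin</allow_any><allow_inactive>no</allow_inactive><allow_active>auth_admin_keep</allow_active></defaults>
  </action>
  <action id="org.freedesktop.fwupd.self-sign">
    <defaults><allow_any>auth_admin</allow_any><allow_inactive>no</allow_inactive><allow_active>auth_admin_keep</allow_active></defaults>
  </action>
</policyconfig>"""

# Constructed /etc/polkit-default-privs.* excerpt: "<action> <any>:<inactive>:<active>";
# a value without colons applies to all three contexts. Only self-sign is tracked here.
DEFAULT_PRIVS = """
# fwupd
org.freedesktop.fwupd.self-sign    auth_admin:no:auth_admin_keep
"""

def parse_policy(xml_text):
    """Map each action id in a polkit .policy file to its 'any:inactive:active' triple."""
    out = {}
    for action in ET.fromstring(xml_text).iter("action"):
        d = action.find("defaults")
        out[action.get("id")] = ":".join(
            (d.findtext(tag) or "no").strip()  # polkit treats an omitted element as "no"
            for tag in ("allow_any", "allow_inactive", "allow_active"))
    return out

def parse_default_privs(text):
    """Parse polkit-default-privs lines into {action: 'any:inactive:active'}, skipping comments."""
    tracked = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            tracked[fields[0]] = fields[1] if ":" in fields[1] else ":".join([fields[1]] * 3)
    return tracked

def lint(policy, tracked):
    """Reproduce the two rpmlint polkit findings quoted in the report."""
    findings = []
    for action, triple in sorted(policy.items()):
        if action in tracked:
            continue  # listed in polkit-default-privs: admins can find and override it
        findings.append(("polkit-untracked-privilege", action, triple))
        if "no" in triple.split(":"):  # the usability hint only matters when untracked
            findings.append(("polkit-cant-acquire-privilege", action, triple))
    return findings
```

Running lint(parse_policy(POLICY_XML), parse_default_privs(DEFAULT_PRIVS)) reports only device-activate, which is exactly what the whitelisting update requested in this bug makes go away once the action is tracked.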
http://bugzilla.opensuse.org/show_bug.cgi?id=1133082#c8

--- Comment #8 from Gary Ching-Pang Lin <glin@suse.com> ---

I checked the upstream git and found that 1.2.8 was released. However, there is a new request for polkit: org.freedesktop.fwupd.modify-config

https://github.com/hughsie/fwupd/commit/bfcf75b7a63d455842596e7d1a8323140c74...

@Maurizio Do you plan to update to 1.2.8 or just stay on 1.2.7? If you update to 1.2.8, maybe we can review the new request altogether.
http://bugzilla.opensuse.org/show_bug.cgi?id=1133082#c9

--- Comment #9 from Maurizio Galli <maurizio.galli@gmail.com> ---

(In reply to Gary Ching-Pang Lin from comment #8)
> I checked the upstream git and found that 1.2.8 was released. However, there is a new request for polkit: org.freedesktop.fwupd.modify-config
>
> https://github.com/hughsie/fwupd/commit/bfcf75b7a63d455842596e7d1a8323140c747134#diff-b8a6d40fe247182f0e2843db28334229
>
> @Maurizio Do you plan to update to 1.2.8 or just stay on 1.2.7? If you update to 1.2.8, maybe we can review the new request altogether.

Yes, I would probably update. Do I SR 1.2.7 to you first, since it's already been audited, and open a new report for 1.2.8? Or do we continue on this thread?
http://bugzilla.opensuse.org/show_bug.cgi?id=1133082#c10

--- Comment #10 from Gary Ching-Pang Lin <glin@suse.com> ---

(In reply to Maurizio Galli from comment #9)
> (In reply to Gary Ching-Pang Lin from comment #8)
>> I checked the upstream git and found that 1.2.8 was released. However, there is a new request for polkit: org.freedesktop.fwupd.modify-config
>>
>> https://github.com/hughsie/fwupd/commit/bfcf75b7a63d455842596e7d1a8323140c747134#diff-b8a6d40fe247182f0e2843db28334229
>>
>> @Maurizio Do you plan to update to 1.2.8 or just stay on 1.2.7? If you update to 1.2.8, maybe we can review the new request altogether.
>
> Yes, I would probably update. Do I SR 1.2.7 to you first, since it's already been audited, and open a new report for 1.2.8? Or do we continue on this thread?

It's up to you :) I'd prefer continuing on this thread so that we can update all the way to 1.2.8. If you really need 1.2.7, then we can update to 1.2.7 first and do the audit for 1.2.8 later.
http://bugzilla.opensuse.org/show_bug.cgi?id=1133082#c17

--- Comment #17 from Maurizio Galli <maurizio.galli@gmail.com> ---

(In reply to Matthias Gerstner from comment #15)
> Okay, I've looked at the additional rule and it also is sane. An updated whitelisting is on its way to Factory.

Thank you! I will SR the update to the devel project.