[Bug 650401] New: GNOME Power Manager: Wants root access to change laptop brightness
https://bugzilla.novell.com/show_bug.cgi?id=650401

https://bugzilla.novell.com/show_bug.cgi?id=650401#c0

Summary: GNOME Power Manager: Wants root access to change laptop brightness
Classification: openSUSE
Product: openSUSE 11.4
Version: Factory
Platform: x86-64
OS/Version: SuSE Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: GNOME
AssignedTo: bnc-team-gnome@forge.provo.novell.com
ReportedBy: r.seete@gmail.com
QAContact: qa@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-gb) AppleWebKit/534.7+ (KHTML, like Gecko) Version/5.0 Safari/534.7+ SUSE/11.4 (2.30.6-4.1) Epiphany/2.30.6

GNOME opens an authentication window for an action that should not require root access (changing brightness on a laptop).

Reproducible: Always

Steps to Reproduce:
1. Log in to GNOME desktop
2. Attempt to change laptop screen brightness
3.

Actual Results:
Brightness changes, but a window opens claiming:

"Authentication is required to modify the laptop brightness"

Command: /usr/sbin/gnome-power-backlight-helper --set-brightness xx
Run As: Super User (root)
Action: org.gnome.power.backlight-helper
Vendor: GNOME Power Manager

Expected Results:
Change brightness without invoking a policykit authentication window.

In an install of M2 (updated to recent factory) the window is persistent. Using a recent GNOME Live CD (build 826), the window quickly flashes on screen and then closes.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=650401#c1

Vincent Untz <vuntz@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |vuntz@novell.com
          Component|GNOME                       |Basesystem
         AssignedTo|bnc-team-gnome@forge.provo. |lnussel@novell.com
                   |novell.com                  |
            Summary|GNOME Power Manager: Wants  |polkit-default-privs: g-p-m
                   |root access to change       |wants root access to change
                   |laptop brightness           |laptop brightness

--- Comment #1 from Vincent Untz <vuntz@novell.com> 2010-11-19 17:24:02 UTC ---
That's really a bug in polkit-default-privs:

# gnome-power-manager
org.gnome.power.backlight-helper auth_admin

It should not be auth_admin, but something like auth_admin:auth_admin:yes.

https://bugzilla.novell.com/show_bug.cgi?id=650401#c

Gabriel Burt <gburt@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |655063

https://bugzilla.novell.com/show_bug.cgi?id=650401#c2

Gabriel Burt <gburt@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |gburt@novell.com

--- Comment #2 from Gabriel Burt <gburt@novell.com> 2010-11-19 20:56:35 UTC ---
I see this too, but I noticed the brightness changes anyway (before or even if I don't auth); I filed bug #655063 for that.

https://bugzilla.novell.com/show_bug.cgi?id=650401#c3

Ludwig Nussel <lnussel@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|lnussel@novell.com          |security-team@suse.de
            Summary|polkit-default-privs: g-p-m |AUDIT-0:
                   |wants root access to change |polkit-default-privs: g-p-m
                   |laptop brightness           |wants root access to change
                   |                            |laptop brightness

--- Comment #3 from Ludwig Nussel <lnussel@novell.com> 2010-11-22 08:00:15 CET ---
needs review

https://bugzilla.novell.com/show_bug.cgi?id=650401#c4

JP Rosevear <jpr@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |terje@nordland-teknikk.no

--- Comment #4 from JP Rosevear <jpr@novell.com> 2010-12-31 21:44:23 UTC ---
*** Bug 661488 has been marked as a duplicate of this bug. ***
http://bugzilla.novell.com/show_bug.cgi?id=661488

https://bugzilla.novell.com/show_bug.cgi?id=650401#c5

--- Comment #5 from JP Rosevear <jpr@novell.com> 2010-12-31 21:45:49 UTC ---
I also have the problem, rather annoying when testing and poor user experience. Suggest this become a P1 (must fix for release).

https://bugzilla.novell.com/show_bug.cgi?id=650401#c6

Herman Oosthuysen <herman@aeronetworks.ca> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |herman@aeronetworks.ca

--- Comment #6 from Herman Oosthuysen <herman@aeronetworks.ca> 2011-01-26 02:46:53 UTC ---
I also see it and the same thing happens when you change the hard disk spin down time in the Gnome power savings mode with Gconf. It causes a pop-up at boot time. It is probably all related, so I don't want to open a new bug report for this one.

https://bugzilla.novell.com/show_bug.cgi?id=650401#c7

--- Comment #7 from Herman Oosthuysen <herman@aeronetworks.ca> 2011-01-26 04:17:26 UTC ---
(In reply to comment #6)
> I also see it and the same thing happens when you change the hard disk spin down time in the Gnome power savings mode with Gconf. It causes a pop-up at boot time. It is probably all related, so I don't want to open a new bug report for this one.

Bah - I also get two more pop-ups when I try to connect to a WiFi access point with the network manager thingy. This is a really annoying user experience.

https://bugzilla.novell.com/show_bug.cgi?id=650401#c8

--- Comment #8 from Herman Oosthuysen <herman@aeronetworks.ca> 2011-01-26 07:27:16 UTC ---
OK, here is my crude workaround. It may grant more privileges than an ordinary mortal may need.

I created file /etc/polkit-default-privs.local:

#
# Note that you need to run /sbin/set_polkit_default_privs for
# changes to take effect.
#
# Format:
# <privilege> <any>:<inactive>:<active>
#
org.freedesktop.network-manager-settings.system.modify yes
org.freedesktop.network-manager-settings.system.hostname.modify yes
org.freedesktop.network-manager-settings.system.wifi.share.protected yes
org.freedesktop.network-manager-settings.system.wifi.share.open yes
org.freedesktop.NetworkManager.enable-disable-network yes
org.freedesktop.NetworkManager.enable-disable-wifi yes
org.freedesktop.NetworkManager.enable-disable-wwan yes
org.freedesktop.NetworkManager.use-user-connections yes
org.freedesktop.NetworkManager.network-control yes
org.freedesktop.NetworkManager.sleep-wake yes
org.freedesktop.hal.power-management.shutdown yes
org.freedesktop.hal.power-management.shutdown-multiple-sessions yes
org.freedesktop.hal.power-management.reboot yes
org.freedesktop.hal.power-management.reboot-multiple-sessions yes
org.freedesktop.hal.power-management.set-powersave yes
org.freedesktop.hal.power-management.suspend yes
org.freedesktop.hal.power-management.hibernate yes
org.freedesktop.hal.power-management.standby yes
org.freedesktop.hal.power-management.cpufreq yes
org.freedesktop.hal.power-management.lcd-panel yes
org.freedesktop.hal.power-management.light-sensor yes
org.freedesktop.hal.power-management.keyboard-backlight yes
org.freedesktop.hal.dockstation.undock yes
org.freedesktop.hal.leds.brightness yes
org.freedesktop.udisks.drive-set-spindown yes
org.freedesktop.upower.suspend yes
org.freedesktop.upower.hibernate yes
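
Added example, not part of the thread or of polkit-default-privs itself: a small audit of a file in the `<privilege> <any>:<inactive>:<active>` format quoted above, listing privileges granted `yes` to sessions other than the active local one. It assumes that a single value (as in `auth_admin` or `yes`) applies to all three contexts; the sample input is constructed from privilege names quoted in this thread.

```python
# Added example: audit polkit-default-privs style entries (not project code).
VALUES = {"no", "auth_self", "auth_self_keep", "auth_admin", "auth_admin_keep", "yes"}
CONTEXTS = ("any", "inactive", "active")

# Constructed sample using privilege names quoted in the thread.
SAMPLE = """\
# <privilege> <any>:<inactive>:<active>
org.gnome.power.backlight-helper                auth_admin:auth_admin:yes
org.freedesktop.udisks.drive-set-spindown       yes
org.freedesktop.NetworkManager.network-control  yes
"""


def parse_privs(text):
    """Return {privilege: {context: value}} for each non-comment line."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected '<privilege> <spec>': {raw!r}")
        privilege, spec = fields
        parts = spec.split(":")
        if len(parts) == 1:
            parts = parts * 3  # assumption: one value covers all three contexts
        if len(parts) != 3 or not all(p in VALUES for p in parts):
            raise ValueError(f"line {lineno}: bad authorization spec {spec!r}")
        entries[privilege] = dict(zip(CONTEXTS, parts))
    return entries


def audit(entries):
    """List (privilege, contexts) granted 'yes' outside the active local session."""
    findings = []
    for privilege in sorted(entries):
        exposed = [c for c in ("any", "inactive") if entries[privilege][c] == "yes"]
        if exposed:
            findings.append((privilege, exposed))
    return findings


if __name__ == "__main__":
    for privilege, exposed in audit(parse_privs(SAMPLE)):
        print(f"{privilege}: 'yes' without authentication for {', '.join(exposed)}")
```

The `auth_admin:auth_admin:yes` form suggested in comment #1 passes this check, while the blanket `yes` entries of the workaround are reported for both the `any` and `inactive` contexts.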

https://bugzilla.novell.com/show_bug.cgi?id=650401#c9

--- Comment #9 from Ludwig Nussel <lnussel@novell.com> 2011-01-26 08:44:31 CET ---
please file separate bugs for privileges of separate programs. We need to review each program individually.

https://bugzilla.novell.com/show_bug.cgi?id=650401#c10

--- Comment #10 from Ludwig Nussel <lnussel@novell.com> 2011-01-26 13:42:30 CET ---
why is the helper binary called via pkexec? That's just like setuid root. It would be better to have a dbus service instead.

https://bugzilla.novell.com/show_bug.cgi?id=650401#c11

--- Comment #11 from Vincent Untz <vuntz@novell.com> 2011-01-26 13:04:50 UTC ---
(In reply to comment #10)
> why is the helper binary called via pkexec? That's just like setuid root. It would be better to have a dbus service instead.

Asking upstream: it was mostly to avoid some unneeded overhead.

Note that /usr/share/polkit-1/actions/org.gnome.power.policy explicitly configures the policy to apply only to this binary with pkexec.

https://bugzilla.novell.com/show_bug.cgi?id=650401#c12

--- Comment #12 from Ludwig Nussel <lnussel@novell.com> 2011-01-26 14:50:11 CET ---
(In reply to comment #11)
> Note that /usr/share/polkit-1/actions/org.gnome.power.policy explicitly configures the policy to apply only to this binary with pkexec.

Sure. Calling the helper binary via pkexec with a default policy that allows it however is almost equivalent to making the helper setuid root itself. That's why I hesitate to set the privilege to 'yes' without real audit.

https://bugzilla.novell.com/show_bug.cgi?id=650401#c13

--- Comment #13 from Vincent Untz <vuntz@novell.com> 2011-01-26 15:29:04 UTC ---
I think I'm missing something. What's the difference with a dbus-based polkit service, that would run as root too?

https://bugzilla.novell.com/show_bug.cgi?id=650401#c14

--- Comment #14 from Ludwig Nussel <lnussel@novell.com> 2011-01-26 16:42:25 CET ---
yes but that way it doesn't inherit the user's environment (env, fds, cwd, limits etc) iow less attack surface.

Anyways, I've set the privilege to 'yes' for 11.4. The audit should be done nevertheless at some point.

https://bugzilla.novell.com/show_bug.cgi?id=650401#c15

--- Comment #15 from Sebastian Krahmer <krahmer@novell.com> 2011-02-02 12:53:36 UTC ---
From my view it would be OK to make gpm-backlight-helper and xfpm-backlight-helper accessible via pkexec. It's actually the same code which just writes some values to /sys files.

I am not happy that privileged programs are linked against a lot of Glib and dbus related libraries though.

https://bugzilla.novell.com/show_bug.cgi?id=650401#c16

--- Comment #16 from Vincent Untz <vuntz@novell.com> 2011-02-17 09:57:44 UTC ---
(In reply to comment #15)
> From my view it would be OK to make gpm-backlight-helper and xfpm-backlight-helper accessible via pkexec. It's actually the same code which just writes some values to /sys files.

Does that mean we can close the bug? :-)

> I am not happy that privileged programs are linked against a lot of Glib and dbus related libraries though.

Unfortunately, with polkit, this is not going to change; on the contrary, it'll be more frequent, I think.

https://bugzilla.novell.com/show_bug.cgi?id=650401#c17

Rainer Hurtado Navarro <publio.escipion.el.africano@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |publio.escipion.el.africano
                   |                            |@gmail.com
         Resolution|                            |FIXED

--- Comment #17 from Rainer Hurtado Navarro <publio.escipion.el.africano@gmail.com> 2011-02-20 20:40:03 UTC ---
"This has been fixed in 11.4-RC1."

"(changed during the 2011-02-20 Open-Bugs-Day about bugs for obsolete versions of openSUSE)"

dom feb 20 20:37:56 UTC 2011