[Bug 798885] New: The latest update for PackageKit installs polkit files in order to enable offline updates (executed by systemd)
https://bugzilla.novell.com/show_bug.cgi?id=798885
https://bugzilla.novell.com/show_bug.cgi?id=798885#c0

Summary: The latest update for PackageKit installs polkit files in order to enable offline updates (executed by systemd)
Classification: openSUSE
Product: openSUSE Factory
Version: 12.3 Beta 1
Platform: Other
OS/Version: SUSE Other
Status: NEW
Severity: Critical
Priority: P5 - None
Component: Security
AssignedTo: security-team@suse.de
ReportedBy: tittiatcoke@gmail.com
QAContact: qa-bugs@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.26 (KHTML, like Gecko) Chrome/26.0.1383.0 Safari/537.26 SUSE/26.0.1383.0

The latest update of PackageKit (zypp backend was fixed by Stephan Kulow) incorporated offline updates (executed during startup/shutdown by systemd). However this caused installation of a couple of polkit files for which rpmlint is now complaining.

Currently I have resolved it by using a rpmlintrc file, but the target is to push this PackageKit update into 12.3 (Therefore I put the urgency at critical).

The output of the rpmlint is:

[  644s] PackageKit.x86_64: W: polkit-unauthorized-privilege org.freedesktop.packagekit.trigger-offline-update (no:no:yes)
[  644s] PackageKit.x86_64: W: polkit-unauthorized-privilege org.freedesktop.packagekit.clear-offline-update (no:no:yes)
[  644s] The package allows unprivileged users to carry out privileged operations
[  644s] without authentication. This could cause security problems if not done
[  644s] carefully. If the package is intended for inclusion in any SUSE product please
[  644s] open a bug report to request review of the package by the security team
[  644s]
[  644s] PackageKit.x86_64: I: polkit-cant-acquire-privilege org.freedesktop.packagekit.trigger-offline-update (no:no:yes)
[  644s] PackageKit.x86_64: I: polkit-cant-acquire-privilege org.freedesktop.packagekit.clear-offline-update (no:no:yes)
[  644s] Usability can be improved by allowing users to acquire privileges via
[  644s] authentication. Use e.g. 'auth_admin' instead of 'no' and make sure to define
[  644s] 'allow_any'. This is an issue only if the privilege is not listed in /etc
[  644s] /polkit-default-privs.*

The package itself will be coming from GNOME:Factory.

Reproducible: Always

Steps to Reproduce:
1.
2.
3.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=798885
https://bugzilla.novell.com/show_bug.cgi?id=798885#c
Marcus Meissner
https://bugzilla.novell.com/show_bug.cgi?id=798885
https://bugzilla.novell.com/show_bug.cgi?id=798885#c1
--- Comment #1 from Sebastian Krahmer
From that point it's more a policy decision whether you want users to allow that w/o asking for a password. I'd prefer that
https://bugzilla.novell.com/show_bug.cgi?id=798885
https://bugzilla.novell.com/show_bug.cgi?id=798885#c
Stephan Kulow
https://bugzilla.novell.com/show_bug.cgi?id=798885
https://bugzilla.novell.com/show_bug.cgi?id=798885#c2
--- Comment #2 from Marcus Meissner
https://bugzilla.novell.com/show_bug.cgi?id=798885
https://bugzilla.novell.com/show_bug.cgi?id=798885#c3
--- Comment #3 from Sebastian Krahmer
https://bugzilla.novell.com/show_bug.cgi?id=798885
https://bugzilla.novell.com/show_bug.cgi?id=798885#c4
--- Comment #4 from Marcus Meissner
https://bugzilla.novell.com/show_bug.cgi?id=798885
https://bugzilla.novell.com/show_bug.cgi?id=798885#c
Marcus Meissner
https://bugzilla.novell.com/show_bug.cgi?id=798885
https://bugzilla.novell.com/show_bug.cgi?id=798885#c5
--- Comment #5 from Sebastian Krahmer
https://bugzilla.novell.com/show_bug.cgi?id=798885
https://bugzilla.novell.com/show_bug.cgi?id=798885#c6
--- Comment #6 from Frederic Crozat
I guess it's everything done here, right? closing?
Well, we need some change on the default in polkit-default-privs and also approval from GNOME team members other than me :)
https://bugzilla.novell.com/show_bug.cgi?id=798885
https://bugzilla.novell.com/show_bug.cgi?id=798885#c7
--- Comment #7 from Sebastian Krahmer
https://bugzilla.novell.com/show_bug.cgi?id=798885
https://bugzilla.novell.com/show_bug.cgi?id=798885#c8
Marcus Meissner
https://bugzilla.novell.com/show_bug.cgi?id=798885
https://bugzilla.novell.com/show_bug.cgi?id=798885#c9
Marcus Meissner
https://bugzilla.novell.com/show_bug.cgi?id=798885
https://bugzilla.novell.com/show_bug.cgi?id=798885#c10
--- Comment #10 from Frederic Crozat
I actually did add it.

#
# PackageKit / systemd offline updates (bnc#798885)
#
org.freedesktop.packagekit.trigger-offline-update               no:no:auth_admin_keep
org.freedesktop.packagekit.clear-offline-update                 no:no:auth_admin_keep

on polkit-default-privs.standard, it should be changed to no:no:yes, admin password shouldn't be asked for those updates.
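
Added example, not part of the bug thread or of rpmlint: a simplified check, in the spirit of the warning quoted in the report, that compares the settings a package ships against a polkit-default-privs profile and lists every action granted without authentication. It assumes the usual allow_any:allow_inactive:allow_active field order; the function names parse_privs and review are illustrative, and the sample data is constructed from the values quoted in this thread.

```python
# Illustrative audit of polkit-default-privs style entries (added example).
VALID = {"no", "yes", "auth_self", "auth_self_keep", "auth_admin", "auth_admin_keep"}
FIELDS = ("allow_any", "allow_inactive", "allow_active")  # assumed field order

def parse_privs(text):
    """Return {action: (any, inactive, active)}; reject malformed lines."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or parts[1].count(":") != 2:
            raise ValueError(f"line {lineno}: malformed entry {raw!r}")
        values = tuple(parts[1].split(":"))
        bad = [v for v in values if v not in VALID]
        if bad:
            raise ValueError(f"line {lineno}: unknown setting {bad[0]!r}")
        entries[parts[0]] = values
    return entries

def review(packaged, profile):
    """List actions that grant 'yes' and are unlisted or differ from the profile."""
    findings = []
    for action, values in sorted(packaged.items()):
        open_fields = [f for f, v in zip(FIELDS, values) if v == "yes"]
        if not open_fields:
            continue                          # authentication is always required
        if action not in profile:
            findings.append((action, "unlisted", open_fields))
        elif profile[action] != values:
            findings.append((action, "differs-from-profile", open_fields))
    return findings

# Constructed sample: the profile entries quoted in comment #10 ...
PROFILE = """\
#
# PackageKit / systemd offline updates (bnc#798885)
#
org.freedesktop.packagekit.trigger-offline-update no:no:auth_admin_keep
org.freedesktop.packagekit.clear-offline-update no:no:auth_admin_keep
"""
# ... and the settings rpmlint reported for the package (no:no:yes).
PACKAGED = """\
org.freedesktop.packagekit.trigger-offline-update no:no:yes
org.freedesktop.packagekit.clear-offline-update no:no:yes
"""

if __name__ == "__main__":
    for action, status, fields in review(parse_privs(PACKAGED), parse_privs(PROFILE)):
        print(f"{action}: {status}; no authentication for {', '.join(fields)}")
```
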
https://bugzilla.novell.com/show_bug.cgi?id=798885
https://bugzilla.novell.com/show_bug.cgi?id=798885#c11
--- Comment #11 from Bernhard Wiedemann