[Bug 1226424] New: AUDIT-0: powerdevil6: New
https://bugzilla.suse.com/show_bug.cgi?id=1226424

            Bug ID: 1226424
           Summary: AUDIT-0: powerdevil6: New
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Security
          Assignee: security-team@suse.de
          Reporter: fabian@ritter-vogt.de
        QA Contact: qa-bugs@suse.de
  Target Milestone: ---
          Found By: ---
           Blocker: ---

Package: https://build.opensuse.org/package/show/KDE:Frameworks/powerdevil6
(but to allow TW inclusion it'll be disabled there temporarily)

rpmlint complaint:

[ 94s] powerdevil6.x86_64: E: polkit-user-privilege (Badness: 10000) org.kde.powerdevil.chargethresholdhelper.getconservationmode (no:yes:yes)
[ 94s] The package allows unprivileged users to carry out privileged operations
[ 94s] without root authentication. This could cause security problems if not done
[ 94s] carefully. If the package is intended for inclusion in any SUSE product please
[ 94s] open a bug report to request review of the package by the security team.
[ 94s] Please refer to
[ 94s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for
[ 94s] more information.
[ 94s]
[ 94s] powerdevil6.x86_64: E: polkit-untracked-privilege (Badness: 10000) org.kde.powerdevil.chargethresholdhelper.setconservationmode (no:no:auth_admin_keep)
[ 94s] The polkit action is not listed in the polkit-default-privs profiles which
[ 94s] makes it harder for admins to find. Furthermore improper polkit authorization
[ 94s] checks can easily introduce security issues. If the package is intended for
[ 94s] inclusion in any SUSE product please open a bug report to request review of
[ 94s] the package by the security team. Please refer to
[ 94s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for
[ 94s] more information.

Code: https://invent.kde.org/plasma/powerdevil/-/blob/master/daemon/chargethreshol...

--
You are receiving this mail because:
You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1226424

Fabian Vogt <fabian@ritter-vogt.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|AUDIT-0: powerdevil6: New   |AUDIT-0: powerdevil6: New
                   |                            |polkit actions for battery
                   |                            |conservation mode (charge
                   |                            |limit)