[opensuse-factory] rpmlint-checks: I: polkit-untracked-privilege will become an error
Hello,

the SUSE security team recently decided to turn the rpmlint check "polkit-untracked-privilege" into an error. Currently this is only an informational message. If you get messages like these in your package:

gvfs-backends.x86_64: I: polkit-untracked-privilege org.gtk.vfs.file-operations (no:no:auth_admin_keep)

then they will become an error with 10.000 extra badness in the future, as is the case with other polkit related errors. This affects all packages in openSUSE:Factory.

The rationale behind that is that even though these polkit rules seem harmless (only locally logged in users with admin privileges can acquire the polkit privilege), they can expose security issues. This is because the correct enforcement of the polkit policy is depending on the individual package's polkit adaption.

Therefore such packages must go through a review process with the security team. You can trigger this process by opening a bug against security-team@suse.de and adding an AUDIT prefix to the bug summary. For more about this please refer to this wiki page:

https://en.opensuse.org/openSUSE:Package_security_guidelines

We don't expect many packages to be affected by this. If you have any questions please reach out to us.

Thank you

Matthias

--
Matthias Gerstner <matthias.gerstner@suse.de>
Dipl.-Wirtsch.-Inf. (FH), Security Engineer
https://www.suse.com/security
Phone: +49 911 740 53 290
GPG Key ID: 0x14C405C971923553

SUSE Linux GmbH
GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nuernberg)
Hi,

On Fri, 2018-02-23 at 16:31 +0100, Matthias Gerstner wrote:
> Hello,
>
> the SUSE security team recently decided to turn the rpmlint check "polkit-untracked-privilege" into an error. Currently this is only an informational message. If you get messages like these in your package:
>
> gvfs-backends.x86_64: I: polkit-untracked-privilege org.gtk.vfs.file-operations (no:no:auth_admin_keep)
>
> then they will become an error with 10.000 extra badness in the future, as is the case with other polkit related errors. This affects all packages in openSUSE:Factory.

Looking forward to the errors in Staging, which will all need to get fixed before that check becomes an error in Factory.

> The rationale behind that is that even though these polkit rules seem harmless (only locally logged in users with admin privileges can acquire the polkit privilege), they can expose security issues. This is because the correct enforcement of the polkit policy is depending on the individual package's polkit adaption.
>
> Therefore such packages must go through a review process with the security team. You can trigger this process by opening a bug against security-team@suse.de and adding an AUDIT prefix to the bug summary. For more about this please refer to this wiki page:

So far the argument was that calling any such thing is at the same risk level as running any random binary using sudo. Which means every binary.

> https://en.opensuse.org/openSUSE:Package_security_guidelines
>
> We don't expect many packages to be affected by this. If you have any questions please reach out to us.

Sadly, this is a brp warning, not an rpmlint warning - otherwise we'd have at least some upfront information about it. At this time, it's a "let's get surprised how much will break" - not exactly my most favorite thing.

I'll see to get some information extracted from the 12k build logs of Factory - then we should have some better information about how many packages will be affected by this.

cheers
Dominique
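
The kind of build-log extraction mentioned in the message above, as an added example (not part of the thread, and not rpmlint's or the build service's own code): it pulls `polkit-untracked-privilege` lines out of log text, groups them by package, and marks which actions are gated on admin authentication in all three settings. The `[  212s]` log prefixes, the `example-daemon` lines, and reading the triple as any:inactive:active are assumptions; only the gvfs-backends line comes from the thread.

```python
import re
from collections import defaultdict

# Constructed sample build-log text; only the gvfs-backends message is from the thread.
SAMPLE_LOG = """\
[  212s] gvfs-backends.x86_64: I: polkit-untracked-privilege org.gtk.vfs.file-operations (no:no:auth_admin_keep)
[  212s] gvfs-backends.x86_64: W: no-manual-page-for-binary gvfs-example
[  305s] example-daemon.x86_64: I: polkit-untracked-privilege org.example.daemon.configure (auth_admin:auth_admin:yes)
[  305s] example-daemon.x86_64: I: polkit-untracked-privilege org.example.daemon.status (no:no:auth_admin_keep)
"""

# package.arch: severity: check action (any:inactive:active)
LINE_RE = re.compile(
    r"(?P<pkg>\S+)\.(?P<arch>[^.\s:]+): (?P<sev>[IWE]): polkit-untracked-privilege "
    r"(?P<action>\S+) \((?P<any>[^:()]+):(?P<inactive>[^:()]+):(?P<active>[^:()]+)\)"
)

# polkit settings that either deny the action or demand admin authentication
ADMIN_GATED = {"no", "auth_admin", "auth_admin_keep"}


def parse_untracked(log_text):
    """Return one dict per polkit-untracked-privilege line found in the log."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)  # search() tolerates a timestamp prefix
        if m:
            findings.append(m.groupdict())
    return findings


def summarize(findings):
    """Group findings by package and mark actions not gated on admin auth."""
    by_pkg = defaultdict(list)
    for f in findings:
        triple = (f["any"], f["inactive"], f["active"])
        f["admin_gated"] = all(v in ADMIN_GATED for v in triple)
        by_pkg[f["pkg"]].append(f)
    return dict(by_pkg)


if __name__ == "__main__":
    for pkg, items in sorted(summarize(parse_untracked(SAMPLE_LOG)).items()):
        print(f"{pkg}: {len(items)} untracked action(s)")
        for f in items:
            note = "admin-gated" if f["admin_gated"] else "reachable without admin auth"
            print(f"  {f['action']} ({f['any']}:{f['inactive']}:{f['active']}) {note}")
```
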
Hello Dominique,

sorry for the delayed reply. I was on vacation last week.

> So far the argument was that calling any such thing is at the same risk level as running any random binary using sudo. Which means every binary.

I am not quite sure if I understand your point. Polkit rules cannot be directly compared to sudo usage. Running a D-Bus service that utilizes polkit as root can immediately open a security vulnerability without requiring any further action on the user's side. I do not think that the same is the case involving sudo (the user would need to actively change sudo configuration).

>> https://en.opensuse.org/openSUSE:Package_security_guidelines
>>
>> We don't expect many packages to be affected by this. If you have any questions please reach out to us.
>
> Sadly, this is a brp warning, not an rpmlint warning - otherwise we'd have at least some upfront information about it.

Are you sure about that? I do not know anything about brp. All changes I worked on are located in rpmlint packages.

> At this time, it's a "let's get surprised how much will break" - not exactly my most favorite thing.

You are right. It seems we have underestimated the impact. We should have discussed this with you before changing it. My apologies.

Thank you for checking up on the affected packages and opening bugs for them. I have discussed this in the team and we will whitelist these packages immediately to keep the impact low. The reviews will then follow in time afterwards.

Regards

Matthias
Hi,

> the SUSE security team recently decided to turn the rpmlint check "polkit-untracked-privilege" into an error. Currently this is only an informational message. If you get messages like these in your package:
>
> gvfs-backends.x86_64: I: polkit-untracked-privilege org.gtk.vfs.file-operations (no:no:auth_admin_keep)
>
> then they will become an error with 10.000 extra badness in the future, as is the case with other polkit related errors. This affects all packages in openSUSE:Factory.

there seems to be a bit of confusion for some users regarding this change (see bnc#1089082). My statement above is not completely correct: The change not only affects all packages in openSUSE:Factory but all packages that build against the Factory repository which usually includes also home and devel projects.

This is no major change, however, since this has always been the case for other errors like 'polkit-unauthorized-privilege'.

You can suppress the rpmlint errors in home and devel projects by using an rpmlintrc file as outlined here:

https://en.opensuse.org/openSUSE:Package_security_guidelines#Audit_Bugs_for_...

You can do this while developing a package or for packages that aren't supposed to be submitted to openSUSE:Factory. Please remove such suppressions before submitting to openSUSE:Factory.

Cheers

Matthias