Bugzilla – Bug 1143147
AUDIT-0: calamares: polkit-untracked-privilege
Last modified: 2019-08-12 09:53:55 UTC
Created attachment 811861 [details]
full build log
For my package found in OBS in home:embar-:Lietukas/calamares I would like a whitelisting for the following rpmlint error:
[ 408s] calamares.x86_64: I: polkit-cant-acquire-privilege com.github.calamares.calamares.pkexec.run (no:no:auth_admin)
[ 408s] Usability can be improved by allowing users to acquire privileges via
[ 408s] authentication. Use e.g. 'auth_admin' instead of 'no' and make sure to define
[ 408s] 'allow_any'. This is an issue only if the privilege is not listed in
[ 408s] /etc/polkit-default-privs.*
[ 408s] calamares.x86_64: E: polkit-untracked-privilege (Badness: 10000) com.github.calamares.calamares.pkexec.run (no:no:auth_admin)
[ 408s] The privilege is not listed in /etc/polkit-default-privs.* which makes it
[ 408s] harder for admins to find. Furthermore polkit authorization checks can easily
[ 408s] introduce security issues. If the package is intended for inclusion in any
[ 408s] SUSE product please open a bug report to request review of the package by the
[ 408s] security team. Please refer to
[ 408s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for
[ 408s] more information.
I would like to submit it later into Education/calamares and main openSUSE Factory/Tumbleweed repository. Please help with this package.
Thank you for opening the review bug. We will have a look at your package in a
couple of days.
This polkit policies is just for executing calamares as root on the X11
server. This shouldn't take a long review.
(In reply to Matthias Gerstner from comment #2)
> <...> just for executing calamares as root on the X11 server. <...>
Out of curiosity:
Does (I hope) it is possible to execute calamares as root on Wayland too?
(In reply to email@example.com from comment #3)
> Out of curiosity:
> Does (I hope) it is possible to execute calamares as root on Wayland too?
Actually, no. Selectively running applications as root is prevented by design
in Wayland. See also  for more about this.
So calamares uses the policy only to start the graphical application via
pkexec as root. This is an option that can be entered in the calamares.desktop
file. In my test build it still uses xdg-su, however.
The pkexec action is not used programatically in the source code. Running the
installer as root gives a lot of power, of course, which is in the nature of a
distribution installer. Using it wrongly can break things fast but this is
within the responsibility of the user.
The default setting of allowing this only with admin password for active users
I will whitelist the policy and submit it to Factory.
I did not tested yet in Wayland, but Calamares 3.2 series was supposed to support Wayland too:
https://www.debian.org/News/2019/20190706 - debian by default is with Wayland and live images includes Wayland.
(In reply to firstname.lastname@example.org from comment #6)
> I did not tested yet in Wayland, but Calamares 3.2 series was supposed to support Wayland too:
There may be ways around the limitation. But I doubt it will work using pkexec
as originally intended by calamares. You can simply test it on Tumbleweed
where Wayland has become the default.
The whitelisting is in Factory by now. Therefore I'm closing this bug.