Bug 1143147 - AUDIT-0: calamares: polkit-untracked-privilege
AUDIT-0: calamares: polkit-untracked-privilege
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Security
Current
Other Other
: P5 - None : Normal (vote)
: ---
Assigned To: Matthias Gerstner
Security Team bot
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2019-07-28 19:03 UTC by Mindaugas Baranauskas
Modified: 2019-08-12 09:53 UTC (History)
1 user (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
full build log (307.83 KB, text/plain)
2019-07-28 19:03 UTC, Mindaugas Baranauskas
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Mindaugas Baranauskas 2019-07-28 19:03:25 UTC
Created attachment 811861 [details]
full build log

For my package found in OBS in home:embar-:Lietukas/calamares I would like a whitelisting for the following rpmlint error:

[  408s] calamares.x86_64: I: polkit-cant-acquire-privilege com.github.calamares.calamares.pkexec.run (no:no:auth_admin)
[  408s] Usability can be improved by allowing users to acquire privileges via
[  408s] authentication. Use e.g. 'auth_admin' instead of 'no' and make sure to define
[  408s] 'allow_any'. This is an issue only if the privilege is not listed in
[  408s] /etc/polkit-default-privs.*
[  408s] 

<...>

[  408s] calamares.x86_64: E: polkit-untracked-privilege (Badness: 10000) com.github.calamares.calamares.pkexec.run (no:no:auth_admin)
[  408s] The privilege is not listed in /etc/polkit-default-privs.* which makes it
[  408s] harder for admins to find. Furthermore polkit authorization checks can easily
[  408s] introduce security issues. If the package is intended for inclusion in any
[  408s] SUSE product please open a bug report to request review of the package by the
[  408s] security team. Please refer to
[  408s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for
[  408s] more information.


I would like to submit it later into Education/calamares and main openSUSE Factory/Tumbleweed repository. Please help with this package.
Comment 1 Matthias Gerstner 2019-07-29 08:33:16 UTC
Thank you for opening the review bug. We will have a look at your package in a
couple of days.
Comment 2 Matthias Gerstner 2019-07-29 14:23:35 UTC
This polkit policies is just for executing calamares as root on the X11
server. This shouldn't take a long review.
Comment 3 Mindaugas Baranauskas 2019-07-29 19:02:33 UTC
(In reply to Matthias Gerstner from comment #2)
> <...> just for executing calamares as root on the X11 server. <...>


Out of curiosity:
Does (I hope) it is possible to execute calamares as root on Wayland too?
Comment 4 Matthias Gerstner 2019-07-30 09:48:59 UTC
(In reply to opensuse.lietuviu.kalba@gmail.com from comment #3)
> Out of curiosity:
> Does (I hope) it is possible to execute calamares as root on Wayland too?

Actually, no. Selectively running applications as root is prevented by design
in Wayland. See also [1] for more about this.

[1]: https://wiki.archlinux.org/index.php/Running_GUI_applications_as_root#Wayland
Comment 5 Matthias Gerstner 2019-08-01 11:47:26 UTC
So calamares uses the policy only to start the graphical application via
pkexec as root. This is an option that can be entered in the calamares.desktop
file. In my test build it still uses xdg-su, however.

The pkexec action is not used programatically in the source code. Running the
installer as root gives a lot of power, of course, which is in the nature of a
distribution installer. Using it wrongly can break things fast but this is
within the responsibility of the user.

The default setting of allowing this only with admin password for active users
is sane.

I will whitelist the policy and submit it to Factory.
Comment 6 Mindaugas Baranauskas 2019-08-01 15:59:37 UTC
I did not tested yet in Wayland, but Calamares 3.2 series was supposed to support Wayland too:

https://calamares.io/calamares-3.2-plan/
https://github.com/calamares/calamares/issues/747#issuecomment-309212388
https://www.debian.org/News/2019/20190706 - debian by default is with Wayland and live images includes Wayland.
Comment 7 Matthias Gerstner 2019-08-02 07:32:02 UTC
(In reply to opensuse.lietuviu.kalba@gmail.com from comment #6)
> I did not tested yet in Wayland, but Calamares 3.2 series was supposed to support Wayland too:

There may be ways around the limitation. But I doubt it will work using pkexec
as originally intended by calamares. You can simply test it on Tumbleweed
where Wayland has become the default.
Comment 8 Matthias Gerstner 2019-08-12 09:53:55 UTC
The whitelisting is in Factory by now. Therefore I'm closing this bug.