Bugzilla – Bug 1143147
AUDIT-0: calamares: polkit-untracked-privilege
Last modified: 2019-08-12 09:53:55 UTC
Created attachment 811861 [details] full build log For my package found in OBS in home:embar-:Lietukas/calamares I would like a whitelisting for the following rpmlint error: [ 408s] calamares.x86_64: I: polkit-cant-acquire-privilege com.github.calamares.calamares.pkexec.run (no:no:auth_admin) [ 408s] Usability can be improved by allowing users to acquire privileges via [ 408s] authentication. Use e.g. 'auth_admin' instead of 'no' and make sure to define [ 408s] 'allow_any'. This is an issue only if the privilege is not listed in [ 408s] /etc/polkit-default-privs.* [ 408s] <...> [ 408s] calamares.x86_64: E: polkit-untracked-privilege (Badness: 10000) com.github.calamares.calamares.pkexec.run (no:no:auth_admin) [ 408s] The privilege is not listed in /etc/polkit-default-privs.* which makes it [ 408s] harder for admins to find. Furthermore polkit authorization checks can easily [ 408s] introduce security issues. If the package is intended for inclusion in any [ 408s] SUSE product please open a bug report to request review of the package by the [ 408s] security team. Please refer to [ 408s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for [ 408s] more information. I would like to submit it later into Education/calamares and main openSUSE Factory/Tumbleweed repository. Please help with this package.
Thank you for opening the review bug. We will have a look at your package in a couple of days.
This polkit policies is just for executing calamares as root on the X11 server. This shouldn't take a long review.
(In reply to Matthias Gerstner from comment #2) > <...> just for executing calamares as root on the X11 server. <...> Out of curiosity: Does (I hope) it is possible to execute calamares as root on Wayland too?
(In reply to opensuse.lietuviu.kalba@gmail.com from comment #3) > Out of curiosity: > Does (I hope) it is possible to execute calamares as root on Wayland too? Actually, no. Selectively running applications as root is prevented by design in Wayland. See also [1] for more about this. [1]: https://wiki.archlinux.org/index.php/Running_GUI_applications_as_root#Wayland
So calamares uses the policy only to start the graphical application via pkexec as root. This is an option that can be entered in the calamares.desktop file. In my test build it still uses xdg-su, however. The pkexec action is not used programatically in the source code. Running the installer as root gives a lot of power, of course, which is in the nature of a distribution installer. Using it wrongly can break things fast but this is within the responsibility of the user. The default setting of allowing this only with admin password for active users is sane. I will whitelist the policy and submit it to Factory.
I did not tested yet in Wayland, but Calamares 3.2 series was supposed to support Wayland too: https://calamares.io/calamares-3.2-plan/ https://github.com/calamares/calamares/issues/747#issuecomment-309212388 https://www.debian.org/News/2019/20190706 - debian by default is with Wayland and live images includes Wayland.
(In reply to opensuse.lietuviu.kalba@gmail.com from comment #6) > I did not tested yet in Wayland, but Calamares 3.2 series was supposed to support Wayland too: There may be ways around the limitation. But I doubt it will work using pkexec as originally intended by calamares. You can simply test it on Tumbleweed where Wayland has become the default.
The whitelisting is in Factory by now. Therefore I'm closing this bug.