Bug 1090371

Summary: AUDIT-0: cinnamon-control-center: new polkit policy org.cinnamon.controlcenter.datetime
Product: [Novell Products] SUSE Security Incidents Reporter: Alexei Sorokin <sor.alexei>
Component: AuditsAssignee: Matthias Gerstner <matthias.gerstner>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P4 - Low CC: astieger, matthias.gerstner
Version: unspecified   
Target Milestone: unspecified   
Hardware: Other   
OS: Other   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Alexei Sorokin 2018-04-20 12:08:13 UTC 
In cinnamon-control-center 3.8.0 a new polkit policy has been added: org.cinnamon.controlcenter.datetime, causing:
> cinnamon-control-center-common.noarch: E: polkit-untracked-privilege (Badness: 10000) org.cinnamon.controlcenter.datetime.configure (no:no:auth_admin_keep)

The package is https://build.opensuse.org/package/show/X11:Cinnamon:Factory/cinnamon-control-center
Comment 1 Matthias Gerstner 2018-04-20 12:18:44 UTC 
Thank you for opening this bug. We will review this but please be aware that
this will take a while due to a quite big backlog in security reviews.
Comment 2 Matthias Gerstner 2018-06-21 14:36:11 UTC 
I will work on this review now.
Comment 3 Matthias Gerstner 2018-06-22 08:43:34 UTC 
On a side note: cinnamon-control-center does not seem to be currently working
currently neither on Tumbleweed nor on Leap15. All I get is a broken window
with a single button "All Settings" that does nothing.
Comment 4 Matthias Gerstner 2018-06-22 13:24:44 UTC 
I'm finished with the review. This is another one of those badly documented
use cases of polkit.

cinnamon-control-center does not by itself implement any sensitive operations,
but is rather a polkit client. A dialog for setting the system time and date
implements an "unlock/lock" button. By default the regular user does not have
permission to change the system time and date. By pressing "unlock", the
polkit action org.cinnamon.controlcenter.datetime.configure will be requested
from polkit for the cinnamon-control-center process. But this polkit action is
rather only a kind of meta action for other polkit actions as we can see from
the policy file:

  <annotate key="org.freedesktop.policykit.imply">org.freedesktop.timedate1.set-time org.freedesktop.timedate1.set-timezone org.freedesktop.timedate1.set-local-rtc org.freedesktop.timedate1.set-ntp</annotate>

So when the action is granted it implicitly also grants all these other
actions which are in turn implemented in systemd and other systemd processes.
No action is performed after the meta action is granted, but
cinnamon-control-center instead unlocks its time/date dialog and the user can
perform the desired changes. Only when this dialog is applied will
cinnamon-control-center send an actual set-time or otherwise appropriate D-Bus
message to systemd or whatever it deems appropriate.

Since the meta action is configured for 'auth_admin_keep', the user will not
need to enter the admin password again. The cinnamon process is already
authorized. The temporary authentication only lasts for half a minute or so,
though, so if the user is too slow, he will still have to enter the password
again.

All in all this logic should be implemented safely. A shame, though, that the
control-center does not seem to work at all currently as stated in comment 3.

I will submit a whitelisting in short time.
Comment 5 Matthias Gerstner 2018-06-22 13:46:45 UTC 
The whitelisting is submitted. Please refer to the following wiki page

  https://en.opensuse.org/openSUSE:Package_security_guidelines#How_the_Whitelisting_Process_Works

for information about when the whitelisting will become effective for you.

Closing this bug as fixed.
Comment 6 Swamp Workflow Management 2018-06-22 14:20:05 UTC 
This is an autogenerated message for OBS integration:
This bug (1090371) was mentioned in
https://build.opensuse.org/request/show/618495 Factory / polkit-default-privs