Bug 1090963

Summary: AUDIT-0: cinnamon: new polkit policies org.cinnamon.schema-{install,remove}
Product: [Novell Products] SUSE Security Incidents
Reporter: Alexei Sorokin <sor.alexei>
Component: Audits
Assignee: Alexei Sorokin <sor.alexei>
Status: RESOLVED INVALID
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P4 - Low
CC: astieger, matthias.gerstner
Version: unspecified
Target Milestone: unspecified
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Alexei Sorokin 2018-04-25 19:11:20 UTC
In cinnamon 3.8.0 new polkit policies have been added: org.cinnamon.schema-install and org.cinnamon.schema-remove, causing:
> cinnamon.x86_64: E: polkit-untracked-privilege (Badness: 10000) org.cinnamon.schema-install (no:no:auth_admin_keep)
> cinnamon.x86_64: E: polkit-untracked-privilege (Badness: 10000) org.cinnamon.schema-remove (no:no:auth_admin_keep)

The package is https://build.opensuse.org/package/show/X11:Cinnamon:Factory/cinnamon
Comment 1 Matthias Gerstner 2018-06-25 16:08:06 UTC
I will be working on this now.
Comment 2 Matthias Gerstner 2018-06-26 12:31:02 UTC
I am not very happy with these polkit rules. They allow executing
/usr/bin/cinnamon-schema-install and /usr/bin/cinnamon-schema-remove as root,
after entering the admin password.

First of all I am not quite sure why the user needs to install a gsettings
schema into the system anyways. It is probably tied to the Cinnamon extensions
and applets but shouldn't it be possible to keep that in the user's home
directory?

The cinnamon extensions seem not to be verified via signatures or anything, so
the only security seems to come from the fact that the cinnamon website, where
extensions are offered, is SSL verified.

The python scripts /usr/bin/cinnamon-schema-* are naively implemented and run
through the shell. They don't verify their input arguments; wildcards and path
components can be passed. I can't whitelist them in this form.

I will try to open an upstream pull request with improved scripts that are
more acceptable.
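
An added example, not part of the bug comments, the upstream scripts or the pull request: one way a root-run removal helper can check its argument and avoid the shell, so that wildcards and path components are refused. The file-name rule, the function names and the sample arguments are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumption: a schema is addressed by a bare file name ending in .gschema.xml.
SCHEMA_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]*\.gschema\.xml")


def validate_schema_name(arg):
    """Return arg unchanged if it is a bare schema file name, else raise."""
    # Rejects path separators, "..", wildcards, spaces and shell metacharacters.
    if os.path.basename(arg) != arg or not SCHEMA_NAME.fullmatch(arg):
        raise ValueError("refusing schema name %r" % (arg,))
    return arg


def remove_schema(schema_dir, arg):
    """Delete exactly one regular file inside schema_dir without a shell."""
    target = os.path.join(schema_dir, validate_schema_name(arg))
    if os.path.islink(target) or not os.path.isfile(target):
        raise ValueError("not a regular schema file: %r" % (target,))
    os.unlink(target)  # direct syscall: no globbing, no word splitting
    return target


def demo():
    """Run constructed arguments against a throwaway directory tree."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        schema_dir = os.path.join(root, "schemas")
        outside = os.path.join(root, "outside.gschema.xml")
        os.mkdir(schema_dir)
        for name in ("org.example.a.gschema.xml", "org.example.b.gschema.xml"):
            open(os.path.join(schema_dir, name), "w").close()
        open(outside, "w").close()
        for arg in ("org.example.a.gschema.xml", "*.gschema.xml",
                    "../outside.gschema.xml", "x.gschema.xml; true",
                    "org.example.missing.gschema.xml"):
            try:
                remove_schema(schema_dir, arg)
                results[arg] = "removed"
            except ValueError:
                results[arg] = "rejected"
        results["left"] = sorted(os.listdir(schema_dir))
        results["outside_kept"] = os.path.exists(outside)
    return results
```
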
Comment 3 Matthias Gerstner 2018-06-26 14:55:18 UTC
I just created a pull request for a more secure script implementation:

https://github.com/linuxmint/Cinnamon/pull/7670
Comment 4 Matthias Gerstner 2018-06-28 09:38:17 UTC
So instead of accepting my pull request, the upstream discussion resulted in
removal of this functionality. It looks like they can install the schemas into
the user's home directory after all. I think this is best for security
anyways.

So for packaging this means the following:

- you can update to the next upstream release without this polkit rule and
  consequently close this bug.
- you can still apply my patch from the pull request and I can whitelist this
  rule. But I don't think we should do that.

Actually a whitelisting is technically not even here. These rules just allow
caching the root authentication, but without the rules the functionality
would still work, just without caching.

Assigning this bug back to you, Alexei.
Comment 5 Alexei Sorokin 2018-07-02 14:26:00 UTC
Closing.