|
Bugzilla – Full Text Bug Listing |
| Summary: | AUDIT-WHITELIST: udisks2: review of new polkit privileges for 2.10.0 release | ||
|---|---|---|---|
| Product: | [openSUSE] openSUSE Tumbleweed | Reporter: | Luciano Santos <luc14n0> |
| Component: | Security | Assignee: | Wolfgang Frisch <wolfgang.frisch> |
| Status: | RESOLVED FIXED | QA Contact: | E-mail List <qa-bugs> |
| Severity: | Normal | ||
| Priority: | P5 - None | CC: | matthias.gerstner, wolfgang.frisch |
| Version: | Current | ||
| Target Milestone: | --- | ||
| Hardware: | Other | ||
| OS: | Other | ||
| Whiteboard: | |||
| Found By: | --- | Services Priority: | |
| Business Priority: | Blocker: | --- | |
| Marketing QA Status: | --- | IT Deployment: | --- |
|
Description
Luciano Santos
2023-09-01 21:09:37 UTC
Thank you for opening the review bug. We will have a look. Upstream: https://www.freedesktop.org/wiki/Software/udisks/ OBS: https://build.opensuse.org/package/show/Base:System/udisks2 The package doesn't seem to build currently, because libblockdev 3.0 is missing. Do you intend to submit this Factory right away or will this need some more time? I reviewed the new actions all looks okay. The polkit authentication is properly done based on the dbus sender subject. Also a lot of extra details are provided to the authentication messages so users know what exactly they are authenticating. All actions require root privileges in all contexts, which is also necessary, because these are low level block device operations. The `filesystem-mount-other-user` action is an addition that allows to mount a filesystem as if done for another user id. This looks okay so far. The other actions are all related to low level NVME block device handling. All of the actions are based on block devices and there shouldn't be any user controlled files in the play. The nvme-set-hostnqn-id is actually creating a configuration file in /etc, but it is root controlled and only world readable, contains the NVM qualified name. (In reply to Matthias Gerstner from comment #3) > The package doesn't seem to build currently, because libblockdev 3.0 is > missing. Do you intend to submit this Factory right away or will this need > some more time? I'd like to submit it ASAP, since libblockdev 3.0 was released at the end of June. And the only road block is UDisks 2.10, right now. Both liblockdev 3.x and UDisks 2.10 have to be staged together. > I reviewed the new actions all looks okay. The polkit authentication is > properly done based on the dbus sender subject. Also a lot of extra details > are provided to the authentication messages so users know what exactly they > are authenticating. > > All actions require root privileges in all contexts, which is also necessary, > because these are low level block device operations. > > The `filesystem-mount-other-user` action is an addition that allows to mount > a > filesystem as if done for another user id. This looks okay so far. > > The other actions are all related to low level NVME block device handling. > All > of the actions are based on block devices and there shouldn't be any user > controlled files in the play. > > The nvme-set-hostnqn-id is actually creating a configuration file in /etc, > but > it is root controlled and only world readable, contains the NVM qualified > name. These are good news. Thanks for the review. the whitelisting change is on its way to Factory via sr#1110470 Accepted into Factory https://build.opensuse.org/request/show/1110598 The whitelisting should be effective now, closing the bug as fixed. Thank you everybody for your time. Hello once again,
I have to bother you people one more time. Somehow we missed this one:
> udisks2.x86_64: E: polkit-user-privilege (Badness: 10000) org.freedesktop.udisks2.nvme-smart-update (auth_admin:auth_admin:yes)
It was partly my fault for copy-pasting someone else's copy-paste, instead of checking the RPM Lint log myself :~p In any case, I have a build of udisks2 here: https://build.opensuse.org/package/show/home:luc14n0:branches:devel:libraries:c_c++/udisks2 Matthias is on FTO. This seems urgent, so I'll work on it today. Looks good to me. udisks_nvme_controller_complete_smart_update(), called from handle_smart_update(), which performs Polkit authorization first. I chose ::yes for the easy and standard PolKit profiles because this function only reads from the controller and doesn't appear to modify anything: https://github.com/storaged-project/udisks/blob/1d8ac51c6917777e25545f73af50c2d3ad67f100/src/udiskslinuxnvmecontroller.c#L353 http://storaged.org/libblockdev/libblockdev-NVMe.html#bd-nvme-get-smart-log Whitelisting on its way to Factory: https://build.opensuse.org/request/show/1112560 Thank you Wolfgang for the due diligence. (In reply to luc14n0@opensuse.org from comment #10) > It was partly my fault for copy-pasting someone else's copy-paste, instead of checking the RPM Lint log myself :~p > > In any case, I have a build of udisks2 here: > > https://build.opensuse.org/package/show/home:luc14n0:branches:devel:libraries:c_c++/udisks2 I thought I had checked the actual OBS build logs when I whitelisted but it seems like it still slipped my attention. Anyway, the whitelisting should be complete now. Closing this bug as fixed. |