Bug 1215652

Summary: AUDIT-0: polkit: please whitelist polkit rule change
Product: [openSUSE] openSUSE Tumbleweed
Reporter: Ludwig Nussel <lnussel>
Component: Security
Assignee: Wolfgang Frisch <wolfgang.frisch>
Status: RESOLVED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P5 - None
CC: filippo.bonazzi, lnussel, meissner, otto.hollmann, wolfgang.frisch
Version: Current
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Ludwig Nussel 2023-09-25 07:31:20 UTC
https://build.opensuse.org/request/show/1112333

see jsc#PED-260


[   52s] polkit.x86_64: E: polkit-file-digest-mismatch (Badness: 10000) /usr/share/polkit-1/rules.d/50-default.rules expected sha256:aea3041de2c15db8683620de8533206e50241c309eb27893605d5ead17e5e75f, has:3b5781af8a450c5184c7a2d5408f4af7d3c65f23548ee0962ad0eabb70072c32
[   52s] A polkit rule file changed in content. Packaging polkit rules requires a
[   52s] review and whitelisting by the SUSE security team. If the package is intended
[   52s] for inclusion in any SUSE product please open a bug report to request review
[   52s] of the package by the security team. Please refer to
[   52s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for
[   52s] more information.
Comment 1 Wolfgang Frisch 2023-09-25 07:38:42 UTC
Thank you for the report. We will schedule this task within our team shortly.
Comment 2 Wolfgang Frisch 2023-09-25 10:37:49 UTC
This looks sensible in general.

The only remaining question is whether or where `polkit._suse_admin_groups = []` will be set to a different value.
Comment 3 Ludwig Nussel 2023-09-25 11:36:06 UTC
Planned to be used by sudo. Probably makes sense to add the checksums for those files already too:

https://build.opensuse.org/package/rdiff/home:ohollmann:branches:Remove-targetpw/sudo?opackage=sudo&oproject=Base%3ASystem&rev=14

It's 51-sudo.rules and 51-wheel.rules with checksum
6fa951c8cb81606a10bd82e6ef8e260e98cc84e68e9a49310a8a670889e31b4d
Comment 4 Ludwig Nussel 2023-09-25 11:39:24 UTC
pardon
f771f054dff80233218bb658419bed786dfc30ca35ea0d3cd1ed4855be8ae4fd  ./usr/share/polkit-1/rules.d/51-sudo.rules
6fa951c8cb81606a10bd82e6ef8e260e98cc84e68e9a49310a8a670889e31b4d  ./usr/share/polkit-1/rules.d/51-wheel.rules
Comment 5 Matthias Gerstner 2023-10-09 10:48:41 UTC
I'm not quite sure about this line in the for loop:

> rules.push("unix-group:"+g);

So if the caller is in one of the groups then only its own account is
eligible as admin. But if this is not the case then any members of that group
are eligible as admin.

So what is this supposed to do? When there are accounts A and B which are
members of an admin group and an account C which is not a member of an admin
group, then C may authenticate as either A or B or root to gain admin?

I tried to reproduce this behaviour but somehow it doesn't work, Polkit always
wants to authenticate as root, there is no user selection or anything.
Comment 6 Ludwig Nussel 2023-10-09 11:45:43 UTC
Yes, I saw it behave as you describe. polkit shows a dialog that allows you to select admin accounts to authenticate as. You could try launching polkitd manually in a shell to see its debug output. Maybe it gives some clues.
Comment 7 Matthias Gerstner 2023-10-10 10:55:49 UTC
(In reply to lnussel@suse.com from comment #6)
> Yes, I saw it behave as you describe. polkit shows a dialog that allows you to select admin accounts to authenticate as. You could try launching polkitd manually in a shell to see its debug output. Maybe it gives some clues.

If you've seen it work then this is good enough for me. Good to go for the
whitelisting @wfrisch.
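To make the semantics discussed in comments 5 to 7 concrete, here is an added example (not code from this bug or from the openSUSE polkit package): a small stand-in for polkitd's admin-rule evaluation. The rule body is an assumed reconstruction of the behaviour comment 5 describes; the bug itself only shows the line `rules.push("unix-group:"+g)`. The group name `admins` and the accounts A, B and C are constructed test data.

```javascript
// Added example, not code from the bug or from the openSUSE polkit package:
// a stand-in for polkitd's admin-rule evaluation that models the behaviour
// described in comment 5. The rule body is an assumed reconstruction; the bug
// only shows the line rules.push("unix-group:"+g). Group/user names are
// constructed test data.
const polkit = {
  _suse_admin_groups: [],
  _adminRules: [],
  addAdminRule(fn) { this._adminRules.push(fn); },
};

polkit.addAdminRule(function (action, subject) {
  const rules = [];
  for (const g of polkit._suse_admin_groups) {
    // Caller already in an admin group: only its own account is eligible.
    if (subject.isInGroup(g)) return ["unix-user:" + subject.user];
    // Otherwise every member of that group becomes an eligible admin.
    rules.push("unix-group:" + g);
  }
  rules.push("unix-user:root");
  return rules;
});

// Constructed account database: A and B are admins, C is not.
const GROUPS = { admins: ["A", "B"] };

function makeSubject(user) {
  return { user, isInGroup: (g) => (GROUPS[g] || []).includes(user) };
}

// Like polkitd, the first admin rule that returns a value wins.
function adminIdentitiesFor(user) {
  const subject = makeSubject(user);
  for (const rule of polkit._adminRules) {
    const r = rule("org.example.action", subject);
    if (r != null) return r;
  }
  return [];
}

// Expand the identities to the concrete accounts the caller may authenticate
// as, i.e. what the selection dialog mentioned in comment 6 would offer.
function accountsFor(user) {
  const out = new Set();
  for (const id of adminIdentitiesFor(user)) {
    const [kind, name] = id.split(":");
    if (kind === "unix-user") out.add(name);
    else if (kind === "unix-group") (GROUPS[name] || []).forEach((u) => out.add(u));
  }
  return [...out].sort();
}
```

With `polkit._suse_admin_groups = ["admins"]`, `accountsFor("C")` yields A, B and root, while `accountsFor("A")` yields only A; with the list left empty, only root is offered.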
Comment 8 Filippo Bonazzi 2023-11-13 15:04:33 UTC
https://build.opensuse.org/request/show/1125677
Comment 10 OBSbugzilla Bot 2023-11-15 10:25:04 UTC
This is an autogenerated message for OBS integration:
This bug (1215652) was mentioned in
https://build.opensuse.org/request/show/1126560 Factory / rpmlint
Comment 11 Matthias Gerstner 2023-12-08 12:11:43 UTC
The whitelisting has been in Factory for a while now. Closing as FIXED.