Bug 1217178

Summary: AUDIT-WHITELIST: kf6-kauth: new version of D-Bus service org.kde.kf6auth.conf
Product: [Novell Products] SUSE Security Incidents Reporter: Matthias Gerstner <matthias.gerstner>
Component: AuditsAssignee: Matthias Gerstner <matthias.gerstner>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P5 - None CC: christophe, nicolas.fella, opensuse-kde-bugs
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on:    
Bug Blocks: 1217076    

Description Matthias Gerstner 2023-11-15 12:36:30 UTC 
+++ This bug was initially created as a clone of Bug #1217076

Sub bug for review of a bunch of new D-Bus services in KDE6.

Package is found in KDE:Unstable:Frameworks/kf6-kauth.

kf6-kauth.x86_64: E: dbus-file-unauthorized (Badness: 10) /usr/share/dbus-1/system.d/org.kde.kf6auth.conf

Since the kauth framework is at the heart of KDE's Polkit security we should
take special care reviewing this package.
Comment 1 Matthias Gerstner 2023-11-20 14:42:04 UTC 
I'll have a look at this.
Comment 2 Matthias Gerstner 2023-11-20 15:17:02 UTC 
It seems we never formally reviewed kauth, the last time somebody had a deeper
look was in 2017 via bug 1036244.
Comment 3 Matthias Gerstner 2023-11-21 10:21:29 UTC 
I compared the kf6-kauth against the kauth currently found in
openSUSE:Factory. The changes are small:

- global rename of identifiers towards kf6
- removal of deprecated parts of the API
- removal of Qt5 compatibility
- change of the buildsystem to build against Qt6

Otherwise there are practically no changes to the business logic of kauth.

Since kauth is at the heart of KDEs Polkit security and since we didn't review
it properly for a long time I will take a closer look at its key parts anyway.
Comment 4 Matthias Gerstner 2023-11-23 12:43:14 UTC 
The design of kauth really is weird in many spots. But the main authentication
path for Polkit/D-Bus should be fine, even if it causes headaches when trying
to follow it through.

I have a few pointers for upstream regarding the following though:

- a) this `s_watchers` hashmap is no longer used:
  https://invent.kde.org/frameworks/kauth/-/blob/master/src/executejob.cpp?ref_type=heads#L43

- b) the function DBusHelperProxy::callerUid() and related functions seem unused:
  https://invent.kde.org/frameworks/kauth/-/blob/master/src/backends/dbus/DBusHelperProxy.cpp?ref_type=heads#L352
  it's still called in HelperProxy::callerUid(), but this in turn isn't called
  by anybody. Except it would be called externally, but why should that
  happen?

- c) in DBusHelperProxy::performAction() this hack here:

  https://invent.kde.org/frameworks/kauth/-/blob/master/src/backends/dbus/DBusHelperProxy.cpp?ref_type=heads#L236

  is really awful. The process is basically multithreaded and the hack isn't
  thread safe, influences the Qt framework for the complete process. Wouldn't
  there be a better way to prevent the sketched problem?

  The logic was introduced in commit fc70fb01.

- d) This "ExtraCallerIDVerificationMethod" is really strange:

  https://invent.kde.org/frameworks/kauth/-/blob/master/src/backends/dbus/DBusHelperProxy.cpp?ref_type=heads#L200

  The `callerID` is an untrusted value supplied by the unprivileged client,
  when using Polkit. I can only imagine this very strange design is due to the
  need to also cover the MAC backend with the same interface. It makes
  absolutely no sense to pass-on this callerID when using Polkit/D-Bus on
  Linux, it is just a confusing burden.

Since this is a KDE6 major release it might be a good time to address some of
the problematic design aspects mentioned in c) and d), even if it breaks
interfaces.
Comment 5 Matthias Gerstner 2023-11-23 12:45:31 UTC 
What might be the best mechanism to approach upstream about the suggestions in comment 4? A bug on bugs.kde.org? Or are you in touch with upstream yourself?
Comment 6 Matthias Gerstner 2023-11-23 14:36:20 UTC 
So basically the review is complete.

Since it still takes a long time before KDE6 is actually released I'll switch
this bug into an AUDIT-WHITELIST bug, pending for whitelisting. When the
actual release is drawing near then we will have a look over any recent
changes before we submit the actual whitelisting.

The upstream Git revision I reviewed was 0cee240e50f07200740b99906e8a9b9a202296fc.

TODOs left:

- approach upstream with suggestions for improvement
- install source code change monitoring for kf6-kauth once it is in Factory.
- actually whitelist
Comment 7 Christophe Marin 2023-11-28 09:23:01 UTC 
https://invent.kde.org/frameworks/kauth/-/issues/3 was filed upstream
Comment 8 Matthias Gerstner 2024-02-13 10:22:07 UTC 
The current kf6-kauth package has reached version 5.249.0 - a bit confusing
that they still use a 5 major version for kf6.

The changes since the last review are 80 % noise, otherwise a change with
regards to Wayland support in GUI window handling. Of the items I reported in
comment 4 the topics a) and d) have been addressed.

The other item I raised only in the upstream issue mentioned in comment 7 is
that I suggested to support passing of file descriptors in D-Bus interfaces.
I did not receive any feedback about this.

The new kauth on its own is fine so far. I will start the whitelisting process
now.
Comment 10 Matthias Gerstner 2024-02-21 14:46:32 UTC 
The whitelisting is in Factory now. Closing as fixed.