Bug 1217184

Summary: AUDIT-WHITELIST: plasma6-desktop: new revision of D-Bus service org.kde.kcontrol.kcmclock.conf
Product: [Novell Products] SUSE Security Incidents
Reporter: Matthias Gerstner <matthias.gerstner>
Component: Audits
Assignee: Matthias Gerstner <matthias.gerstner>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P5 - None
CC: christophe, filippo.bonazzi, opensuse-kde-bugs, security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on:
Bug Blocks: 1217076

Comment 1 Matthias Gerstner 2023-11-30 12:58:25 UTC
I made a mistake when splitting off this bug; the description in comment 0 is
wrong. Here is the correct one:

plasma6-desktop will coexist (but won't be coinstallable) with plasma5-desktop
(I didn't find the related plasma5 report) and returns:

- plasma6-desktop.x86_64: E: dbus-file-unauthorized (Badness: 10) /usr/share/dbus-1/system.d/org.kde.kcontrol.kcmclock.conf
- plasma6-desktop.x86_64: E: dbus-file-unauthorized (Badness: 10) /usr/share/dbus-1/system-services/org.kde.kcontrol.kcmclock.service

The corresponding package is found in KDE:Unstable:Frameworks/plasma6-desktop
Comment 2 Matthias Gerstner 2023-11-30 13:06:10 UTC
I will work on this one as well.
Comment 3 Matthias Gerstner 2023-11-30 14:49:26 UTC
This kauth helper is also small. It allows changing time, date, timezone and
NTP settings.

This all happens via a single D-Bus method call which is a bit packed. The
code is accordingly a bit difficult to follow, since it needs to deal with all
kinds of different situations like: change NTP and timezone but not time and
date.

From the timezone string provided, a path beneath /usr/share/timezone is
constructed, but luckily no "." characters are allowed in the string.
Otherwise it would have been possible to escape this directory.

This API should always stick to the `auth_admin` Polkit setting, as it allows
pretty drastic system configuration changes.

I couldn't find any actual security issues so we can whitelist it. Like with
the other bugs we will have another look at the package once the KDE6 release
draws near.

The upstream Git commit I looked into now was 74ab6a096.
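
Added example, not part of the original comment and not the kcmclock helper's code: a sketch of the check comment 3 describes, where a caller-supplied timezone name is only turned into a path when it contains no "." character. The function name `timezonePath`, the 64-character limit and the extra allowlist are assumptions made for illustration; the base directory is the one named in the comment.

```cpp
#include <cctype>
#include <iostream>
#include <string>

// Hypothetical helper: map a caller-supplied timezone name to a file below `base`.
// Returns false (and leaves `out` untouched) if the name could leave `base`.
bool timezonePath(const std::string &base, const std::string &tz, std::string &out)
{
    if (tz.empty() || tz.size() > 64 || tz.front() == '/' || tz.back() == '/')
        return false;                 // empty, oversized, absolute or directory-like
    char prev = '/';
    for (unsigned char c : tz) {
        if (c == '.')
            return false;             // without "." there is no "." or ".." component
        if (c == '/' && prev == '/')
            return false;             // empty component such as "Europe//Berlin"
        if (!(std::isalnum(c) || c == '/' || c == '_' || c == '-' || c == '+'))
            return false;             // allowlist: also rejects NUL, spaces, backslashes
        prev = static_cast<char>(c);
    }
    out = base + "/" + tz;
    return true;
}

int main()
{
    // Constructed sample inputs for the demonstration.
    const std::string base = "/usr/share/timezone";
    const char *samples[] = {"Europe/Berlin", "Etc/GMT+1", "../../etc/shadow",
                             "/etc/localtime", "Europe/./Berlin"};
    for (const char *s : samples) {
        std::string path;
        if (timezonePath(base, s, path))
            std::cout << "accept " << s << " -> " << path << '\n';
        else
            std::cout << "reject " << s << '\n';
    }
    return 0;
}
```

The check is purely lexical: it does not resolve symbolic links that may exist below the base directory.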
Comment 4 Matthias Gerstner 2024-02-13 14:38:34 UTC
The package to be submitted is now found in KDE:Frameworks/plasma6-desktop. It
contains version 5.93.0.

The kcmclock helper has not seen any relevant changes to its code since the
review happened.

This is ready for whitelisting.
Comment 5 Filippo Bonazzi 2024-02-14 15:34:12 UTC
The build is failing, so this package is likely to change again. Perhaps the reviewed components will not need to change.
Comment 6 Christophe Marin 2024-02-14 17:55:45 UTC
(In reply to Filippo Bonazzi from comment #5)
> The build is failing, so this package is likely to change again. Perhaps the
> reviewed components will not need to change

Which build?
https://build.opensuse.org/package/show/KDE:Frameworks/plasma6-desktop is green.
Comment 7 Filippo Bonazzi 2024-02-15 07:00:21 UTC
I looked at https://build.opensuse.org/package/show/KDE:Unstable:Frameworks/plasma6-desktop yesterday and it was broken. I noticed now I should have been looking at https://build.opensuse.org/package/show/KDE:Frameworks/plasma6-desktop. The Factory submissions will come from this second project, I assume? That's my bad.
Comment 9 Matthias Gerstner 2024-02-21 14:46:40 UTC
The whitelisting is in Factory now. Closing as fixed.