|
Bugzilla – Full Text Bug Listing |
| Summary: | AUDIT-WHITELIST: kwalletmanager: changes to D-Bus service? | ||
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Matthias Gerstner <matthias.gerstner> |
| Component: | Audits | Assignee: | Security Team bot <security-team> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Normal | ||
| Priority: | P5 - None | CC: | christophe, opensuse-kde-bugs, paolo.perego |
| Version: | unspecified | ||
| Target Milestone: | --- | ||
| Hardware: | Other | ||
| OS: | Other | ||
| Whiteboard: | |||
| Found By: | --- | Services Priority: | |
| Business Priority: | Blocker: | --- | |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Bug Depends on: | |||
| Bug Blocks: | 1217076 | ||
|
Description
Matthias Gerstner
2023-11-15 13:16:33 UTC
I will pickup this one. kdewalletmanager: the code is almost here to design and manage UI. Not too much business logic or interesting code so far. No issues at the moment Closing the AUDIT Reopening since we need this bug for tracking the whitelisting.
This package throws rpmlint badness, because the RPM has been renamed from
kwalletmanager5 to kwalletmanager. Otherwise nothing changed in the
whitelisted D-Bus files or Polkit actions.
The actual Kauth privileged component is the "savehelper.cpp" which actually
does nothing:
```
ActionReply SaveHelper::save(const QVariantMap &args)
{
Q_UNUSED(args);
const qint64 uid = QCoreApplication::applicationPid();
qDebug() << "executing uid=" << uid;
return ActionReply::SuccessReply();
}
```
@christophe: can you please reach out to upstream and ask them to simply drop
unused D-Bus / Kauth helpers and Polkit actions? This would make all our lives
easier. Thanks.
(In reply to Matthias Gerstner from comment #4) > > @christophe: can you please reach out to upstream and ask them to simply drop > unused D-Bus / Kauth helpers and Polkit actions? This would make all our > lives > easier. Thanks. Done: https://invent.kde.org/utilities/kwalletmanager/-/issues/4 The explanation for the existence of this helper in the upstream issue mentioned in comment 5 is not very convincing. I really don't want to whitelist such code. If upstream doesn't want to drop this then You can patch out the helper and the client code invoking it. This is not adding to security, it is only increasing complexity. (In reply to Matthias Gerstner from comment #6) > I really don't want to whitelist such code. If upstream doesn't want to drop > this then You can patch out the helper and the client code invoking it. This > is not adding to security, it is only increasing complexity. I'm working on it. https://build.opensuse.org/request/show/1146930 drops the kauth usage. done, should we close the bug with RESOLVED/WONTFIX? (In reply to christophe@krop.fr from comment #8) > done, should we close the bug with RESOLVED/WONTFIX? Well, you already did it, but it's all right with me. Maybe you add some clarification to the patch. It now sounds like we're disabling a security feature without giving any reasoning. The reasoning is that the KAuth helper is useless and does not add to security. If upstream KDE really worries about this strange scenario then they could just as well run something like `sudo -U $USERNAME true` and achieve the same result without shipping a fake kauth service helper and routing all of this through D-Bus for nothing. (In reply to Matthias Gerstner from comment #9) > Maybe you add some clarification to the patch. It now sounds like we're > disabling a security feature without giving any reasoning. The reasoning is > that the KAuth helper is useless and does not add to security. > done |