Bug 1220862

Summary: AUDIT-WHITELIST: gnome-control-center: polkit-untracked-privilege org.gnome.controlcenter.remote-session-helper
Product: [openSUSE] openSUSE Tumbleweed
Reporter: Dominique Leuenberger <dimstar>
Component: Security
Assignee: Matthias Gerstner <matthias.gerstner>
Status: RESOLVED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P5 - None
Version: Current
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Dominique Leuenberger 2024-03-04 11:38:38 UTC
This weekend, GNOME 46.rc has been released.

gnome-control-center has a new polkit helper showing up:

[  122s] gnome-control-center.x86_64: E: polkit-untracked-privilege (Badness: 10000) org.gnome.controlcenter.remote-session-helper (no:no:auth_admin_keep)
[  122s] The polkit action is not listed in the polkit-default-privs profiles which
[  122s] makes it harder for admins to find. Furthermore improper polkit authorization
[  122s] checks can easily introduce security issues. If the package is intended for
[  122s] inclusion in any SUSE product please open a bug report to request review of
[  122s] the package by the security team. Please refer to
[  122s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for
[  122s] more information.

The package can be found in GNOME:Next gnome-control-center
Comment 1 Matthias Gerstner 2024-03-05 14:59:11 UTC
This is used to enable a remote-desktop login service. It already existed
before, based on `pkexec`, but has been changed:

    commit 944f415215deb23d34c3ab06e0044585e741d31c
    Author: Brandon Nielsen <nielsenb@jetfuse.net>
    Date:   Tue Jul 18 10:25:21 2023 -0500

    Drop dependency on pkexec

    Based on discussion on fedora-devel[0][1] drop the use of pkexec. pkexec
    was used only for starting / stopping / enabling / disabling the sshd
    service via systemd.

    This changes the "org.gnome.controlcenter.remote-login-helper" policy to
    request the necessary systemd permissions, and changes to using polkit
    to request the permission, then making the dbus calls once the
    permission is acquired.

Consequently the newly introduced Polkit policy implicitly adds permissions to
meddle with systemd:

    <action id="org.gnome.controlcenter.remote-session-helper">
      <description>Enable or disable remote sessions</description>
      <message>Authentication is required to enable or disable remote sessions</message>
      <defaults>
        <allow_any>no</allow_any>
        <allow_inactive>no</allow_inactive>
        <allow_active>auth_admin_keep</allow_active>
      </defaults>
      <annotate key="org.freedesktop.policykit.imply">org.freedesktop.systemd1.manage-units org.freedesktop.systemd1.manage-unit-files org.gnome.remotedesktop.configure-system-daemon</annotate>
    </action>

These are pretty strong privileges. The code deals properly with systemd
though.

We can whitelist the new action.
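
The `org.freedesktop.policykit.imply` annotation quoted in comment 1 is what turns one authorization into several. The following is an added example, not part of the original comment or of any SUSE or GNOME tooling: it lists each action's defaults and implied actions. The `<policyconfig>` wrapper and the `WATCHED_PREFIXES` list are assumptions of this example.

```python
import xml.etree.ElementTree as ET

IMPLY_KEY = "org.freedesktop.policykit.imply"
# Assumption of this example: implied actions under these prefixes are the
# ones a reviewer wants called out (comment 1 singles out the systemd ones).
WATCHED_PREFIXES = ("org.freedesktop.systemd1.",)

# Constructed sample: the <action> element quoted in comment 1, wrapped in a
# <policyconfig> root so that it parses as a stand-alone document.
SAMPLE_POLICY = """\
<policyconfig>
  <action id="org.gnome.controlcenter.remote-session-helper">
    <description>Enable or disable remote sessions</description>
    <message>Authentication is required to enable or disable remote sessions</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.imply">org.freedesktop.systemd1.manage-units org.freedesktop.systemd1.manage-unit-files org.gnome.remotedesktop.configure-system-daemon</annotate>
  </action>
</policyconfig>
"""

def audit_policy(xml_text):
    """Return one record per <action>: defaults, implied actions, watched ones."""
    records = []
    for action in ET.fromstring(xml_text).iter("action"):
        d = action.find("defaults")
        # Same any:inactive:active order as the rpmlint line in the description.
        defaults = ":".join(
            ((d.findtext(tag) if d is not None else None) or "unset").strip()
            for tag in ("allow_any", "allow_inactive", "allow_active"))
        # The annotation value is a whitespace-separated list of action ids.
        implied = [name for ann in action.iter("annotate")
                   if ann.get("key") == IMPLY_KEY
                   for name in (ann.text or "").split()]
        records.append({
            "id": action.get("id"),
            "defaults": defaults,
            "implies": implied,
            "watched": [n for n in implied if n.startswith(WATCHED_PREFIXES)],
        })
    return records

if __name__ == "__main__":
    for rec in audit_policy(SAMPLE_POLICY):
        print(f"{rec['id']} ({rec['defaults']})")
        for name in rec["implies"]:
            flag = "  <- review" if name in rec["watched"] else ""
            print(f"  implies {name}{flag}")
```
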
Comment 2 Matthias Gerstner 2024-03-11 11:00:13 UTC
Whitelisting is in progress.
Comment 3 Matthias Gerstner 2024-03-27 11:01:01 UTC
This is now in Factory. Closing as fixed.