Bug 804185

Summary: AUDIT-1: spice-gtk: polkit-unauthorized-privilege
Product: [Novell Products] SUSE Security Incidents Reporter: Dominique Leuenberger <dimstar>
Component: AuditsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P5 - None CC: meissner
Version: unspecified   
Target Milestone: unspecified   
Hardware: Other   
OS: Other   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Dominique Leuenberger 2013-02-17 17:03:18 UTC 
An update version of spice-gtk has been prepared in the Virtualization project (Current version 0.18)

The build currently 'fails' due to missing/unauthorized polkit privileges:

[  209s] (none): E: badness 10000 exceeds threshold 1000, aborting.
[  209s] spice-gtk.x86_64: E: polkit-unauthorized-privilege (Badness: 10000) org.spice-space.lowlevelusbaccess (??:no:yes)
[  209s] The package allows unprivileged users to carry out privileged operations
[  209s] without authentication. This could cause security problems if not done
[  209s] carefully. If the package is intended for inclusion in any SUSE product please
[  209s] open a bug report to request review of the package by the security tea

Kinldy review and grant the privilege.
Comment 1 Marcus Meissner 2013-02-18 08:01:56 UTC 
lowlevel usb access?

for what kind of devices?
Comment 2 Dominique Leuenberger 2013-02-18 08:12:12 UTC 
(In reply to comment #1)
> lowlevel usb access?
> 
> for what kind of devices?

From what I understand, any device (in order to redirect them to the virtual machines)
Comment 3 Sebastian Krahmer 2013-02-18 09:31:30 UTC 
Please see bnc#744251 , I dont think that the complexity and quality
is getting better.
Comment 4 Dominique Leuenberger 2013-03-09 22:03:16 UTC 
I changed the policy in spice-gtk to be auth_admin: so it remains the users responsibility to allow execution or not...

Package can be found in GNOME:Next / spice-gtk
Comment 5 Sebastian Krahmer 2013-05-28 08:56:38 UTC 
But there was the problem of the package also bringing a new
suid binary. Still the case?
Comment 6 Thomas Biege 2013-06-27 04:06:53 UTC 
Dominique, can you help here please? Thanks.
Comment 7 Dominique Leuenberger 2013-06-27 05:23:09 UTC 
(In reply to comment #5)
> But there was the problem of the package also bringing a new
> suid binary. Still the case?

Yes, this is still the case... the .spec file contains:

> grep spice-client-glib-usb *spec
# FIXME: /usr/bin/spice-client-glib-usb-acl-helper should be installed u+s, see bnc#744251.
%set_permissions %{_bindir}/spice-client-glib-usb-acl-helper
%verify_permissions -e %{_bindir}/spice-client-glib-usb-acl-helper
%attr(755,root,root) %{_bindir}/spice-client-glib-usb-acl-helper

The spice-gtk Makefile still has the code to install this file u+s
Comment 8 Sebastian Krahmer 2013-07-15 14:03:38 UTC 
We wont accept a new suid binary.
Comment 9 Sebastian Krahmer 2013-07-22 09:55:53 UTC 
marked for training
Comment 10 Matthias Gerstner 2018-03-13 11:06:33 UTC 
This package already "slipped" into factory by way of auth_admin only
classification. Since we are about to tighten the rpmlint rules it has now
been part of the "amnesty whitelisting" and I have opened a new audit bug
1083025. There we will only check whether the admin authorization is correctly
implemented.

Therefore closing this bug.