Bug 1033292 - AUDIT-0: kcm_sddm: new DBus service org.kde.kcontrol.kcmsddm.service
Status: RESOLVED FIXED
Alias: None
Product: openSUSE Distribution
Classification: openSUSE
Component: Security
Version: Leap 42.2
Hardware: Other Other
Importance: P5 - None : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: E-mail List
Reported: 2017-04-10 15:04 UTC by Matthias Gerstner
Modified: 2017-05-17 13:42 UTC
Description Matthias Gerstner 2017-04-10 15:04:00 UTC
It's come to the attention of the security team that the package
KDE:Frameworks5/kcm_sddm slipped into openSUSE:Factory and openSUSE:Leap
42.{1,2} without going through a proper DBus/polkit review.

It is against policy to override the rpmlint messages for DBus/polkit via
rpmlintrc.

Part of this was already reviewed in bug 904313 it seems. The service seems to
have been extended with new methods and privileges.
Comment 1 Sebastian Krahmer 2017-05-17 07:45:33 UTC
taking this bug
Comment 2 Sebastian Krahmer 2017-05-17 13:42:49 UTC
Looks like we have the 'save' polkit action as auth_admin.

The other actions (installtheme) were not yet requested, so
we won't whitelist them yet. Nothing of the code should be called
without admin privileges; so we should be fine with our config.

closing bug