Bug 1090963 - AUDIT-0: cinnamon: new polkit policies org.cinnamon.schema-{install,remove}
Status: RESOLVED INVALID
Alias: None
Product: SUSE Security Incidents
Classification: Novell Products
Component: Audits
Version: unspecified
Hardware: Other Other
Priority: P4 - Low; Severity: Normal
Target Milestone: unspecified
Assignee: Alexei Sorokin
QA Contact: Security Team bot
Reported: 2018-04-25 19:11 UTC by Alexei Sorokin
Modified: 2018-07-02 14:26 UTC

Description Alexei Sorokin 2018-04-25 19:11:20 UTC
In cinnamon 3.8.0 new polkit policies have been added: org.cinnamon.schema-install and org.cinnamon.schema-remove, causing:
> cinnamon.x86_64: E: polkit-untracked-privilege (Badness: 10000) org.cinnamon.schema-install (no:no:auth_admin_keep)
> cinnamon.x86_64: E: polkit-untracked-privilege (Badness: 10000) org.cinnamon.schema-remove (no:no:auth_admin_keep)

The package is https://build.opensuse.org/package/show/X11:Cinnamon:Factory/cinnamon
Comment 1 Matthias Gerstner 2018-06-25 16:08:06 UTC
I will be working on this now.
Comment 2 Matthias Gerstner 2018-06-26 12:31:02 UTC
I am not very happy with these polkit rules. They allow executing
/usr/bin/cinnamon-schema-install and /usr/bin/cinnamon-schema-remove as root,
after entering the admin password.

First of all I am not quite sure why the user needs to install a gsettings
schema into the system anyways. It is probably tied to the Cinnamon extensions
and applets but shouldn't it be possible to keep that in the user's home
directory?

The cinnamon extensions seem not to be verified via signatures or anything, so
the only security seems to come from the fact that the cinnamon website, where
extensions are offered, is SSL verified.

The Python scripts /usr/bin/cinnamon-schema-* are naively implemented and run
through the shell. They don't verify their input arguments; wildcards and path
components can be passed. I can't whitelist them in this form.

I will try to open an upstream pull request with improved scripts that are
more acceptable.
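
The argument checking that Comment 2 finds missing, as an added example: this is not the code from the pull request or from Cinnamon. The function names, the file-name pattern and the `recompile` parameter are assumptions made for illustration; `/usr/share/glib-2.0/schemas` and `glib-compile-schemas` are the standard GSettings location and tool.

```python
import os
import re
import shutil
import subprocess

# Assumption: a schema is named like "org.example.applet.gschema.xml".
SCHEMA_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._@-]*\.gschema\.xml")
SYSTEM_SCHEMA_DIR = "/usr/share/glib-2.0/schemas"  # standard GSettings directory


def checked_schema_name(arg):
    """Return arg if it is a bare schema file name, else raise ValueError."""
    # The character class has no "/", "*", "?", whitespace or shell
    # metacharacters, so path components and wildcards cannot match.
    if not SCHEMA_NAME.fullmatch(arg):
        raise ValueError("not a bare *.gschema.xml file name: %r" % (arg,))
    return arg


def _recompile(schema_dir):
    # Argument vector with no shell: schema_dir is passed as one argument.
    subprocess.run(["glib-compile-schemas", schema_dir], check=True)


def install_schema(source_path, schema_dir=SYSTEM_SCHEMA_DIR, recompile=True):
    """Copy one schema file into schema_dir; returns the destination path."""
    name = checked_schema_name(os.path.basename(source_path))
    if os.path.islink(source_path) or not os.path.isfile(source_path):
        raise ValueError("source must be a regular file, not a link")
    dest = os.path.join(schema_dir, name)
    shutil.copyfile(source_path, dest)
    os.chmod(dest, 0o644)
    if recompile:
        _recompile(schema_dir)
    return dest


def remove_schema(arg, schema_dir=SYSTEM_SCHEMA_DIR, recompile=True):
    """Delete exactly the one schema named by arg; returns the removed path."""
    dest = os.path.join(schema_dir, checked_schema_name(arg))
    os.remove(dest)
    if recompile:
        _recompile(schema_dir)
    return dest
```
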
Comment 3 Matthias Gerstner 2018-06-26 14:55:18 UTC
I just created a pull request for a more secure script implementation:

https://github.com/linuxmint/Cinnamon/pull/7670
Comment 4 Matthias Gerstner 2018-06-28 09:38:17 UTC
So instead of accepting my pull request, the upstream discussion resulted in
removal of this functionality. It looks like they can install the schemas into
the user's home directory after all. I think this is best for security
anyways.

So for packaging this means the following:

- you can update to the next upstream release without this polkit rule and
  consequently close this bug.
- you can still apply my patch from the pull request and I can whitelist this
  rule. But I don't think we should do that.

Actually a whitelisting is technically not even here. These rules just allow
caching the root authentication, but without the rules the functionality
would still work, just without caching.

Assigning this bug back to you, Alexei.
Comment 5 Alexei Sorokin 2018-07-02 14:26:00 UTC
Closing.