Bugzilla – Bug 1186845
AUDIT-TRACKER: cinnamon-settings-daemon: Request review for polkit-unauthorized-privilege and polkit-cant-acquire-privilege
Last modified: 2024-03-13 09:21:07 UTC
Request for review of cinnamon-settings-daemon. I updated cinnamon-settings-daemon to version 5.0.0 and will submit it to X11:Cinnamon:Factory and Factory.

https://build.opensuse.org/package/show/home:andythe_great:branches:X11:Cinnamon:Factory/cinnamon-settings-daemon

RPMLINT report:

```
[ 44s] RPMLINT report:
[ 44s] ===============
[ 46s] cinnamon-settings-daemon.x86_64: I: polkit-cant-acquire-privilege org.cinnamon.settings-daemon.plugins.wacom.wacom-led-helper (no:no:yes)
[ 46s] Usability can be improved by allowing users to acquire privileges via
[ 46s] authentication. Use e.g. 'auth_admin' instead of 'no' and make sure to
[ 46s] define 'allow_any'. This is an issue only if the privilege is not
[ 46s] listed in /etc/polkit-default-privs.*
[ 46s]
[ 46s] cinnamon-settings-daemon.x86_64: W: non-etc-or-var-file-marked-as-conffile /usr/share/dbus-1/system.d/org.cinnamon.SettingsDaemon.DateTimeMechanism.conf
[ 46s] A file not in /etc or /var is marked as being a configuration file. Please put
[ 46s] your conf files in /etc or /var.
[ 46s]
[ 46s] cinnamon-settings-daemon.x86_64: E: polkit-unauthorized-privilege (Badness: 10) org.cinnamon.settings-daemon.plugins.wacom.wacom-led-helper (no:no:yes)
[ 46s] The package allows unprivileged users to carry out privileged
[ 46s] operations without authentication. This could cause security problems
[ 46s] if not done carefully. If the package is intended for inclusion in any
[ 46s] SUSE product please open a bug report to request review of the package
[ 46s] by the security team. Please refer to
[ 46s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs
[ 46s] for more information.
[ 46s]
[ 46s] 3 packages and 0 specfiles checked; 1 errors, 1 warnings.
```

Kind Regards,
Andy
## About this package

`cinnamon-settings-daemon` is a daemon and a collection of plug-ins for the Cinnamon desktop that allows the user to configure various settings, including hardware settings. Version 4.8.5 is already packaged in openSUSE.

[Upstream repository](https://github.com/linuxmint/cinnamon-settings-daemon.git)

## Changes from 4.8.5 to 5.0.0

[git diff 4.8.5 5.0.0](https://github.com/linuxmint/cinnamon-settings-daemon/compare/4.8.5...5.0.0)

There aren't many noteworthy changes in the code itself. The code that triggered the rpmlint whitelisting error has actually been present for quite some time, but lay dormant, since the old .spec did not include the optional build dependency on `xf86-input-wacom-devel`:

> -BuildRequires: xf86-input-wacom
> +BuildRequires: xf86-input-wacom-devel

This additional build dependency enabled an older code path that requires polkit permissions to run code as root that configures the LEDs of Wacom tablets.

## plugins/wacom/

The privileged part of the plugin is encapsulated in a program `csd-wacom-led-helper` that runs as root via pkexec, invoked by `csd-wacom-manager.c`. This helper program accepts 3 command-line arguments:

* Two integers, validated by the glib options parser.
* A file path that's supposed to point to a Wacom tablet device. The path is validated with a call to the libgudev function `g_udev_client_query_by_device_file` before any I/O is performed.

If the path argument points to a Wacom tablet, it then writes to its device and sets the LED status.

## Conclusion

There's no obvious attack surface. I intend to whitelist this package next week, after I have taken a second look at it.
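The `(no:no:yes)` triple in the rpmlint lines above is the action's `allow_any`, `allow_inactive` and `allow_active` defaults from its polkit `.policy` file. As an added illustration (not code from this bug, the package or rpmlint), the following Python applies the two checks described in the rpmlint messages to a constructed policy for the wacom LED helper action and to an `auth_admin` variant of it; the description text and the exact check logic are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy (not the package's shipped file): the wacom LED
# helper action with the (no:no:yes) defaults that rpmlint reported.
WEAK_POLICY = """<policyconfig>
  <action id="org.cinnamon.settings-daemon.plugins.wacom.wacom-led-helper">
    <description>Set the LED of a Wacom tablet (constructed text)</description>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
</policyconfig>
"""

# Variant following the rpmlint hint: auth_admin instead of 'no'/'yes',
# so the privilege can only be acquired by authenticating as an admin.
HARDENED_POLICY = WEAK_POLICY.replace(
    "<allow_any>no</allow_any>", "<allow_any>auth_admin</allow_any>"
).replace("<allow_active>yes</allow_active>",
          "<allow_active>auth_admin</allow_active>")

KEYS = ("allow_any", "allow_inactive", "allow_active")


def audit_policy(xml_text):
    """Map each action id to (defaults triple, list of rpmlint-style findings).

    Assumed logic mirroring the two messages quoted in the bug:
    - polkit-unauthorized-privilege: some default is 'yes' (no authentication)
    - polkit-cant-acquire-privilege: no default is an auth_* value, so a user
      can never acquire the privilege by authenticating.
    """
    results = {}
    for action in ET.fromstring(xml_text).iter("action"):
        defaults = action.find("defaults")
        triple = []
        for key in KEYS:
            node = defaults.find(key) if defaults is not None else None
            triple.append(node.text.strip() if node is not None and node.text else "missing")
        findings = []
        if "yes" in triple:
            findings.append("polkit-unauthorized-privilege")
        if not any(v.startswith("auth_") for v in triple):
            findings.append("polkit-cant-acquire-privilege")
        results[action.get("id")] = (tuple(triple), findings)
    return results
```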
Whitelisting in progress. I will close the bug once the process is complete.
Thanks for your help.
https://build.opensuse.org/request/show/900117
warnings are gone in Factory, should be done