Bug 1199735 - AUDIT-WHITELIST: kinfocenter5: New kauth service org.kde.kinfocenter.dmidecode
Summary: AUDIT-WHITELIST: kinfocenter5: New kauth service org.kde.kinfocenter.dmidecode
Status: RESOLVED FIXED
Alias: None
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Security
Version: Current
Hardware: Other Other
Priority: P5 - None
Severity: Normal
Target Milestone: ---
Assignee: Wolfgang Frisch
QA Contact: E-mail List
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: 1209378
Reported: 2022-05-19 20:28 UTC by Fabian Vogt
Modified: 2024-03-13 09:21 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description Fabian Vogt 2022-05-19 20:28:57 UTC
With Plasma 5.25, kinfocenter gained a new dmidecode kauth helper which allows users (without additional authorization) to read the system manufacturer, product name, version and serial number.

Package: https://build.opensuse.org/package/live_build_log/KDE:Unstable:Frameworks/kinfocenter5/openSUSE_Factory/x86_64

rpmlint warnings:

[  246s] kinfocenter5.x86_64: E: polkit-user-privilege (Badness: 10) org.kde.kinfocenter.dmidecode.systeminformation (no:yes:yes)
[  246s] The package allows unprivileged users to carry out privileged operations
[  246s] without root authentication. This could cause security problems if not done
[  246s] carefully. If the package is intended for inclusion in any SUSE product please
[  246s] open a bug report to request review of the package by the security team.
[  246s] Please refer to
[  246s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for
[  246s] more information.
[  246s] kinfocenter5.x86_64: E: dbus-file-unauthorized (Badness: 10) /usr/share/dbus-1/system-services/org.kde.kinfocenter.dmidecode.service (file digest sha256:746f98ec0b4d3ad3fbf71004a55be1f56a74d37a92cb881c7fe266860a1b82ef)
[  246s] kinfocenter5.x86_64: E: dbus-file-unauthorized (Badness: 10) /usr/share/dbus-1/system.d/org.kde.kinfocenter.dmidecode.conf (file digest sha256:c476dd629042913ae8c3b9f79a5eaed89c1f35d29776346064a2b58d8b470f77)
[  246s] Packaging D-Bus services requires a review and whitelisting by the SUSE
[  246s] security team. If the package is intended for inclusion in any SUSE product
[  246s] please open a bug report to request review of the package by the security
[  246s] team. Please refer to
[  246s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for
[  246s] more information.

Code: https://invent.kde.org/plasma/kinfocenter/-/tree/Plasma/5.25/Modules/about-distro/src/dmidecode-helper
Comment 1 Matthias Gerstner 2022-05-20 07:58:50 UTC
Thanks for opening the bug. We'll schedule the review.
Comment 2 Matthias Gerstner 2022-05-20 12:00:21 UTC
This new D-Bus helper is trivial. It only implements a single function call
without input parameters that in turn invokes "dmidecode" from one of the
trusted system bin directories to retrieve information about
"system-manufacturer", "system-product-name", "system-version" and
"system-serial-number".

The sub process is created using QProcess and thus not passing through the
shell. There are also no dynamic parameters passed to dmidecode. The resulting
output is returned to the caller via D-Bus.

Active and inactive sessions are allowed to invoke this method without
authentication, users without a session may not invoke it.

It seems safe and sound to me, we can whitelist it.
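As an added example (not code from kinfocenter or rpmlint): a small Python check that extracts the polkit `<defaults>` triple behind the `(no:yes:yes)` in the rpmlint output above and flags actions granted without any authentication, approximating what rpmlint's polkit-user-privilege check looks for. The policy XML is constructed for illustration and only reuses the action id from this bug.

```python
# Added example, not the upstream kinfocenter policy: a constructed polkit
# .policy file reusing the action id from the bug, with the defaults that
# rpmlint summarised as "no:yes:yes" (allow_any:allow_inactive:allow_active).
import xml.etree.ElementTree as ET

SAMPLE_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>
  <vendor>KDE</vendor>
  <action id="org.kde.kinfocenter.dmidecode.systeminformation">
    <description>Read system information via dmidecode</description>
    <message>Authentication is required to read system information</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>yes</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
</policyconfig>
"""

# In polkit, "yes" grants the action with no authentication at all; every
# other value (no, auth_self, auth_admin, *_keep) denies or requires auth.
UNAUTHENTICATED = "yes"
FIELDS = ("allow_any", "allow_inactive", "allow_active")


def action_defaults(policy_xml):
    """Map action id -> (allow_any, allow_inactive, allow_active).
    A missing field defaults to 'no', matching polkit's behaviour."""
    root = ET.fromstring(policy_xml)
    result = {}
    for action in root.iter("action"):
        defaults = action.find("defaults")
        triple = tuple(
            (defaults.findtext(f, "no") if defaults is not None else "no").strip()
            for f in FIELDS
        )
        result[action.get("id")] = triple
    return result


def privileged_without_auth(policy_xml):
    """Action ids that some class of user can trigger without authenticating,
    rendered as 'any:inactive:active' the way rpmlint prints them."""
    return {aid: ":".join(t) for aid, t in action_defaults(policy_xml).items()
            if UNAUTHENTICATED in t}


if __name__ == "__main__":
    for aid, triple in privileged_without_auth(SAMPLE_POLICY).items():
        print(f"{aid} ({triple}) grants access without authentication: review it")
```

For a packaged policy, read the file under /usr/share/polkit-1/actions/ and pass its contents to `privileged_without_auth`; an empty result means every action requires some form of authentication.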
Comment 3 Matthias Gerstner 2022-05-23 12:43:40 UTC
Assigning to Wolfgang for whitelisting.
Comment 5 Wolfgang Frisch 2022-05-31 11:43:43 UTC
Resolved.