Bugzilla – Bug 1215652
AUDIT-0: polkit: please whitelist polkit rule change
Last modified: 2023-12-08 12:11:43 UTC
https://build.opensuse.org/request/show/1112333
see jsc#PED-260

[ 52s] polkit.x86_64: E: polkit-file-digest-mismatch (Badness: 10000) /usr/share/polkit-1/rules.d/50-default.rules expected sha256:aea3041de2c15db8683620de8533206e50241c309eb27893605d5ead17e5e75f, has:3b5781af8a450c5184c7a2d5408f4af7d3c65f23548ee0962ad0eabb70072c32
[ 52s] A polkit rule file changed in content. Packaging polkit rules requires a
[ 52s] review and whitelisting by the SUSE security team. If the package is intended
[ 52s] for inclusion in any SUSE product please open a bug report to request review
[ 52s] of the package by the security team. Please refer to
[ 52s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for
[ 52s] more information.
Thank you for the report. We will schedule this task within our team shortly.
This looks sensible in general. The only remaining question is whether or where `polkit._suse_admin_groups = []` will be set to a different value.
Planned to be used by sudo. Probably makes sense to add the checksums for those files already too: https://build.opensuse.org/package/rdiff/home:ohollmann:branches:Remove-targetpw/sudo?opackage=sudo&oproject=Base%3ASystem&rev=14 It's 51-sudo.rules and 51-wheel.rules with checksum 6fa951c8cb81606a10bd82e6ef8e260e98cc84e68e9a49310a8a670889e31b4d
pardon
f771f054dff80233218bb658419bed786dfc30ca35ea0d3cd1ed4855be8ae4fd ./usr/share/polkit-1/rules.d/51-sudo.rules
6fa951c8cb81606a10bd82e6ef8e260e98cc84e68e9a49310a8a670889e31b4d ./usr/share/polkit-1/rules.d/51-wheel.rules
I'm not quite sure about this line in the for loop:

> rules.push("unix-group:"+g);

So if the caller is in one of the groups then only its own account is eligible as admin. But if this is not the case then any members of that group are eligible as admin. So what is this supposed to do? When there are accounts A and B which are members of an admin group and an account C which is not a member of an admin group, then C may authenticate as either A or B or root to gain admin?

I tried to reproduce this behaviour but somehow it doesn't work, Polkit always wants to authenticate as root, there is no user selection or anything.
Yes, I saw it behave as you describe. Polkit shows a dialog that allows selecting admin accounts to authenticate as. You could try launching polkitd manually in a shell to see its debug output. Maybe it gives some clues.
(In reply to lnussel@suse.com from comment #6)
> Yes, I saw it behave as you describe. Polkit shows a dialog that allows
> selecting admin accounts to authenticate as. You could try launching polkitd
> manually in a shell to see its debug output. Maybe it gives some clues.

If you've seen it work then this is good enough for me. Good to go for the whitelisting @wfrisch.
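The admin-rule logic questioned in the comments above, modelled as an added JavaScript sketch that is not part of this bug report and not the packaged 50-default.rules. The `makePolkit` and `makeSubject` stand-ins, the rule body, the root fallback and the account names are assumptions built from the commenter's description.

```javascript
// Added sketch: models the admin rule as the comments above describe it.
// NOT the packaged 50-default.rules; names below are stand-ins.

// Minimal stand-in for polkitd's global `polkit` object (assumption).
function makePolkit(adminGroups) {
  const p = { _suse_admin_groups: adminGroups, _adminRules: [] };
  p.addAdminRule = (fn) => { p._adminRules.push(fn); };
  return p;
}

// Minimal stand-in for the `subject` handed to a rule callback.
function makeSubject(user, groups) {
  return { user, isInGroup: (g) => groups.includes(g) };
}

// Hypothetical rule body reconstructed from the discussion.
function installAdminRule(polkit) {
  polkit.addAdminRule(function (action, subject) {
    const rules = [];
    for (const g of polkit._suse_admin_groups) {
      // A caller who is already in an admin group may only
      // authenticate as their own account.
      if (subject.isInGroup(g)) return ["unix-user:" + subject.user];
      rules.push("unix-group:" + g);
    }
    // Assumption: root stays eligible as the fallback identity.
    rules.push("unix-user:root");
    return rules;
  });
}

// Identities offered for admin authentication to `user`.
function adminIdentities(adminGroups, user, userGroups) {
  const polkit = makePolkit(adminGroups);
  installAdminRule(polkit);
  const subject = makeSubject(user, userGroups);
  const action = { id: "org.example.constructed" }; // constructed action id
  for (const rule of polkit._adminRules) {
    const ids = rule(action, subject);
    if (ids) return ids;
  }
  return [];
}

// Constructed accounts: alice is in wheel, carol is not.
console.log(adminIdentities(["wheel"], "alice", ["users", "wheel"]));
console.log(adminIdentities(["wheel"], "carol", ["users"]));
console.log(adminIdentities([], "carol", ["users"]));
```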
https://build.opensuse.org/request/show/1125677
This is an autogenerated message for OBS integration: This bug (1215652) was mentioned in https://build.opensuse.org/request/show/1126560 Factory / rpmlint
The whitelisting has been in Factory for a while now. Closing as FIXED.