1217184 – AUDIT-WHITELIST: plasma6-desktop: new revision of D-Bus service org.kde.kcontrol.kcmclock.conf

Bug 1217184 - AUDIT-WHITELIST: plasma6-desktop: new revision of D-Bus service org.kde.kcontrol.kcmclock.conf

Summary: AUDIT-WHITELIST: plasma6-desktop: new revision of D-Bus service org.kde.kcont...

Status:	RESOLVED FIXED

Alias:	None

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Audits (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P5 - None Severity: Normal
Target Milestone:	---
Assignee:	Matthias Gerstner
QA Contact:	Security Team bot

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:	1217076
	Show dependency tree / graph

Clone This Bug

Reported:	2023-11-15 13:04 UTC by Matthias Gerstner
Modified:	2024-02-21 14:46 UTC (History)
CC List:	4 users (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Comment 1 Matthias Gerstner 2023-11-30 12:58:25 UTC

I made a mistake when splitting off this bug, the description in comment 0 is
wrong, there is the correct one:

plasma6-desktop will coexist (but won't be coinstallable) with plasma5-desktop
(I didn't find the related plasma5 report) and returns:

- plasma6-desktop.x86_64: E: dbus-file-unauthorized (Badness: 10) /usr/share/dbus-1/system.d/org.kde.kcontrol.kcmclock.conf
- plasma6-desktop.x86_64: E: dbus-file-unauthorized (Badness: 10) /usr/share/dbus-1/system-services/org.kde.kcontrol.kcmclock.service

The according package is found in KDE:Unstable:Frameworks/plasma6-desktop

Comment 2 Matthias Gerstner 2023-11-30 13:06:10 UTC

I will work on this one as well.

Comment 3 Matthias Gerstner 2023-11-30 14:49:26 UTC

This kauth helper is also small. It allows to change time, date, timezone and
ntp settings.

This all happens via a single D-Bus method call which is a bit packed. The
code is accordingly a bit difficult to follow, since it needs to deal with all
kind of different situations like: change NTP and timezone but not time and
date.

From the timezone string provided a path beneath /usr/share/timezone is
constructed, but luckily no "." characters are allowed in the string.
Otherwise it would have been possible to escape this directory.

This API always should stick to the `auth_admin` Polkit setting, as it allows
pretty drastic system configuration changes.

I couldn't find any actual security issues so we can whitelist it. Like with
the other bugs we will have another look at the package once the KDE6 release
draws near.

The upstream Git commit I looked into now was 74ab6a096.

Comment 4 Matthias Gerstner 2024-02-13 14:38:34 UTC

The package to be submitted is now found in KDE:Frameworks/plasma6-desktop. It
contains version 5.93.0.

The kcmclock helper has not seen any relevant changes to its code since the
review happened.

This is ready for whitelisting.

Comment 5 Filippo Bonazzi 2024-02-14 15:34:12 UTC

The build is failing, so this package is likely to change again. Perhaps the reviewed components will not need to change

Comment 6 Christophe Marin 2024-02-14 17:55:45 UTC

(In reply to Filippo Bonazzi from comment #5)
> The build is failing, so this package is likely to change again. Perhaps the
> reviewed components will not need to change

which build?
https://build.opensuse.org/package/show/KDE:Frameworks/plasma6-desktop is green

Comment 7 Filippo Bonazzi 2024-02-15 07:00:21 UTC

I looked at https://build.opensuse.org/package/show/KDE:Unstable:Frameworks/plasma6-desktop yesterday and it was broken. I noticed now I should have been looking at https://build.opensuse.org/package/show/KDE:Frameworks/plasma6-desktop. The Factory submissions will come from this second project I assume? That's my bad

Comment 9 Matthias Gerstner 2024-02-21 14:46:40 UTC

The whitelisting is in Factory now. Closing as fixed.