Bug 1217706 - AUDIT-WHITELIST: plasma-branding-Kalpa: Review of sudoers file 50-kalpa
Status: RESOLVED FIXED
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Security
Version: Current
Hardware: Other Other
Importance: P5 - None : Normal
Assignee: Matthias Gerstner
QA Contact: Security Team bot
Reported: 2023-11-30 16:25 UTC by Shawn Dunn
Modified: 2024-02-19 13:00 UTC

Description Shawn Dunn 2023-11-30 16:25:48 UTC
For my package found in OBS in devel:microos:kalpa:plasma-branding-Kalpa I would like a whitelisting for the following rpmlint error:

```
[   14s] plasma-branding-Kalpa.noarch: E: sudoers-file-unauthorized (Badness: 10) /etc/sudoers.d/50-kalpa (sha256 file digest default filter:554ad7ffea09c0c9bed71f6ef7621e729d9d5368175b6e3b0e29214531d14c39 shell filter:554ad7ffea09c0c9bed71f6ef7621e729d9d5368175b6e3b0e29214531d14c39 xml filter:<failed-to-calculate>)
[   14s] Packaging sudoers.d drop-in configuration files requires a review and
[   14s] whitelisting by the SUSE security team. If the package is intended for
[   14s] inclusion in any SUSE product please open a bug report to request review of
[   14s] the package by the security team. Please refer to
[   14s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for
[   14s] more information.
```
Comment 1 Matthias Gerstner 2023-12-01 09:36:24 UTC
Thanks for opening the review bug.

This sudoers file wants:

```
Defaults:%wheel !targetpw
%wheel ALL = (root) ALL
```

So a wheel group based authentication. In bug 1215276 something very similar
was done for openSUSE Aeon.
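
What the two lines quoted in comment 1 grant, spelled out as an added example that is not part of the original bug comments or of rpmlint: a small Python parser for the simple sudoers subset used here (no aliases, tags or line continuations). The function names and the wording of the notes are hypothetical.

```python
import re

# Constructed input: the two lines quoted in comment 1 of this bug.
DROP_IN = "Defaults:%wheel !targetpw\n%wheel ALL = (root) ALL\n"
COMMENT_RE = re.compile(r"^#(?!include|\d)")  # '#include...' and '#<uid>' are not comments
DEFAULTS_RE = re.compile(r"^Defaults(?:(?P<kind>[:@>!])(?P<scope>\S+))?\s+(?P<settings>.+)$")
RULE_RE = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
SCOPE_KINDS = {":": "user", "@": "host", ">": "runas", "!": "command"}

def parse_drop_in(text):
    """Parse a simple sudoers drop-in (no aliases, tags or line continuations)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blank lines and real comments only.
        if not line or COMMENT_RE.match(line):
            continue
        if m := DEFAULTS_RE.match(line):
            flags = [f.strip() for f in m["settings"].split(",")]
            entries.append({
                "type": "defaults",
                "scope": (SCOPE_KINDS[m["kind"]], m["scope"]) if m["kind"] else ("global", None),
                "disabled": [f[1:] for f in flags if f.startswith("!")],
                "enabled": [f for f in flags if not f.startswith("!")],
            })
        elif m := RULE_RE.match(line):
            cmds = [c.strip() for c in m["cmds"].split(",")]
            entries.append({
                "type": "rule", "who": m["who"], "host": m["host"],
                "runas": m["runas"] or "root",  # sudoers runs as root when no runas is given
                "unrestricted": "ALL" in cmds,
            })
        else:
            entries.append({"type": "unparsed", "line": line})  # needs a manual look
    return entries

def review_notes(entries):
    """Turn parsed entries into the points a reviewer would want spelled out."""
    notes = []
    for e in entries:
        if e["type"] == "defaults" and "targetpw" in e["disabled"]:
            kind, scope = e["scope"]
            notes.append(f"targetpw off ({kind} scope {scope or 'all'}): sudo asks for the invoking user's own password")
        elif e["type"] == "rule" and e["unrestricted"]:
            notes.append(f"{e['who']} may run any command as {e['runas']} on host {e['host']}")
        elif e["type"] == "unparsed":
            notes.append(f"unparsed line, review by hand: {e['line']}")
    return notes
```

Running `review_notes(parse_drop_in(DROP_IN))` yields one note per line: the `Defaults` entry switches `%wheel` to own-password authentication, and the rule lets `%wheel` run any command as root.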
Comment 2 Shawn Dunn 2023-12-01 16:02:27 UTC
Yes, Aeon and Kalpa are following similar design ideas.
Comment 3 Matthias Gerstner 2023-12-08 11:45:13 UTC
I will whitelist this once the issue in bug 1217707 is addressed.
Comment 4 Matthias Gerstner 2023-12-11 14:54:39 UTC
We started the whitelisting process and a submission is on its way to Factory.
Comment 5 OBSbugzilla Bot 2023-12-11 15:25:01 UTC
This is an autogenerated message for OBS integration:
This bug (1217706) was mentioned in
https://build.opensuse.org/request/show/1132520 Factory / rpmlint
Comment 6 OBSbugzilla Bot 2023-12-14 17:35:03 UTC
This is an autogenerated message for OBS integration:
This bug (1217706) was mentioned in
https://build.opensuse.org/request/show/1133150 Factory / rpmlint
Comment 7 Matthias Gerstner 2024-01-08 09:50:51 UTC
The whitelisting should be effective by now. Closing as fixed.