1220862 – AUDIT-WHITELIST: gnome-control-center: polkit-untracked-privilege org.gnome.controlcenter.remote-session-helper

Bug 1220862 - AUDIT-WHITELIST: gnome-control-center: polkit-untracked-privilege org.gnome.controlcenter.remote-session-helper

Summary: AUDIT-WHITELIST: gnome-control-center: polkit-untracked-privilege org.gnome.c...

Status:	RESOLVED FIXED

Alias:	None

Product:	openSUSE Tumbleweed
Classification:	openSUSE
Component:	Security (show other bugs)
Version:	Current
Hardware:	Other Other

Priority:	P5 - None Severity: Normal (vote)
Target Milestone:	---
Assignee:	Matthias Gerstner
QA Contact:	E-mail List

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2024-03-04 11:38 UTC by Dominique Leuenberger
Modified:	2024-03-27 11:01 UTC (History)
CC List:	0 users

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Dominique Leuenberger 2024-03-04 11:38:38 UTC

This weekend, GNOME 46.rc has been released

gnome-control-center has a new polkit helper showing up:

[  122s] gnome-control-center.x86_64: E: polkit-untracked-privilege (Badness: 10000) org.gnome.controlcenter.remote-session-helper (no:no:auth_admin_keep)
[  122s] The polkit action is not listed in the polkit-default-privs profiles which
[  122s] makes it harder for admins to find. Furthermore improper polkit authorization
[  122s] checks can easily introduce security issues. If the package is intended for
[  122s] inclusion in any SUSE product please open a bug report to request review of
[  122s] the package by the security team. Please refer to
[  122s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for
[  122s] more information.

The package can be found in GNOME:Next gnome-control-center

Comment 1 Matthias Gerstner 2024-03-05 14:59:11 UTC

This is used to enable a remote-desktop login service. It existed before
already based on `pkexec` but has been changed:

    commit 944f415215deb23d34c3ab06e0044585e741d31c
    Author: Brandon Nielsen <nielsenb@jetfuse.net>
    Date:   Tue Jul 18 10:25:21 2023 -0500

    Drop dependency on pkexec

    Based on discussion on fedora-devel[0][1] drop the use of pkexec. pkexec
    was used only for starting / stopping / enabling / disabling the sshd
    service via systemd.

    This changes the "org.gnome.controlcenter.remote-login-helper" policy to
    request the necessary systemd permissions, and changes to using polkit
    to request the permission, then making the dbus calls once the
    permission is acquired.

Consequently the newly introduced Polkit policy implicitly adds permissions to
meddle with systemd:

    <action id="org.gnome.controlcenter.remote-session-helper">
    <description>Enable or disable remote sessions</description>
      <message>Authentication is required to enable or disable remote sessions</message>
      <defaults>
        <allow_any>no</allow_any>
        <allow_inactive>no</allow_inactive>
        <allow_active>auth_admin_keep</allow_active>
      </defaults>
      <annotate key="org.freedesktop.policykit.imply">org.freedesktop.systemd1.manage-units org.freedesktop.systemd1.manage-unit-files org.gnome.remotedesktop.configure-system-daemon</annotate>
    </action>

These are pretty strong privileges. The code deals properly with systemd
though.

We can whitelist the new action.

Comment 2 Matthias Gerstner 2024-03-11 11:00:13 UTC

whitelisting is in progress

Comment 3 Matthias Gerstner 2024-03-27 11:01:01 UTC

This is now in Factory. Closing as fixed.