Bugzilla – Bug 1226306
AUDIT-WHITELIST: kdeplasma-addons: review of D-Bus service org.kde.kameleonhelper
Last modified: 2024-07-19 07:44:01 UTC
KDE Plasma 6.1 ships a new kded module that allows automatic control of RGB LEDs to match the desktop color scheme. Package (git build) can be found at https://build.opensuse.org/package/show/KDE:Unstable:Frameworks/kdeplasma6-addons. rpmlint message: [ 185s] kdeplasma6-addons.i586: E: dbus-file-unauthorized (Badness: 10) /usr/share/dbus-1/system.d/org.kde.kameleonhelper.conf (sha256 file digest default filter:864c70a8676869ee553d43a9884cd6b067cbd87838f39d8a2f9fed639d5b1774 shell filter:6b269af23963927202767deacadcda10db531bde4136fc8a3ace0ada82ecafae xml filter:f9c8290a4e53a251b5405f0a04676b222866c9d0463e0d5e16d020657ec335cb) [ 185s] kdeplasma6-addons.i586: E: dbus-file-unauthorized (Badness: 10) /usr/share/dbus-1/system-services/org.kde.kameleonhelper.service (sha256 file digest default filter:85e17072d140148cf4cb4186389f5dd6a24c56fbae76c5392504b9062560e0f6 shell filter:85e17072d140148cf4cb4186389f5dd6a24c56fbae76c5392504b9062560e0f6 xml filter:<failed-to-calculate>) Code: https://invent.kde.org/plasma/kdeplasma-addons/-/blob/master/kdeds/kameleon/kameleonhelper.cpp?ref_type=heads I already had a look and sent a MR with some improvements: https://invent.kde.org/plasma/kdeplasma-addons/-/merge_requests/598
Thanks for the bug report. We will schedule it in our team shortly.
This is rather small, the helper code consists of 300 lines of code. I will look into it.
There's only one `writecolor()` D-Bus method that is accessible without authentication for locally logged in users. The implementation is a bit peculiar in some spots: > KAuth::ActionReply KameleonHelper::writecolor(const QVariantMap &args) > { > QStringList devices = args.value(QStringLiteral("devices")).toStringList(); > QStringList colors = args.value(QStringLiteral("colors")).toStringList(); > if (devices.length() != colors.length()) { > qCWarning(KAMELEONHELPER) << "lists of devices and colors do not match in length"; > return KAuth::ActionReply::HelperErrorReply(); > } > for (int i = 0; i < devices.length(); ++i) { > QString device = devices.at(i); no need to use the more costly at(i) when it's already clear that the length is correct, operator[] would be easier to read here. Since this is the kauth D-Bus API I don't see why there's two separate lists for devices and colors. It could be a list of pairs or a map, to avoid having to sync up both lists with each other. > if (device.contains(QLatin1String(".."))) { > qCWarning(KAMELEONHELPER) << "invalid character sequence '..' for device" << device; > return KAuth::ActionReply::HelperErrorReply(); > } This bit is important to avoid escaping the /sys path below. But I would like it better if any "/" characters would be rejected as well. The way it currently is done the caller could still select an unexpected sub-directory within the /sys/class/led tree, which has symlinks pointing around in the sysfs hierarchy. > QByteArray color = colors.at(i).toUtf8(); > if (!(color.length() >= QByteArray("0 0 0").length() && color.length() <= QByteArray("255 255 255").length())) { > qCWarning(KAMELEONHELPER) << "invalid RGB color" << color << "for device" << device; > return KAuth::ActionReply::HelperErrorReply(); > } This seems to be akind of minimal syntax check, but such checks should be left to the kernel device driver, and not be reproduced in userspace. Also the inverted if clause is rather hard to read. > QFile file(LED_SYSFS_PATH + device + LED_RGB_FILE); > if (!QFileInfo(file).exists()) { > qCWarning(KAMELEONHELPER) << "writing to" << file.fileName() << "failed:" > << "file does not exist"; > return KAuth::ActionReply::HelperErrorReply(); > } > if (!QFileInfo(file).isWritable()) { > qCWarning(KAMELEONHELPER) << "writing to" << file.fileName() << "failed:" > << "file is not writable"; > return KAuth::ActionReply::HelperErrorReply(); > } Similarly here it should be left to the kernel to decide whether the file exists and whether it is writable. There's no real value in doing these (possibly racy) checks before actually opening the file. > if (!file.open(QIODevice::WriteOnly)) { > qCWarning(KAMELEONHELPER) << "writing to" << file.fileName() << "failed:" << file.error() << file.errorString(); > return KAuth::ActionReply::HelperErrorReply(); > } > const int bytesWritten = file.write(color); > if (bytesWritten == -1) { > qCWarning(KAMELEONHELPER) << "writing to" << file.fileName() << "failed:" << file.error() << file.errorString(); > return KAuth::ActionReply::HelperErrorReply(); > } > qCDebug(KAMELEONHELPER) << "wrote" << color << "to" << device; > } > > return KAuth::ActionReply::SuccessReply(); > } None if this is critical for security, though, so I'll whitelisting the helper.
This is an autogenerated message for OBS integration: This bug (1226306) was mentioned in https://build.opensuse.org/request/show/1186321 Factory / polkit-default-privs
The whitelisting is in place by now. Closing as fixed. You might want to forward the nots in comment 3 to upstream, the helper code could still use some love.
(In reply to Matthias Gerstner from comment #5) > The whitelisting is in place by now. Closing as fixed. > > You might want to forward the nots in comment 3 to upstream, the helper code > could still use some love. See the initial report, I already made an MR to fix those: > I already had a look and sent a MR with some improvements: > https://invent.kde.org/plasma/kdeplasma-addons/-/merge_requests/598