Bug 849739 - AUDIT-0: kwalletmanager: Security Review requested due to suse-dbus-unauthorized-service, polkit-untracked-privilege and polkit-cant-acquire-privilege
Status: RESOLVED FIXED
Alias: None
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Security
Version: 13.2 Milestone 0
Hardware: Other Other
Priority: P5 - None
Severity: Major
Target Milestone: ---
Assignee: Security Team bot
QA Contact: E-mail List
Reported: 2013-11-10 01:50 UTC by Forgotten User DV81ZEWZkN
Modified: 2015-01-29 16:54 UTC

Description Forgotten User DV81ZEWZkN 2013-11-10 01:50:05 UTC
Due to changes in kwalletmanager for KDE's 4.12 release, we're requesting whitelisting the following:

kwalletmanager.i586: E: suse-dbus-unauthorized-service (Badness: 100) /usr/share/dbus-1/system-services/org.kde.kcontrol.kcmkwallet.service
kwalletmanager.i586: E: suse-dbus-unauthorized-service (Badness: 100) /etc/dbus-1/system.d/org.kde.kcontrol.kcmkwallet.conf
The package installs a DBUS system service file. If the package is intended
for inclusion in any SUSE product please open a bug report to request review
of the service by the security team.

kwalletmanager.i586: E: polkit-unauthorized-privilege (Badness: 100) org.kde.kcontrol.kcmkwallet.save (??:no:auth_self_keep)
The package allows unprivileged users to carry out privileged operations
without authentication. This could cause security problems if not done
carefully. If the package is intended for inclusion in any SUSE product please
open a bug report to request review of the package by the security team

kwalletmanager.i586: I: polkit-cant-acquire-privilege org.kde.kcontrol.kcmkwallet.save (??:no:auth_self_keep)
Usability can be improved by allowing users to acquire privileges via
authentication. Use e.g. 'auth_admin' instead of 'no' and make sure to define
'allow_any'. This is an issue only if the privilege is not listed in
/etc/polkit-default-privs.*

Changes are introduced with this commit:
http://quickgit.kde.org/?p=kwallet.git&a=commit&h=717f925b77f13c54e92ecd81ea92487f933a1915

Reproducible: Always
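For readers who want to see what the two polkit findings quoted above actually test, here is an added Python example (not code from the bug report, rpmlint or kwalletmanager) that parses a polkit .policy file and reproduces the checks in simplified form. The sample policy XML is constructed to match the triple rpmlint printed for org.kde.kcontrol.kcmkwallet.save; the real kcmkwallet policy file is not on this page, and the exact rules rpmlint applies are approximated.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the rpmlint triple "??:no:auth_self_keep":
# allow_any undefined, allow_inactive "no", allow_active "auth_self_keep".
SAMPLE_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<policyconfig>
  <action id="org.kde.kcontrol.kcmkwallet.save">
    <description>Save KWallet configuration (constructed sample)</description>
    <defaults>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_self_keep</allow_active>
    </defaults>
  </action>
</policyconfig>
"""

# Implicit authorizations that grant the action without an administrator
# password: the unprivileged user either gets it for free or only proves
# their own identity.
UNAUTHENTICATED = {"yes", "auth_self", "auth_self_keep"}


def action_defaults(policy_xml):
    """Return {action_id: (allow_any, allow_inactive, allow_active)},
    using '??' for an element the policy leaves undefined (rpmlint notation)."""
    root = ET.fromstring(policy_xml)
    result = {}
    for action in root.iter("action"):
        defaults = action.find("defaults")
        triple = []
        for name in ("allow_any", "allow_inactive", "allow_active"):
            el = defaults.find(name) if defaults is not None else None
            triple.append(el.text.strip() if el is not None and el.text else "??")
        result[action.get("id")] = tuple(triple)
    return result


def audit_action(action_id, triple, whitelist=frozenset()):
    """Simplified reproduction of the two findings from the bug report.
    'whitelist' stands for the action ids listed in /etc/polkit-default-privs.*,
    which suppress the findings (assumption: exact rpmlint semantics differ)."""
    if action_id in whitelist:
        return []
    findings = []
    tag = "%s (%s)" % (action_id, ":".join(triple))
    if UNAUTHENTICATED & set(triple):          # privilege without admin auth
        findings.append("E: polkit-unauthorized-privilege " + tag)
    if "no" in triple or "??" in triple:       # cannot be acquired by authenticating
        findings.append("I: polkit-cant-acquire-privilege " + tag)
    return findings


if __name__ == "__main__":
    for action_id, triple in action_defaults(SAMPLE_POLICY).items():
        for line in audit_action(action_id, triple):
            print(line)
```

Feeding a hardened triple such as auth_admin/auth_admin/auth_admin_keep through audit_action returns no findings, which is the shape of fix the rpmlint message suggests.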
Comment 1 Sebastian Krahmer 2013-11-13 09:55:56 UTC
Is it really necessary to run the kwallet as a DBUS _system_ service?

Also, the function that requires the polkit action is just a dummy:

ActionReply SaveHelper::save(QVariantMap args)
{
    __uid_t uid = getuid();
    kDebug() << "executing uid=" << uid;

    return ActionReply::SuccessReply;
}


It's from their git. Do we really need that??

From my understanding a wallet is something that should run in the
user session, therefore a DBUS session bus?!
Comment 2 Sebastian Krahmer 2013-11-13 10:28:43 UTC
Contacted upstream, maybe they can shine some light.
Comment 3 Sebastian Krahmer 2013-11-18 13:23:17 UTC
Can you paste the org.kde.kcontrol.kcmkwallet.conf that you
want to use? It seems not to be part of the kwallet git.
Comment 4 Forgotten User DV81ZEWZkN 2013-11-19 18:18:58 UTC
Sorry for the late reply.
(In reply to comment #3)
> Can you paste the org.kde.kcontrol.kcmkwallet.conf that you
> want to use? It seems not to be part of the kwallet git.

/etc/dbus-1/system.d/org.kde.kcontrol.kcmkwallet.conf
<!DOCTYPE busconfig PUBLIC
 "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
 
  <!-- Only user root can own the foo helper -->
  <policy user="root">
    <allow own="org.kde.kcontrol.kcmkwallet"/>
  </policy>
 
</busconfig>


/usr/share/dbus-1/system-services/org.kde.kcontrol.kcmkwallet.service
[D-BUS Service]
Name=org.kde.kcontrol.kcmkwallet
Exec=/usr/lib64/kde4/libexec/kcm_kwallet_helper
User=root
Comment 5 Bernhard Wiedemann 2013-11-20 15:00:13 UTC
This is an autogenerated message for OBS integration:
This bug (849739) was mentioned in
https://build.opensuse.org/request/show/207761 Factory / polkit-default-privs
Comment 6 Sebastian Krahmer 2013-11-25 09:08:51 UTC
done
Comment 7 Forgotten User DV81ZEWZkN 2013-11-25 12:02:54 UTC
(In reply to comment #6)
> done

Hm, we still have:
[   43s] kwalletmanager.x86_64: E: suse-dbus-unauthorized-service (Badness: 10000) /usr/share/dbus-1/system-services/org.kde.kcontrol.kcmkwallet.service
[   43s] kwalletmanager.x86_64: E: suse-dbus-unauthorized-service (Badness: 10000) /etc/dbus-1/system.d/org.kde.kcontrol.kcmkwallet.conf

Rpmlint not yet submitted?
Comment 8 Raymond Wooninck 2013-11-25 12:46:00 UTC
Hrvoje, 

Keep in mind that KDF is building against snapshot and NOT against standard. As long as snapshot is not being updated from standard, we will keep facing the indicated issue. Until that time we also cannot submit kwalletmanager, as it either doesn't build or it contains an rpmlint error which is not allowed.
Comment 9 Bernhard Wiedemann 2013-11-25 16:00:28 UTC
This is an autogenerated message for OBS integration:
This bug (849739) was mentioned in
https://build.opensuse.org/request/show/208293 Factory / rpmlint
Comment 11 Bernhard Wiedemann 2014-03-12 16:00:32 UTC
This is an autogenerated message for OBS integration:
This bug (849739) was mentioned in
https://build.opensuse.org/request/show/225713 Factory / polkit-default-privs