Bugzilla – Full Text Bug Listing |
| Summary: | gvfs: removal of /usr/share/polkit-1/rules.d/org.gtk.vfs.file-operations.rules | ||
|---|---|---|---|
| Product: | [openSUSE] openSUSE Tumbleweed | Reporter: | Matthias Gerstner <matthias.gerstner> |
| Component: | Security | Assignee: | Michael Gorse <mgorse> |
| Status: | RESOLVED FIXED | QA Contact: | E-mail List <qa-bugs> |
| Severity: | Normal | ||
| Priority: | P5 - None | CC: | bjorn.lie, dimstar, luc14n0, mgorse, security-team, sreeves |
| Version: | Current | ||
| Target Milestone: | --- | ||
| Hardware: | Other | ||
| OS: | Other | ||
| Whiteboard: | |||
| Found By: | --- | Services Priority: | |
| Business Priority: | Blocker: | --- | |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Bug Depends on: | |||
| Bug Blocks: | 1125314 | ||
Description
Matthias Gerstner
2019-02-14 10:58:45 UTC
A new rpmlint-check is effective in Factory by now that generates a warning about files installed in rules.d without a whitelisting. In a while we will make this an error. So please adjust your package accordingly to avoid a broken build. Thank you.

This is a friendly reminder to work on this topic. In a while the new rpmlint check will cause badness and thus the package build will fail if this is not adjusted accordingly. Thank you!

Mike - can you take this one.

Done.

SUSE-SU-2019:1717-1: An update that solves four vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 1125433,1136981,1136986,1136992,1137930
CVE References: CVE-2019-12447,CVE-2019-12448,CVE-2019-12449,CVE-2019-12795
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): gvfs-1.34.2.1-4.13.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src): gvfs-1.34.2.1-4.13.1
SUSE Linux Enterprise Module for Desktop Applications 15 (src): gvfs-1.34.2.1-4.13.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

openSUSE-SU-2019:1699-1: An update that solves four vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 1125433,1136981,1136986,1136992,1137930
CVE References: CVE-2019-12447,CVE-2019-12448,CVE-2019-12449,CVE-2019-12795
Sources used:
openSUSE Leap 15.0 (src): gvfs-1.34.2.1-lp150.3.10.1

openSUSE-SU-2019:1697-1: An update that solves four vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 1125433,1136981,1136986,1136992,1137930
CVE References: CVE-2019-12447,CVE-2019-12448,CVE-2019-12449,CVE-2019-12795
Sources used:
openSUSE Leap 15.1 (src): gvfs-1.34.2.1-lp151.6.3.1

I'd like to reopen this

The premise in comment 1 is wrong.
With the file in place, and user as part of wheel group, it removes the current situation that we get 2 root prompts when calling admin:// in nautilus.

Sure we can have the file in docs, so we force end users to add oneself to wheel group AND move a file that hurts no one if we leave it in place. I bet about 0.02 % of users would have found that one....

With the file in place, we only get 1 root prompt when calling admin:// in nautilus, and that should suffice plenty, they have to make the choice to add oneself to wheel group - making users type the admin password more than once only makes them respect it even less.

What the .rules file has inside:
```js
// Allows users belonging to wheel group to start gvfsd-admin without
// authorization. This prevents redundant password prompt when starting
// gvfsd-admin. The gvfsd-admin causes another password prompt to be shown
// for each client process using the different action id and for the subject
// based on the client process.
polkit.addRule(function(action, subject) {
    if ((action.id == "org.gtk.vfs.file-operations-helper") &&
        subject.local &&
        subject.active &&
        subject.isInGroup ("wheel")) {
        return polkit.Result.YES;
    }
});
```
(In reply to bjorn.lie@gmail.com from comment #12)
> I'd like to reopen this
>
> The premise in comment 1 is wrong.

You probably mean comment 0 "This file is currently not effective anyways", no?

Can you please open a separate bug instead of reopening this one? This bug was about the removal of the rules, which already took place, if you want it to be re-added then please open a new bug referencing this one and explaining your reasons. In the meanwhile I will investigate the current situation on Tumbleweed.

(In reply to Matthias Gerstner from comment #14)
> You probably mean comment 0 "This file is currently not effective anyways",
> no?
>
> Can you please open a separate bug instead of reopening this one? This bug
> was about the removal of the rules, which already took place, if you want it
> to be re-added then please open a new bug referencing this one and
> explaining your reasons. In the meanwhile I will investigate the current
> situation on Tumbleweed.

Ah yes comment 0 indeed. As to at least packaging the file as a doc example I've done https://build.opensuse.org/request/show/946769 already.

I'll close this one, and get around to filing a new bug to get the file "reinstated". Frankly I'd like to have the whole nuke wheel group policy changed, but that is a different battle I guess.
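
A simplified audit in the spirit of the whitelisting check discussed in this bug, added here as an example; it is not part of the bug report and not the rpmlint implementation. It lists each `*.rules` file, whether its content matches a reviewed digest, and whether it returns `polkit.Result.YES` for some action and group. The `reviewed` digest map and the function names are assumptions made for this example.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Directories polkit reads rules from (vendor-shipped and admin-local).
RULES_DIRS = ("/usr/share/polkit-1/rules.d", "/etc/polkit-1/rules.d")
# The rule quoted in this bug, embedded so the example runs offline.
SAMPLE_RULE = '''\
polkit.addRule(function(action, subject) {
    if ((action.id == "org.gtk.vfs.file-operations-helper") &&
        subject.local &&
        subject.active &&
        subject.isInGroup ("wheel")) {
        return polkit.Result.YES;
    }
});
'''
ACTION_RE = re.compile(r'action\.id\s*={2,3}\s*["\']([^"\']+)["\']')
GROUP_RE = re.compile(r'isInGroup\s*\(\s*["\']([^"\']+)["\']')

def audit_rules(dirs=RULES_DIRS, reviewed=None):
    """Report every *.rules file; `reviewed` maps file name -> SHA-256 hex
    digest of the audited content (a format assumed for this example)."""
    reviewed = reviewed or {}
    findings = []
    for directory in filter(Path.is_dir, map(Path, dirs)):
        for path in sorted(directory.glob("*.rules")):
            data = path.read_bytes()
            digest = hashlib.sha256(data).hexdigest()
            # Heuristic: drop // comments so prose does not trigger matches.
            code = re.sub(r"//.*", "", data.decode("utf-8", "replace"))
            findings.append({
                "file": path.name,
                "reviewed": reviewed.get(path.name) == digest,
                "grants_without_prompt": "polkit.Result.YES" in code,
                "actions": sorted(set(ACTION_RE.findall(code))),
                "groups": sorted(set(GROUP_RE.findall(code))),
            })
    return findings

def demo():
    """Audit a temporary directory holding only the rule from this bug."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "org.gtk.vfs.file-operations.rules").write_text(SAMPLE_RULE)
        return audit_rules([tmp])

if __name__ == "__main__":
    print(demo())
```

Calling `audit_rules()` with no arguments scans the two default directories; the regular expressions are heuristics over the rule text and do not evaluate the JavaScript.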