Bug 1205246

Summary: AUDIT-0: rubygem-d-installer: review of D-Bus services org.opensuse.DInstaller*.service
Product: [openSUSE] openSUSE Tumbleweed
Reporter: Martin Vidner <mvidner>
Component: Security
Assignee: Security Team bot <security-team>
Status: RESOLVED DUPLICATE
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P5 - None
CC: igonzalezsosa, mvidner
Version: Current
Flags: igonzalezsosa: needinfo? (mvidner)
Hardware: Other
OS: Other

Description Martin Vidner 2022-11-09 14:52:35 UTC
https://github.com/yast/d-installer/ , packaged at https://build.opensuse.org/project/show/YaST:Head:D-Installer , is built on a D-Bus interface.

With PR https://github.com/yast/d-installer/pull/295 we have fixed the activation of its handful of services, running them as root, so an audit is needed.

The D-Bus policy file is https://github.com/yast/d-installer/blob/master/service/share/dbus.conf
and AFAICT it only allows calls from root. OTOH it looks trivially redundant, and RPMlint warns:

ruby3.1-rubygem-d-installer.x86_64: W: dbus-policy-allow-receive <allow receive_sender="org.opensuse.DInstaller"/> /usr/share/dbus-1/system.d/org.opensuse.DInstaller.conf
...
allow receive_* is normally not needed as that is the default.
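As an added illustration of the two points in this report (an `allow receive_*` rule grants nothing on the system bus because receiving is already the default, and call access should remain root-only), the following Python check walks a D-Bus policy file and reports both conditions. It is not part of d-installer or RPMlint; the sample policy it parses is constructed around the one rule quoted in the warning, and the rest of that file's contents is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy: the service name and the receive_sender rule come
# from the RPMlint warning above; the rest of the file is an assumption.
SAMPLE_POLICY = """\
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <policy user="root">
    <allow own="org.opensuse.DInstaller"/>
    <allow send_destination="org.opensuse.DInstaller"/>
    <allow receive_sender="org.opensuse.DInstaller"/>
  </policy>
  <policy context="default">
    <allow receive_sender="org.opensuse.DInstaller"/>
  </policy>
</busconfig>
"""


def audit_policy(xml_text):
    """Return (redundant, exposed), each a list of (scope, attribute, value).

    redundant: <allow receive_*> rules. The system bus already allows receiving
               by default, so they grant nothing (this is what RPMlint flags).
    exposed:   <allow own*|send_*> rules in any policy other than user="root"
               (context="default", another user, a group), i.e. the service
               would be ownable or callable by unprivileged clients.
    """
    redundant, exposed = [], []
    for policy in ET.fromstring(xml_text).iter("policy"):
        key = next((k for k in ("context", "user", "group") if k in policy.attrib), None)
        scope = f"{key}={policy.get(key)}" if key else "unscoped"
        root_only = policy.get("user") == "root"
        for rule in policy.findall("allow"):
            for attr, value in rule.attrib.items():
                if attr.startswith("receive_"):
                    redundant.append((scope, attr, value))
                elif not root_only and attr.startswith(("own", "send_")):
                    exposed.append((scope, attr, value))
    return redundant, exposed


if __name__ == "__main__":
    redundant, exposed = audit_policy(SAMPLE_POLICY)
    for scope, attr, value in redundant:
        print(f"redundant (default already allows it): {scope}: allow {attr}={value!r}")
    for scope, attr, value in exposed:
        print(f"EXPOSED to non-root callers: {scope}: allow {attr}={value!r}")
```

Run against the packaged file with `audit_policy(open("/usr/share/dbus-1/system.d/org.opensuse.DInstaller.conf").read())`; an empty `exposed` list is the property the report asks to confirm.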
Comment 1 Imobach Gonzalez Sosa 2022-11-10 06:25:43 UTC
Hi Martin,

Thanks for asking for a security review. However, we already have bug 1202059, so it might make sense to use the same bug.

Regards,
Imo
Comment 2 Martin Vidner 2022-11-10 08:10:07 UTC
Ah. I did try to find an existing report, somehow missed it.

*** This bug has been marked as a duplicate of bug 1202059 ***