Bug 2179441

Summary: unnecessary mandatory privilege escalation in gameconqueror startup script
Product: Fedora
Reporter: Laszlo Ersek <lersek>
Component: scanmem
Assignee: Igor Raits <igor.raits>
Status: NEW
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 37
CC: igor.raits, jhrozek, rebus
Hardware: Unspecified
OS: Unspecified
Type: Bug

Description Laszlo Ersek 2023-03-17 19:36:01 UTC
*** Description of problem:
The "/usr/bin/gameconqueror" script invokes pkexec for launching "/usr/share/gameconqueror/GameConqueror.py" as root. This is

- both inconvenient (the user has to enter a password for getting root privileges)

- and unnecessary (on Fedora, there's absolutely no reason for running gameconqueror as root, just for ptracing other processes of the same user)

Therefore it should not be done.

*** Version-Release number of selected component (if applicable):
gameconqueror-0.17-13.fc37.1.x86_64

*** How reproducible:
100%

*** Steps to Reproduce:
1. launch "gameconqueror" from a normal user terminal / shell, in a graphical (X11 or Wayland) session

*** Actual results:
2. witness the pkexec popup asking for a password
3. enter password
4. gameconqueror is now running as root

*** Expected results:
2. gameconqueror should be running as the normal user at once

*** Additional info:
The upstream scanmem developers seem to be using some Linux distribution where the "Yama" security module prevents one process of a normal user from ptrace()-ing a *sibling* (non-descendant) process that belongs to the same normal user. In order to get around this limitation, upstream gameconqueror comes with a startup script that first elevates its privileges to root, using pkexec, then launches the actual gameconqueror python program.

If such a ptrace() limitation existed on Fedora, then we couldn't attach a plain gdb process (as in, "gdb -p PID") to a program that was not originally started by gdb. So this ptrace() restriction doesn't exist on Fedora, therefore the privilege escalation in /usr/bin/gameconqueror is unnecessary, and should be removed.

Note that six years ago, a SUSE developer attempted to implement this upstream, with the exact same argument, as an *option* not to call pkexec. Refer to upstream pull request <https://github.com/scanmem/scanmem/pull/242>. The proposal went nowhere and the pull request was rejected / abandoned.

The ask here is to (1) remove the polkit dependency from Fedora's gameconqueror package, and (2) modify the "/usr/bin/gameconqueror" shell script to launch "GameConqueror.py" *without* pkexec.

Namely, the following variant works perfectly fine (allows a normal user to trace their own processes without problems):

----------
#!/usr/bin/bash

# Launch GameConqueror.py directly as the invoking user, without pkexec.
DATADIR=/usr/share/gameconqueror
$DATADIR/GameConqueror.py "$@"
----------

Comment 1 Laszlo Ersek 2023-03-17 19:43:51 UTC
(The Fedora kernel includes the Yama security module as well, but the "/proc/sys/kernel/yama/ptrace_scope" sysctl defaults to 0. Refer to "Documentation/admin-guide/LSM/Yama.rst" in the kernel tree for details. The "/usr/bin/gameconqueror" script is wrong to assume that Yama restricts ptrace().)
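As an added illustration of the point made in the description and in Comment 1 (not code from the Fedora package, from upstream scanmem, or from the reporter), the wrapper below escalates only when the kernel's Yama ptrace_scope actually restricts tracing of same-user sibling processes, and otherwise launches GameConqueror.py as the invoking user. The DATADIR path is the one from the bug report; YAMA_SCOPE_FILE is an assumed environment override so the decision logic can be exercised against a constructed file rather than the live sysctl, and the launch only happens when the program is actually installed.

```shell
#!/usr/bin/bash
# Added example, not the package's or upstream's startup script.
# Decide at startup whether root is needed to ptrace a sibling process
# owned by the same user, based on Yama's ptrace_scope, instead of always
# calling pkexec.

DATADIR=/usr/share/gameconqueror
# Assumed override: lets the decision be tested against a constructed file.
YAMA_SCOPE_FILE=${YAMA_SCOPE_FILE:-/proc/sys/kernel/yama/ptrace_scope}

# Print the effective ptrace_scope. A missing or unreadable file means
# Yama is not active, which is equivalent to scope 0 (no restriction).
yama_scope() {
    if [ -r "$YAMA_SCOPE_FILE" ]; then
        tr -cd '0-9' < "$YAMA_SCOPE_FILE"
    else
        echo 0
    fi
}

# True (exit 0) when a normal user cannot attach to a same-user sibling:
#   0 = classic ptrace, no escalation needed (Fedora's default)
#   1 = only descendants may be traced
#   2 = CAP_SYS_PTRACE required
#   3 = no attach at all (escalation cannot help either, but is harmless)
needs_pkexec() {
    scope=$(yama_scope)
    [ "${scope:-0}" -ge 1 ]
}

# Compose the command that would be run, so the decision can be inspected
# and tested without executing anything.
launch_cmd() {
    if needs_pkexec; then
        echo "pkexec $DATADIR/GameConqueror.py"
    else
        echo "$DATADIR/GameConqueror.py"
    fi
}

# Only launch when the program is actually installed; otherwise just report
# the decision, which keeps the script runnable on a machine without it.
if [ -x "$DATADIR/GameConqueror.py" ]; then
    exec $(launch_cmd) "$@"
else
    echo "GameConqueror.py not installed; would run: $(launch_cmd)" >&2
fi
```

On a Fedora default system `yama_scope` prints 0, so `launch_cmd` yields the plain path and no password prompt appears; only on a distribution that ships ptrace_scope=1 (the situation upstream appears to be working around) does the wrapper fall back to pkexec.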

Comment 2 Fedora Admin user for bugzilla script actions 2023-07-21 12:43:51 UTC
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.