Bug 878102 (CVE-2012-5560)
| Summary: | CVE-2012-5560 mate-settings-daemon: Any unprivileged user can change the system's timezone | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Miloslav Trmač <mitr> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | dan.mashal, rdieter, security-response-team |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-12-01 21:31:16 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 879044 | ||
| Bug Blocks: | |||
I can confirm this on Fedora 17 as well. I'm going to make this issue public, it's not something we need to keep private, and we also should get this fixed in Fedora ASAP. Just changing the allow_active setting from "auth_self_keep" to "auth_admin" will work. Created mate-settings-daemon tracking bugs for this issue Affects: fedora-all [bug 879044] mate-settings-daemon-1.5.3-5.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report. |
Version-Release number of selected component (if applicable): e.g. mate-settings-daemon-1.5.3-1.fc8 mate-settings-daemon's datetime mechanism provides a D-Bus method to set the timezone, which is guarded by polkit's action org.mate.settingsdaemon.datetimemechanism.settimezone; this has the default policy "auth_self_keep", which allows any local user to perform the operation with only knowing their own password. This seems not to be currently exposed in the mate UI, but it is available through manual D-Bus calls, e.g. > dbus-send --system --print-reply --type=method_call --dest=org.mate.SettingsDaemon.DateTimeMechanism / org.mate.SettingsDaemon.DateTimeMechanism.SetTimezone string:/usr/share/zoneinfo/Cuba Because the time zone setting is a global resource, it should be restricted to system administrators (== root or users in the "wheel" group), by having a policy auth_admin_*. That's also what the other timezone setting mechanisms (in systemd and control-center) do.