Bug 1094121 - Tracker: Fix desktop centric polkit policy
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: distribution
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Stef Walter
QA Contact: Fedora Extras Quality Assurance
Depends On: 979416 1094120 1094124 1094135 1094138 1094143 1094149 1094150 1094155 1094161 1094745 1094750 1094752 1095142 1095143 1095145 1095147 1097765 1121020 1145646
Reported: 2014-05-05 06:24 UTC by Stef Walter
Modified: 2015-06-02 20:14 UTC
Doc Type: Bug Fix

Description Stef Walter 2014-05-05 06:24:17 UTC
Polkit is used by more than just Workstations with desktops. We need to fix the completely desktop-centric polkit policy shipped by many packages. This is a tracker bug.

Comment 1 Stef Walter 2014-05-05 07:24:18 UTC
<allow_any>xxx</allow_any> is about the scariest tag name you can have in a security system. It doesn't do what it says on the tin.

Just to clarify:

    allow_any    Implicit authorizations that apply to any client. Optional.


http://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html

Comment 2 Stef Walter 2014-05-05 08:09:34 UTC
Packages that got it right, and allow non-local users:

cups-pk-helper-0.2.5-2.fc20.x86_64
   https://bugs.freedesktop.org/show_bug.cgi?id=41011
ettercap-0.8.0-1.fc20.x86_64
  /usr/share/polkit-1/actions/org.pkexec.ettercap.policy
gksu-polkit-0.0.3-8.gitf8ce834c.fc20.x86_64
  /usr/share/polkit-1/actions/org.gnome.gksu.policy
grub-customizer-4.0.6-1.fc20.x86_64
  /usr/share/polkit-1/actions/net.launchpad.danielrichter2007.pkexec.grub-customizer.policy
libvirt-daemon-1.1.3.4-4.fc20.x86_64
  /usr/share/polkit-1/actions/org.libvirt.unix.policy /usr/share/polkit-1/actions/org.libvirt.api.policy
scap-workbench-0.8.8-1.fc20.x86_64
  /usr/share/polkit-1/actions/scap-workbench-oscap.policy
setroubleshoot-server-3.2.14-2.fc20.x86_64
  /usr/share/polkit-1/actions/org.fedoraproject.setroubleshootfixit.policy
setroubleshoot-server-3.2.17-1.fc20.x86_64
  /usr/share/polkit-1/actions/org.fedoraproject.setroubleshootfixit.policy
storaged-0.2.0-1.fc20.x86_64
  /usr/share/polkit-1/actions/com.redhat.lvm2.policy
tuna-0.11.1-2.fc20.noarch
  /usr/share/polkit-1/actions/org.tuna.policy
tuxcut-5.1-1.fc20.noarch
  /usr/share/polkit-1/actions/org.ojuba.pkexec.tuxcut.policy

Comment 3 Stef Walter 2014-05-05 08:10:31 UTC
Packages that seem to get it right, and restrict non-local users for valid reasons:

fprintd-0.5.1-1.fc20.x86_64
  /usr/share/polkit-1/actions/net.reactivated.fprint.device.policy
spice-glib-0.21-5.fc20.x86_64
  /usr/share/polkit-1/actions/org.spice-space.lowlevelusbaccess.policy
systemd-208-9.fc20.x86_64
  /usr/share/polkit-1/actions/org.freedesktop.locale1.policy
  /usr/share/polkit-1/actions/org.freedesktop.hostname1.policy
  /usr/share/polkit-1/actions/org.freedesktop.systemd1.policy
  /usr/share/polkit-1/actions/org.freedesktop.timedate1.policy
  /usr/share/polkit-1/actions/org.freedesktop.login1.policy
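
Added example, not part of the original bug report: a small audit of polkit .policy files for the pattern this tracker is about, actions that an active console session may perform but that non-local clients are denied outright. The org.example.* action ids are hypothetical, and both the strictness ordering and the treatment of an omitted element as "no" are assumptions of this example.

```python
from pathlib import Path
import xml.etree.ElementTree as ET

# Implicit-authorization values from polkit(8), least to most restrictive.
# The ordering is this example's own ranking, used only for comparison.
STRICTNESS = ["yes", "auth_self_keep", "auth_self",
              "auth_admin_keep", "auth_admin", "no"]
NO = STRICTNESS.index("no")

def _level(defaults, tag):
    # Assumption: an omitted element counts as "no".
    value = "no" if defaults is None else defaults.findtext(tag, "no").strip()
    if value not in STRICTNESS:
        raise ValueError(f"unknown implicit authorization {value!r} in <{tag}>")
    return STRICTNESS.index(value)

def audit_policy(xml_text):
    """Map each action id in one .policy document to a verdict."""
    verdicts = {}
    for action in ET.fromstring(xml_text).iter("action"):
        defaults = action.find("defaults")
        remote = _level(defaults, "allow_any")
        active = _level(defaults, "allow_active")
        if remote == NO and active < NO:
            verdict = "local-only"       # non-local clients can never authorize
        elif remote > active:
            verdict = "stricter-remote"  # possible, but harder than at the console
        else:
            verdict = "remote-ok"        # non-local clients are treated no worse
        verdicts[action.get("id")] = verdict
    return verdicts

def audit_dir(path="/usr/share/polkit-1/actions"):
    """Audit every *.policy file in the directory used by the packages listed here."""
    return {str(p): audit_policy(p.read_bytes())
            for p in sorted(Path(path).glob("*.policy"))}

# Constructed sample; the org.example.* action ids are hypothetical.
SAMPLE = """<policyconfig>
  <action id="org.example.demo.set-time"><defaults><allow_any>no</allow_any>
    <allow_active>auth_admin_keep</allow_active></defaults></action>
  <action id="org.example.demo.manage"><defaults><allow_any>auth_admin</allow_any>
    <allow_active>auth_admin</allow_active></defaults></action>
  <action id="org.example.demo.read"><defaults><allow_any>auth_admin</allow_any>
    <allow_active>yes</allow_active></defaults></action>
  <action id="org.example.demo.eject"><defaults>
    <allow_active>yes</allow_active></defaults></action>
</policyconfig>"""
```

A "local-only" verdict is a prompt for review rather than a defect in itself, since some actions restrict non-local users for valid reasons.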

Comment 4 Stef Walter 2014-05-05 08:13:08 UTC
Didn't bother checking, either desktop centric package, or deprecated:

 * All Cinnamon packages
 * All KDE packages
 * All mate packages
 * All XFCE packages
 * And the following:

GConf2-3.2.6-7.fc20.x86_64
  /usr/share/polkit-1/actions/org.gnome.gconf.defaults.policy
ailurus-10.10.3-6.fc20.noarch
  /usr/share/polkit-1/actions/cn.ailurus.policy
1:arduino-1.0.5-6.fc20.noarch
  /usr/share/polkit-1/actions/cc.arduino.add-groups.policy
blueman-1.23-7.fc20.x86_64
  /usr/share/polkit-1/actions/org.blueman.policy
1:control-center-3.10.3-1.fc20.x86_64
  /usr/share/polkit-1/actions/org.gnome.controlcenter.datetime.policy
  /usr/share/polkit-1/actions/org.gnome.controlcenter.user-accounts.policy
  /usr/share/polkit-1/actions/org.gnome.controlcenter.remote-login-helper.policy
eclipse-oprofile-2.2.1-1.fc20.1.noarch
  /usr/share/polkit-1/actions/org.eclipse.linuxtools.oprofile.policy
gameconqueror-0.14-2.0bff2a6.fc20.x86_64
  /usr/share/polkit-1/actions/org.freedesktop.gameconqueror.policy
gnome-settings-daemon-3.10.2-2.fc20.x86_64
  /usr/share/polkit-1/actions/org.gnome.settings-daemon.plugins.wacom.policy
  /usr/share/polkit-1/actions/org.gnome.settings-daemon.plugins.power.policy
1:gnome-system-log-3.9.90-1.fc20.x86_64
  /usr/share/polkit-1/actions/org.gnome.logview.policy
gnome-system-monitor-3.10.2-1.fc20.x86_64
  /usr/share/polkit-1/actions/org.gnome.gnome-system-monitor.policy
gparted-0.18.0-1.fc20.x86_64
  /usr/share/polkit-1/actions/org.fedoraproject.pkexec.run-gparted.policy
2:mtr-gtk-0.85-4.fc20.x86_64
  /usr/share/polkit-1/actions/org.fedoraproject.mtr.policy
rtkit-0.11-7.fc20.x86_64
  /usr/share/polkit-1/actions/org.freedesktop.RealtimeKit1.policy
system-config-date-1.10.6-1.fc20.noarch
  /usr/share/polkit-1/actions/org.fedoraproject.config.date.policy
system-config-firewall-1.2.29-10.fc20.noarch
  /usr/share/polkit-1/actions/org.fedoraproject.config.firewall.policy
system-config-kdump-2.0.14-1.fc20.noarch
  /usr/share/polkit-1/actions/org.fedoraproject.systemconfig.kdump.policy
system-config-keyboard-1.4.0-3.fc20.noarch
  /usr/share/polkit-1/actions/org.fedoraproject.config.keyboard.policy
system-config-nfs-1.4.2-1.fc20.noarch
  /usr/share/polkit-1/actions/org.fedoraproject.config.nfs.policy
system-config-samba-1.2.100-2.fc20.noarch
  /usr/share/polkit-1/actions/org.fedoraproject.config.samba.policy
system-config-services-0.111.1-1.fc20.noarch
  /usr/share/polkit-1/actions/org.fedoraproject.config.services.policy
system-config-users-1.3.5-1.fc20.noarch
  /usr/share/polkit-1/actions/org.fedoraproject.config.users.policy
system-switch-displaymanager-1.3-3.fc20.noarch
  /usr/share/polkit-1/actions/org.fedoraproject.switch.displaymanager.policy
udisks-1.0.4-12.fc20.x86_64
  /usr/share/polkit-1/actions/org.freedesktop.udisks.policy
upower-0.9.23-1.fc20.x86_64
  /usr/share/polkit-1/actions/org.freedesktop.upower.qos.policy
  /usr/share/polkit-1/actions/org.freedesktop.upower.policy
usbview-2.0-3.fc20.x86_64
  /usr/share/polkit-1/actions/org.fedoraproject.usbview.policy
yumex-3.0.13-1.fc20.noarch
  /usr/share/polkit-1/actions/dk.yumex.backend.policy

Comment 5 Stef Walter 2014-05-05 10:01:44 UTC
Also gets this right:

firewalld-0.3.9.3-1.fc20.noarch

Comment 6 Rex Dieter 2014-05-05 13:40:30 UTC
fyi, in case it is relevant (not 100% clear to me yet)
https://fedoraproject.org/wiki/Privilege_escalation_policy

per my comment in linked https://bugzilla.redhat.com/show_bug.cgi?id=1094120#c2

Comment 7 Jan Safranek 2014-07-18 07:59:00 UTC
1094121 is about _adding_ polkit support to systemd rather than desktop-centric policy.

Comment 8 Fedora End Of Life 2015-05-29 11:45:46 UTC
This message is a reminder that Fedora 20 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 20. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora 'version'
of '20'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 20 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora
version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

