Bug 2179441 - unnecessary mandatory privilege escalation in gameconqueror startup script
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: scanmem
Version: 37
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Igor Raits
QA Contact: Fedora Extras Quality Assurance
 
Reported: 2023-03-17 19:36 UTC by Laszlo Ersek
Modified: 2023-07-21 12:43 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Type: Bug



Description Laszlo Ersek 2023-03-17 19:36:01 UTC
*** Description of problem:
The "/usr/bin/gameconqueror" script invokes pkexec for launching "/usr/share/gameconqueror/GameConqueror.py" as root. This is

- both inconvenient (the user has to enter a password for getting root privileges)

- and unnecessary (on Fedora, there's absolutely no reason for running gameconqueror as root, just for ptracing other processes of the same user)

Therefore it should not be done.

*** Version-Release number of selected component (if applicable):
gameconqueror-0.17-13.fc37.1.x86_64

*** How reproducible:
100%

*** Steps to Reproduce:
1. launch "gameconqueror" from a normal user terminal / shell, in a graphical (X11 or Wayland) session

*** Actual results:
2. witness the pkexec popup asking for a password
3. enter password
4. gameconqueror is now running as root

*** Expected results:
2. gameconqueror should be running as the normal user at once

*** Additional info:
The upstream scanmem developers seem to be using some Linux distribution where the "Yama" security module prevents one process of a normal user from ptrace()-ing a *sibling* (non-descendant) process that belongs to the same normal user. In order to get around this limitation, upstream gameconqueror comes with a startup script that first elevates its privileges to root, using pkexec, then launches the actual gameconqueror python program.

If such a ptrace() limitation existed on Fedora, then we couldn't attach a plain gdb process (as in, "gdb -p PID") to a program that was not originally started by gdb. So this ptrace() restriction doesn't exist on Fedora, therefore the privilege escalation in /usr/bin/gameconqueror is unnecessary, and should be removed.

Note that six years ago, a SUSE developer attempted to implement this upstream, with the exact same argument, as an *option* not to call pkexec. Refer to upstream pull request <https://github.com/scanmem/scanmem/pull/242>. The proposal went nowhere and the pull request was rejected / abandoned.

The ask here is to (1) remove the polkit dependency from Fedora's gameconqueror package, and (2) modify the "/usr/bin/gameconqueror" shell script to launch "GameConqueror.py" *without* pkexec.

Namely, the following variant works perfectly fine (allows a normal user to trace their own processes without problems):

----------
#!/usr/bin/bash

DATADIR=/usr/share/gameconqueror
$DATADIR/GameConqueror.py "$@"
----------

Comment 1 Laszlo Ersek 2023-03-17 19:43:51 UTC
(The Fedora kernel includes the Yama security module as well, but the "/proc/sys/kernel/yama/ptrace_scope" sysctl defaults to 0. Refer to "Documentation/admin-guide/LSM/Yama.rst" in the kernel tree for details. The "/usr/bin/gameconqueror" script is wrong to assume that Yama restricts ptrace().)
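A launcher variant that makes the decision argued about above explicit, added here as an example and not the Fedora package's or upstream's script: it reads the Yama ptrace_scope sysctl cited in Comment 1 and only falls back to pkexec when the scope is non-zero, so on a default Fedora kernel (scope 0) the program runs as the invoking user. The DATADIR default and the function names are assumptions; the sysctl path is the one named in the comment.

```shell
#!/bin/sh
# Added example (not the packaged /usr/bin/gameconqueror): escalate only when
# the Yama ptrace scope actually restricts tracing sibling processes.

DATADIR=${DATADIR:-/usr/share/gameconqueror}          # assumed install location
YAMA_SCOPE_FILE=${YAMA_SCOPE_FILE:-/proc/sys/kernel/yama/ptrace_scope}

# Print the effective Yama ptrace scope: the sysctl value if the file is
# readable, otherwise 0 (no Yama module means no extra ptrace restriction).
# An optional first argument overrides the file path (used by tests).
yama_ptrace_scope() {
    scope_file=${1:-$YAMA_SCOPE_FILE}
    if [ -r "$scope_file" ]; then
        tr -d '[:space:]' < "$scope_file"
    else
        echo 0
    fi
}

# Succeed (exit 0) when an unprivileged process may ptrace a sibling process
# of the same user, i.e. scope 0; fail for scopes 1..3, which restrict it.
unprivileged_ptrace_ok() {
    case "$(yama_ptrace_scope "$1")" in
        0) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the command prefix the launcher needs: empty when tracing one's own
# processes already works, "pkexec" only where Yama would block it.
launch_prefix() {
    if unprivileged_ptrace_ok "$1"; then
        echo ""
    else
        echo "pkexec"
    fi
}

# Launch the program with whatever prefix this system requires. Not invoked
# at top level here; a wrapper script would call: launch_gameconqueror "$@"
launch_gameconqueror() {
    prefix=$(launch_prefix)
    # $prefix is deliberately unquoted: it is either empty or "pkexec".
    exec $prefix "$DATADIR/GameConqueror.py" "$@"
}
```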

Comment 2 Fedora Admin user for bugzilla script actions 2023-07-21 12:43:51 UTC
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.

