*** Description of problem: The "/usr/bin/gameconqueror" script invokes pkexec for launching "/usr/share/gameconqueror/GameConqueror.py" as root. This is - both inconvenient (the user has to enter a password for getting root privileges) - and unnecessary (on Fedora, there's absolutely no reason for running gameconqueror as root, just for ptracing other processes of the same user) Therefore it should not be done. *** Version-Release number of selected component (if applicable): gameconqueror-0.17-13.fc37.1.x86_64 *** How reproducible: 100% *** Steps to Reproduce: 1. launch "gameconqueror" from a normal user terminal / shell, in a graphical (X11 or Wayland) session *** Actual results: 2. witness the pkexec popup asking for a password 3. enter password 4. gameconqueror is now running as root *** Expected results: 2. gameconqueror should be running as the normal user at once *** Additional info: The upstream scanmem developers seem to be using some Linux distribution where the "Yama" security module prevents one process of a normal user from ptrace()-ing a *sibling* (non-descendant) process that belongs to the same normal user. In order to get around this limitation, upstream gameconqueror comes with a startup script that first elevates its privileges to root, using pkexec, then launches the actual gameconqueror python program. If such a ptrace() limitation existed on Fedora, then we couldn't attach a plain gdb process (as in, "gdb -p PID") to a program that was not originally started by gdb. So this ptrace() restriction doesn't exist on Fedora, therefore the privilege escalation in /usr/bin/gameconqueror is unnecessary, and should be removed. Note that six years ago, a SUSE developer attempted to implement this upstream, with the exact same argument, as an *option* not to call pkexec. Refer to upstream pull request <https://github.com/scanmem/scanmem/pull/242>. The proposal went nowhere and the pull request was rejected / abandoned. The ask here is to (1) remove the polkit dependency from Fedora's gameconqueror package, and (2) modify the "/usr/bin/gameconqueror" shell script to launch "GameConqueror.py" *without* pkexec. Namely, the following variant works perfectly fine (allows a normal user to trace their own processes without problems): ---------- #!/usr/bin/bash DATADIR=/usr/share/gameconqueror $DATADIR/GameConqueror.py "$@" ----------
(The fedora kernel includes the Yama security module as well, but the "/proc/sys/kernel/yama/ptrace_scope" sysctl defaults to 0. Refer to "Documentation/admin-guide/LSM/Yama.rst" in the kernel tree for details. The "/usr/bin/gameconqueror" script is wrong to assume that Yama restricts ptrace().)
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.
This message is a reminder that Fedora Linux 37 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 37 on 2023-12-05. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '37'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, change the 'version' to a later Fedora Linux version. Note that the version field may be hidden. Click the "Show advanced fields" button if you do not see it. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora Linux 37 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora Linux, you are encouraged to change the 'version' to a later version prior to this bug being closed.
Fedora Linux 37 entered end-of-life (EOL) status on 2023-12-05. Fedora Linux 37 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora Linux please feel free to reopen this bug against that version. Note that the version field may be hidden. Click the "Show advanced fields" button if you do not see the version field. If you are unable to reopen this bug, please file a new report against an active release. Thank you for reporting this bug and we are sorry it could not be fixed.
Closing on Fedora 37 EOL is not relevant, as same situation is in F39 (rawhide as well). On the other hand the proposed patch doesn't work in current (F39) default Fedora installation. Problem is not only in tracing, but running without root fails already on access to the /proc/PID/maps which is in Fedora allowed only to root: $ strace /usr/share/gameconqueror/GameConqueror.py 2>&1 |grep open | grep -e /maps openat(AT_FDCWD, "/proc/1038389/maps", O_RDONLY) = 7 openat(AT_FDCWD, "/proc/1019330/maps", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied) openat(AT_FDCWD, "/proc/1019330/maps", O_RDONLY) = -1 EACCES (Permission denied) write(2, "failed to open maps file /proc/1"..., 45failed to open maps file /proc/1019330/maps. $ ps aux|grep -E '1038389|1019330' mambroz 1019330 23.7 0.3 1029688 99988 ? Sl 14:45 65:04 /usr/bin/powermanga mambroz 1038389 2.8 0.1 874348 61600 pts/0 Sl+ 19:18 0:02 /usr/bin/python3 /usr/share/gameconqueror/GameConqueror.py Yes Yama is still on 0, but still it seems that the policy is still enforced and cant be changed easily: $ cat /proc/sys/kernel/yama/ptrace_scope 0 $ gdb -p 1019330 GNU gdb (Fedora Linux) 14.1-1.fc39 Copyright (C) 2023 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details. This GDB was configured as "x86_64-redhat-linux-gnu". Type "show configuration" for configuration details. For bug reporting instructions, please see: <https://www.gnu.org/software/gdb/bugs/>. Find the GDB manual and other documentation resources online at: <http://www.gnu.org/software/gdb/documentation/>. For help, type "help". Type "apropos word" to search for commands related to "word". No symbol table is loaded. Use the "file" command. Attaching to process 1019330 ptrace: Operation not permitted. Not sure whether there is some better solution than using the pkexec.
tested on F39 $ uname -r 6.6.8-200.fc39.x86_64
This bug appears to have been reported against 'rawhide' during the Fedora Linux 40 development cycle. Changing version to 40.
This message is a reminder that Fedora Linux 40 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 40 on 2025-05-13. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '40'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, change the 'version' to a later Fedora Linux version. Note that the version field may be hidden. Click the "Show advanced fields" button if you do not see it. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora Linux 40 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora Linux, you are encouraged to change the 'version' to a later version prior to this bug being closed.
Fedora Linux 40 entered end-of-life (EOL) status on 2025-05-13. Fedora Linux 40 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora Linux please feel free to reopen this bug against that version. Note that the version field may be hidden. Click the "Show advanced fields" button if you do not see the version field. If you are unable to reopen this bug, please file a new report against an active release. Thank you for reporting this bug and we are sorry it could not be fixed.