Red Hat Bugzilla – Bug 878102
CVE-2012-5560 mate-settings-daemon: Any unprivileged user can change the system's timezone
Last modified: 2015-08-19 05:18:50 EDT
Version-Release number of selected component (if applicable):
mate-settings-daemon's datetime mechanism provides a D-Bus method to set the timezone, which is guarded by polkit's action org.mate.settingsdaemon.datetimemechanism.settimezone; this has the default policy "auth_self_keep", which allows any local user to perform the operation with only knowing their own password.
This seems not to be currently exposed in the mate UI, but it is available through manual D-Bus calls, e.g.
> dbus-send --system --print-reply --type=method_call --dest=org.mate.SettingsDaemon.DateTimeMechanism / org.mate.SettingsDaemon.DateTimeMechanism.SetTimezone string:/usr/share/zoneinfo/Cuba
Because the time zone setting is a global resource, it should be restricted to system administrators (== root or users in the "wheel" group), by having a policy auth_admin_*. That's also what the other timezone setting mechanisms (in systemd and control-center) do.
I can confirm this on Fedora 17 as well.
I'm going to make this issue public, it's not something we need to keep private, and we also should get this fixed in Fedora ASAP. Just changing the allow_active setting from "auth_self_keep" to "auth_admin" will work.
Created mate-settings-daemon tracking bugs for this issue
Affects: fedora-all [bug 879044]
mate-settings-daemon-1.5.3-5.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.