768108 – dev-util/meson: Automatic privilege escalation with polkit

Bug 768108 - dev-util/meson: Automatic privilege escalation with polkit

Summary: dev-util/meson: Automatic privilege escalation with polkit

Status:	RESOLVED UPSTREAM

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Misc (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Mike Gilbert

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2021-01-31 19:51 UTC by orbea
Modified:	2021-01-31 22:19 UTC (History)
CC List:	2 users (show)

See Also:	https://github.com/mesonbuild/meson/issues/7345
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description orbea 2021-01-31 19:51:44 UTC

During the install process meson has code to automatically seek root privileges during install with polkit which depending on the user's settings may result in a password prompt or an unexpected install instead of permission denied errors.

This was merged in PR:

  https://github.com/mesonbuild/meson/pull/3567

This is likely not a problem with emerge, but users may use meson manually or in their personal projects and this behavior is arguably a potential security risk or foot gun. It could be unintentionally triggered with something as simple as a missing DESTDIR.

Also see the upstream meson issue which does not appear to be getting a fix anytime soon.

  https://github.com/mesonbuild/meson/issues/7345

Comment 1 Mike Gilbert gentoo-dev

2021-01-31 22:19:08 UTC

This seems to be working as-designed with regard to polkit integration.