Bug 782022 - x11-wm/enlightenment-0.24.2-r1: security request
Summary: x11-wm/enlightenment-0.24.2-r1: security request
Status: RESOLVED WORKSFORME
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Default Configs
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-04-10 20:43 UTC by Christian Schmidt
Modified: 2021-10-17 19:16 UTC
CC: 2 users

See Also:
Package list:
Runtime testing required: ---


Description Christian Schmidt 2021-04-10 20:43:56 UTC
x11-wm/enlightenment-0.24.2 installs a suid root helper binary in /usr/lib64/enlightenment/utils/enlightenment_system. This helper binary controls several aspects of the system like CPU frequency, shutdown, etc that require root privileges.

Access to the functions in this helper binary is controlled, among other things, through /etc/enlightenment/system.conf. By default many groups are listed in here.

I would suggest that for security reasons a new enlightenment group is introduced, and only members of this group are permitted access through above config file.
Comment 1 Joonas Niilola gentoo-dev 2021-04-11 11:35:44 UTC
Hmm, would that mean every desktop user would need to be put in that group manually? And that enlightenment would be the only WM/DE that does this?

I'd imagine other DEs/WMs have similar "problems"; how is this dealt with by them?

I don't really like the idea if it makes enlightenment different from the others, hindering the user experience.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2021-04-11 15:23:17 UTC
I don't see any reason to take actions.

/etc/enlightenment/sysactions.conf is totally fine and matches the Linux permission model. I.e. you have groups like wheel, adm, disk, cdrom, audio by default, and it is expected that you put users into these groups when you want them to be able to do advanced stuff.

If you disagree with the defaults it is expected that you make changes to that configuration file to your needs.

Introducing a *new* group as proposed, where you would bundle everything, would only remove the possibility of making fine-grained adjustments like today.
Comment 3 Christian Schmidt 2021-04-23 13:59:11 UTC
/etc/enlightenment/sysactions.conf is not the problem child, /etc/enlightenment/system.conf is. It is used by the suid root process /usr/lib64/enlightenment/utils/enlightenment_system, and follows a simple logic as shipped:
"anyone who is a member of any of the listed groups gets access to all of the listed functionality". It even ships with this comment:

# A WARNING to admins: do NOT allow access for users to this system remotely
# UNLESS you fully trust them or you have locked down permissions to halt/reboot
# suspend etc. here first. You have been warned.

Most desktop users won't be affected, as those machines won't have additional remote users. As such I only wanted to raise attention to this issue, and can live with either outcome. Thank you for looking into this.
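An added example, not code from this bug or from the Enlightenment project: a small Python audit that, given the group names an admin has copied out of /etc/enlightenment/system.conf (the file's own syntax is not parsed here, so the group list is an assumed input), reports which local accounts the helper would accept under the "member of any listed group gets everything" rule, counting primary-group membership from /etc/passwd as well as the member lists in /etc/group. The group list and the /etc/group and /etc/passwd contents below are constructed samples, not from a real system.

```python
# Constructed sample of the groups an admin extracted from system.conf
# (mirrors the default-style list mentioned in the bug; not the real file).
CONFIGURED_GROUPS = ["wheel", "adm", "disk", "cdrom", "audio"]

# Constructed sample /etc/group and /etc/passwd content.
SAMPLE_GROUP = """\
root:x:0:
wheel:x:10:alice
adm:x:4:
disk:x:6:
cdrom:x:19:bob,guest
audio:x:18:alice,bob
users:x:100:
enlightenment:x:1003:alice
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:100::/home/alice:/bin/bash
bob:x:1001:100::/home/bob:/bin/bash
guest:x:1002:19::/home/guest:/bin/bash
"""


def parse_group(text):
    """Map group name -> (gid, set of supplementary members)."""
    groups = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, gid, members = line.split(":", 3)
            groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def parse_passwd(text):
    """Map user name -> primary gid (membership /etc/group does not list)."""
    return {f[0]: int(f[3]) for f in
            (l.split(":") for l in text.splitlines() if l and l[0] != "#")}


def users_with_helper_access(configured, group_text, passwd_text):
    """Return {user: sorted configured groups that admit it}.
    One match suffices: the helper grants all actions to any listed group."""
    groups, primary = parse_group(group_text), parse_passwd(passwd_text)
    result = {}
    for gname in configured:
        if gname in groups:
            gid, members = groups[gname]
            members = members | {u for u, g in primary.items() if g == gid}
            for user in members:
                result.setdefault(user, []).append(gname)
    return {u: sorted(gs) for u, gs in result.items()}
```

Running it with the reporter's proposed single dedicated group instead of CONFIGURED_GROUPS shows how the admitted set shrinks to the users deliberately placed in that group.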
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-10-17 19:16:22 UTC
Seems there's nothing to do here.