Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 415583

Summary: sys-auth/polkit configuration directories are not CONFIG_PROTECTed
Product: Gentoo Security Reporter: Petr Pisar <petr.pisar>
Component: Default ConfigsAssignee: Gentoo Security <security>
Status: RESOLVED INVALID    
Severity: normal CC: nikoli, ssuominen
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://bugs.gentoo.org/show_bug.cgi?id=438790
Whiteboard:
Package list:
Runtime testing required: ---

Description Petr Pisar 2012-05-12 14:56:47 UTC 
sys-auth/polkit is used to authorize a user to do a privileged operations like system shutdown or mounting a file system.

polkit defines directories to drops configuration files into:

pklocalauthority(8):
  /etc/polkit-1/localauthority
  /var/lib/polkit-1/localauthority
polkit(8):
  /usr/share/polkit-1/actions

Notice: There can be other paths, I do not guarantee I found all of them.

E.g. sys-auth/polkit-0.104-r1 allows ordinary user to do a shutdown by default. I got bitten by polkit update which rewritten my tightened configuration on my terminal server.

I propose putting sys-auth/polkit configuration directories into CONFIG_PROTECT profile variable in order to ensure such sensitive configuration will not change without notice.
Comment 1 Samuli Suominen (RETIRED) gentoo-dev 2012-05-12 15:13:09 UTC 
Users are only supposed to override polkit configuration in /etc/polkit-1 and surely files in /etc go under the default config protection?

Users are not supposed to edit anything in /usr/share/polkit-1 directly as everything can be done in /etc

So I don't see a bug anywhere
Comment 2 Samuli Suominen (RETIRED) gentoo-dev 2012-05-12 15:15:04 UTC 
Everything seems to be in order here:

# emerge --info|grep CONFIG_PROT
CONFIG_PROTECT="/etc
Comment 3 Samuli Suominen (RETIRED) gentoo-dev 2012-10-18 13:04:51 UTC 
*** Bug 438790 has been marked as a duplicate of this bug. ***
Comment 4 Samuli Suominen (RETIRED) gentoo-dev 2012-10-18 13:07:01 UTC 
man 8 polkit even draws 'a map' for it:

               +------------------+
               |    polkitd(8)    |
               +------------------+
               | org.freedesktop. |
               |    PolicyKit1    |<---------+
               +------------------+          |
                         ^                   |
                         |            +--------------------------------------+
                         |            | /usr/share/polkit-1/actions/*.policy |
                         |            +--------------------------------------+
                         |
                  +--------------------------------------+
                  | /etc/polkit-1/rules.d/*.rules        |
                  | /usr/share/polkit-1/rules.d/*.rules  |
                  +--------------------------------------+