Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 768108

Summary: dev-util/meson: Automatic privilege escalation with polkit
Product: Gentoo Security Reporter: orbea <orbea>
Component: MiscAssignee: Mike Gilbert <floppym>
Status: RESOLVED UPSTREAM    
Severity: normal CC: security, williamh
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://github.com/mesonbuild/meson/issues/7345
Whiteboard:
Package list:
Runtime testing required: ---

Description orbea 2021-01-31 19:51:44 UTC 
During the install process meson has code to automatically seek root privileges during install with polkit which depending on the user's settings may result in a password prompt or an unexpected install instead of permission denied errors.

This was merged in PR:

  https://github.com/mesonbuild/meson/pull/3567

This is likely not a problem with emerge, but users may use meson manually or in their personal projects and this behavior is arguably a potential security risk or foot gun. It could be unintentionally triggered with something as simple as a missing DESTDIR.

Also see the upstream meson issue which does not appear to be getting a fix anytime soon.

  https://github.com/mesonbuild/meson/issues/7345
Comment 1 Mike Gilbert gentoo-dev 2021-01-31 22:19:08 UTC 
This seems to be working as-designed with regard to polkit integration.