Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 796815

Summary: app-admin/github-backup-utils[test]: leaks systemd service stop requests to system
Product: Gentoo Linux Reporter: Michał Górny <mgorny>
Component: Current packagesAssignee: William Hubbs <williamh>
Status: CONFIRMED ---    
Severity: major CC: qa, systemd
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Package list:
Runtime testing required: ---

Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-06-20 07:40:51 UTC
While running the test suite, I repeatedly get a GUI window asking me for root password in order to 'stop consul.service'.  Sounds like a major command leak. 
 Not that I'm running such a service.
Comment 1 Mike Gilbert gentoo-dev 2021-06-20 15:40:22 UTC
Several tests call "ghe-restore", which calls "ssh ... sudo systemctl stop consul".

As well, the tests use a wrapper script for ssh that removes any "sudo" calls and runs the commands locally.

The end result is that "systemctl stop consul" gets executed directly as the portage user, which triggers a polkit prompt if portage is not running as root.
Comment 2 Mike Gilbert gentoo-dev 2021-06-20 15:46:05 UTC
ghe-restore attempts to perform many privileged operations, and it doesn't look like it was really designed for use in an isolated test environment.

I would recommend masking the test USE flag until/unless the tests can be made more safe for general use.