Bug 578385 - Default PolicyKit configuration is way too permissive
Status: RESOLVED FIXED
Product: gnome-panel
Classification: Other
Component: clock
Version: git master
Hardware: Other Linux
Importance: Normal major
Target Milestone: ---
Assigned To: Panel Maintainers
QA Contact: Panel Maintainers
Duplicates: 590630
Depends on:
Blocks:
Reported: 2009-04-08 14:10 UTC by Josselin Mouette
Modified: 2010-01-14 01:20 UTC
See Also:
GNOME target: ---
GNOME version: 2.25/2.26


Attachments
Suggested changes in the default policy (1.24 KB, patch)
2009-04-08 14:12 UTC, Josselin Mouette
committed

Description Josselin Mouette 2009-04-08 14:10:22 UTC
The default PolicyKit settings for the clock applet mechanism allow anyone to change the system clock, without authenticating as root.

This has serious security implications: for example, it allows tampering with timestamps in log files by changing the system time.
Comment 1 Josselin Mouette 2009-04-08 14:12:19 UTC
Created attachment 132340
Suggested changes in the default policy
Comment 2 James Westby 2009-04-13 20:10:43 UTC
Hi,

I think changing to auth_admin* makes sense, though
exactly which could be debated.

Thanks,

James
Comment 3 Vincent Untz 2009-08-11 18:38:23 UTC
Fixed, except for the timezone: it cannot harm the computer in any serious way, afaik.
Comment 4 Vincent Untz 2010-01-14 01:20:51 UTC
*** Bug 590630 has been marked as a duplicate of this bug. ***
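
An added example, not part of the bug report or the attached patch: a small audit that lists PolicyKit actions whose implicit defaults are weaker than the `auth_admin*` setting discussed in comment 2. The action ids and the sample policy are constructed placeholders, and treating `auth_self*` as too weak is an assumption of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy; the action ids are placeholders, not gnome-panel's.
SAMPLE_POLICY = """<policyconfig>
  <action id="org.example.clock.settime">
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.example.clock.settimezone">
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_self</allow_active>
    </defaults>
  </action>
  <action id="org.example.clock.sethwclock">
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep_always</allow_active>
    </defaults>
  </action>
</policyconfig>"""

SCOPES = ("allow_any", "allow_inactive", "allow_active")

def audit_policy(xml_text):
    """Return (action_id, scope, value) for every default weaker than auth_admin*."""
    findings = []
    for action in ET.fromstring(xml_text).iter("action"):
        defaults = action.find("defaults")
        if defaults is None:
            continue  # only explicitly declared defaults are reported
        for scope in SCOPES:
            value = (defaults.findtext(scope) or "").strip()
            # "no" denies outright; any auth_admin* variant needs an administrator.
            if value and value != "no" and not value.startswith("auth_admin"):
                findings.append((action.get("id"), scope, value))
    return findings

if __name__ == "__main__":
    for action_id, scope, value in audit_policy(SAMPLE_POLICY):
        print(f"{action_id}: {scope}={value} (no administrator authentication)")
```

The same function can be run over the text of each installed `.policy` file to review vendor defaults after a package update.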