[Bug 601782] New: Update Applet - su/root password always needed (illogical default entry in policy kid?)
http://bugzilla.novell.com/show_bug.cgi?id=601782 http://bugzilla.novell.com/show_bug.cgi?id=601782#c0 Summary: Update Applet - su/root password always needed (illogical default entry in policy kid?) Classification: openSUSE Product: openSUSE 11.2 Version: Final Platform: i686 OS/Version: openSUSE 11.2 Status: NEW Severity: Normal Priority: P5 - None Component: Security AssignedTo: security-team@suse.de ReportedBy: Martin.Seidler@web.de QAContact: qa@suse.de Found By: --- Blocker: --- User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.9) Gecko/20100317 SUSE/3.5.9-0.1.1 Firefox/3.5.9 I. 1. I have a problem with my "Update Applet 2.28.0" in GNOME (The same in KDE 4.3.5). It occurs when I want to make the applet do one or more suggested update(s). It always asks me for the password of superuser/root: "Authenticate : Authentication is required to update packages. [...]". I think under my installation before (11.1 maybe updated from an older version) I could tell the automatic/semi automatic updater to remember the su password (in YaST or in the authentication dialog?). 2. It is also a documentation bug: In the help manual on my computer (and in the internet) there is the possibility to make the updater remember the password via policy kit: ("Access to all privileged operations is controlled via PolicyKit." See: GNOME Documentation Library : gnome-packagekit Manual : Introduction) II. That policy make no sense: 1. The necessarily to use the root password should be reserved to actions you should think about twice and not to normal (security) updates. 2. The default policies are just contradictorily to the possible risk: 2. 1.They allow (by default) the root/someone with a root password 2.1.1 to tell the system to update complete automatically (without any human thinking or intentional acting) 2.1.2 to give (in KDE) a normal user access to the hole graphical operating system setup and configuration tool (/sbin/yast2). 2.2. But they allow not the automatic updater to remember the root password. (With a change in the policies the root may be able to change that?) 2.2. In contrast to that in my knowledge: 2.2.. The GNOME "Update Applet 2.28.0" (and the KDE equivalent) can only install the suggested updates (or not, if access to the cosing is given to that) so the risk is lower. 2.3. But by default you cannot tell the updater to save the root password. Reproducible: Always Steps to Reproduce: 1. Wait for an suggested automatic update. 2. Click on the red star with "!" 3. Click on "install updates" Actual Results: The Update Applet asks for the root password every time. Expected Results: To the user the choice/alternative the choice should be given to save the root password for the Update Applet (so it is not needed in the next case). http://www.novell.com/documentation/opensuse111/opensuse111_security/data/se... http://www.novell.com/documentation/opensuse111/opensuse111_security/?page=/... http://hal.freedesktop.org/docs/PolicyKit/ -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
http://bugzilla.novell.com/show_bug.cgi?id=601782
http://bugzilla.novell.com/show_bug.cgi?id=601782#c1
Ludwig Nussel
http://bugzilla.novell.com/show_bug.cgi?id=601782
http://bugzilla.novell.com/show_bug.cgi?id=601782#c2
--- Comment #2 from Martin Seidler
polkit1 unfortunately dropped the option to remember the authorization. You need to complain to upstream to change that.
You can change the setting to not ask for the root password on your local machine in /etc/polkit-default-privs.local Thanks Ludwig for your answer.
But unfortunately I have not understood all: 1. Where to complain? Upstream? http://en.opensuse.org/Build_Service/Upstream_Integration http://en.opensuse.org/Updater_Applet http://en.opensuse.org/GNOME_Updater_Applet 2. ??? Add in /etc/polkit-default-privs.local: "org.freedesktop.updater_applet auth_admin_keep_always:yes:yes" OR "org.gnome.packagekit auth_admin_keep_always:yes:yes" ??? And what is with KDE? 3. What is about the documentation via the connected help files which fit not to the openSuSE version? Greetings Martin -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
http://bugzilla.novell.com/show_bug.cgi?id=601782
http://bugzilla.novell.com/show_bug.cgi?id=601782#c3
Eric Schirra
http://bugzilla.novell.com/show_bug.cgi?id=601782
http://bugzilla.novell.com/show_bug.cgi?id=601782#c4
--- Comment #4 from Martin Seidler
https://bugzilla.novell.com/show_bug.cgi?id=601782
https://bugzilla.novell.com/show_bug.cgi?id=601782#c
Eric Schirra
https://bugzilla.novell.com/show_bug.cgi?id=601782
https://bugzilla.novell.com/show_bug.cgi?id=601782#c5
Christian Trippe
participants (1)
-
bugzilla_noreply@novell.com