[Bug 216485] New: opensuse-updater shows error message in tooltip
https://bugzilla.novell.com/show_bug.cgi?id=216485

Summary: opensuse-updater shows error message in tooltip
Product: openSUSE 10.2
Version: Beta 1
Platform: Other
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Update Problems
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: suse-beta@cboltz.de
QAContact: jsrain@novell.com

(using Factory from last night)

I just updated from 10.1 to Factory and created a new user.

openSUSE-updater shows an error message in its tooltip:

Error: helper program returned:
setuid: Operation not permitted
Forgot to chmod this program?

I'm not sure which information would be helpful in this case, so: just ask ;-)

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
https://bugzilla.novell.com/show_bug.cgi?id=216485

------- Comment #1 from suse-beta@cboltz.de 2006-10-30 17:11 MST -------
Created an attachment (id=103118)
 --> (https://bugzilla.novell.com/attachment.cgi?id=103118&action=view)
screenshot
https://bugzilla.novell.com/show_bug.cgi?id=216485

chrubis@novell.com changed:

What       |Removed                                    |Added
----------------------------------------------------------------------------
AssignedTo |bnc-team-screening@forge.provo.novell.com  |dmacvicar@novell.com
https://bugzilla.novell.com/show_bug.cgi?id=216485

dmacvicar@novell.com changed:

What          |Removed |Added
----------------------------------------------------------------------------
Status        |NEW     |NEEDINFO
Info Provider |        |suse-beta@cboltz.de

------- Comment #2 from dmacvicar@novell.com 2006-10-31 10:40 MST -------
chmod +s /usr/sbin/zypp-checkpatches-wrapper

That should be done by the package by the way.

What version of libzypp and permissions.rpm do you have?
https://bugzilla.novell.com/show_bug.cgi?id=216485

suse-beta@cboltz.de changed:

What          |Removed             |Added
----------------------------------------------------------------------------
Status        |NEEDINFO            |ASSIGNED
Info Provider |suse-beta@cboltz.de |

------- Comment #3 from suse-beta@cboltz.de 2006-11-01 06:04 MST -------
# rpm -q libzypp permissions
libzypp-2.5.2-4
permissions-2006.10.16-5

(I chroot'ed to my 10.2 installation to get this information, therefore I don't know if the chmod command fixes the issue. However, I chmod'ed the file now and will see the result when I boot 10.2 beta again.)
https://bugzilla.novell.com/show_bug.cgi?id=216485

dmacvicar@novell.com changed:

What          |Removed  |Added
----------------------------------------------------------------------------
Status        |ASSIGNED |NEEDINFO
Info Provider |         |suse-beta@cboltz.de

------- Comment #4 from dmacvicar@novell.com 2006-11-02 10:19 MST -------
Ok, please close the bug if it works.
https://bugzilla.novell.com/show_bug.cgi?id=216485

suse-beta@cboltz.de changed:

What          |Removed             |Added
----------------------------------------------------------------------------
Status        |NEEDINFO            |ASSIGNED
Info Provider |suse-beta@cboltz.de |

------- Comment #5 from suse-beta@cboltz.de 2006-11-02 16:41 MST -------
(In reply to comment #4)
> Ok, please close the bug if it works.

Without having it tested: It probably won't work for a long time...

# grep zypp-check /etc/permissions*
/etc/permissions.easy:/usr/sbin/zypp-checkpatches-wrapper root:root 4755
/etc/permissions.paranoid:/usr/sbin/zypp-checkpatches-wrapper root:root 0755
/etc/permissions.secure:/usr/sbin/zypp-checkpatches-wrapper root:root 0755

(just checked: these values are still used in the current Factory package permissions-2006.10.16-6.i586.rpm.)

Needless to say that I use "secure" permissions.

What's the reason to drop the suid bit in this case?

BTW: I can't access bug 211286 which is mentioned in permissions.* above the quoted lines :-(
https://bugzilla.novell.com/show_bug.cgi?id=216485

cthiel@novell.com changed:

What     |Removed |Added
----------------------------------------------------------------------------
CC       |        |cthiel@novell.com, security-team@suse.de
Severity |Normal  |Critical

------- Comment #6 from cthiel@novell.com 2006-11-06 02:24 MST -------
What's the security team's point of view here?
https://bugzilla.novell.com/show_bug.cgi?id=216485

meissner@novell.com changed:

What       |Removed  |Added
----------------------------------------------------------------------------
Status     |ASSIGNED |RESOLVED
Resolution |         |WORKSFORME

------- Comment #7 from meissner@novell.com 2006-11-06 02:47 MST -------
in secure mode the setuid root bit should be off.

in "secure" mode we do not trust the user with system administrative duties, so an admin should use su or similar to do administrative stuff.

If you want to override this decision, adjust permissions.local or similar.
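Added example (not part of the bug thread or of the permissions package): a small audit that reads the three profile lines quoted in comment #5 and reports, per profile, whether the wrapper is meant to be setuid and whether an observed mode matches. The temporary directory, the function names and the observed mode 755 are assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustration; profile lines are copied from the grep output in comment #5.

# make_sample_profiles -> creates the three profile files in a temp dir, prints the dir
make_sample_profiles() {
    d=$(mktemp -d) || return 1
    w=/usr/sbin/zypp-checkpatches-wrapper
    printf '%s root:root 4755\n' "$w" > "$d/permissions.easy"
    printf '%s root:root 0755\n' "$w" > "$d/permissions.paranoid"
    printf '%s root:root 0755\n' "$w" > "$d/permissions.secure"
    echo "$d"
}

# profile_mode FILE TARGET -> prints the octal mode the profile assigns to TARGET
profile_mode() {
    awk -v p="$2" '$1 == p { print $3; exit }' "$1"
}

# is_setuid MODE -> succeeds when the setuid bit (04000) is set in octal MODE
is_setuid() {
    [ $(( 0$1 & 04000 )) -ne 0 ]
}

# audit_wrapper DIR TARGET ACTUAL -> one line per profile:
#   <profile> <expected mode> <setuid|no-setuid> <match|MISMATCH>
audit_wrapper() {
    dir=$1 target=$2 actual=$3
    for f in "$dir"/permissions.*; do
        want=$(profile_mode "$f" "$target")
        [ -n "$want" ] || continue          # profile has no entry for TARGET
        if is_setuid "$want"; then s=setuid; else s=no-setuid; fi
        # Compare as octal numbers so "0755" and "755" are treated as equal.
        if [ $(( 0$want )) -eq $(( 0$actual )) ]; then m=match; else m=MISMATCH; fi
        echo "${f##*/} $want $s $m"
    done
}

SAMPLE=$(make_sample_profiles)
# 755 is a constructed stand-in for `stat -c %a` on the wrapper (no setuid bit).
audit_wrapper "$SAMPLE" /usr/sbin/zypp-checkpatches-wrapper 755
rm -rf "$SAMPLE"
```

On a real system the first argument would be /etc and the third the output of `stat -c %a` for the wrapper; a mode that matches permissions.secure but not permissions.easy is consistent with the "setuid: Operation not permitted" message in the original report.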
https://bugzilla.novell.com/show_bug.cgi?id=216485

suse-beta@cboltz.de changed:

What       |Removed    |Added
----------------------------------------------------------------------------
CC         |           |aj@novell.com
Status     |RESOLVED   |REOPENED
Resolution |WORKSFORME |
Version    |Beta 1     |Beta 2

------- Comment #8 from suse-beta@cboltz.de 2006-11-14 10:50 MST -------
(In reply to comment #7)
> in secure mode the setuid root bit should be off.
> in "secure" mode we do not trust the user with system administrative duties, so an admin should use su or similar to do administrative stuff.

Hmm, what about zen-updater? It even grants _permanent_ permissions once you entered the root password ;-)

Seriously: Now that some test updates are available, I could test opensuse-updater a bit more.

The only thing a user can do without knowing the root password is "check for updates". I don't know why this is considered security relevant. (He could also call rpm -q to check for outdated/vulnerable packages.)

(Before actually installing any patch, the root password is requested.)

Anyway: If you don't set the suid bit for zypp-checkpatches-wrapper in permissions.secure, at least implement a better error message that is more helpful for the user (it should at least contain a hint _which_ program needs to be chmod'ed suid-root).
https://bugzilla.novell.com/show_bug.cgi?id=216485

------- Comment #9 from visnov@novell.com 2006-11-15 01:24 MST -------
Yes, a better message might be useful.

But for the rest - if you are running in secure mode, you should not update the system as a user, not even an applet running and checking periodically over a network if there are new updates. IMO there is no reason for the applet to even run in the secure mode.

The reason why we need suid is that ZYPP stores sensitive information in its database (e.g. FTP password) and checking the update status is using this information.
https://bugzilla.novell.com/show_bug.cgi?id=216485

visnov@novell.com changed:

What     |Removed  |Added
----------------------------------------------------------------------------
Severity |Critical |Normal
https://bugzilla.novell.com/show_bug.cgi?id=216485

dmacvicar@novell.com changed:

What       |Removed  |Added
----------------------------------------------------------------------------
Status     |REOPENED |RESOLVED
Resolution |         |LATER

------- Comment #10 from dmacvicar@novell.com 2006-11-20 10:16 MST -------
closing, better message in future versions.
https://bugzilla.novell.com/show_bug.cgi?id=216485

andreas.hanke@gmx-topmail.de changed:

What |Removed |Added
----------------------------------------------------------------------------
CC   |        |harbrink@bluewin.ch

------- Comment #11 from andreas.hanke@gmx-topmail.de 2006-12-14 05:21 MST -------
*** Bug 228518 has been marked as a duplicate of this bug. ***
https://bugzilla.novell.com/show_bug.cgi?id=216485

User coolo@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=216485#c12

Stephan Kulow <coolo@novell.com> changed:

What       |Removed  |Added
----------------------------------------------------------------------------
Status     |RESOLVED |REOPENED
Resolution |LATER    |

--- Comment #12 from Stephan Kulow <coolo@novell.com> 2008-06-25 03:19:16 MDT ---
mass reopening all 10.2 LATER+REMIND bugs.
https://bugzilla.novell.com/show_bug.cgi?id=216485

User coolo@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=216485#c13

Stephan Kulow <coolo@novell.com> changed:

What       |Removed  |Added
----------------------------------------------------------------------------
Status     |REOPENED |RESOLVED
Resolution |         |WONTFIX

--- Comment #13 from Stephan Kulow <coolo@novell.com> 2008-06-25 03:23:27 MDT ---
close all 10.2 LATER/REMIND bugs as WONTFIX. Reopen yourself if you still plan to work on it.