[Bug 820354] New: Apper Installs Software Without Root Authority
https://bugzilla.novell.com/show_bug.cgi?id=820354
https://bugzilla.novell.com/show_bug.cgi?id=820354#c0

Summary: Apper Installs Software Without Root Authority
Classification: openSUSE
Product: openSUSE 12.2
Version: Final
Platform: x86-64
OS/Version: openSUSE 12.2
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Update Problems
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: secure@aphofis.com
QAContact: jsrain@suse.com
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:20.0) Gecko/20100101 Firefox/20.0

Apper happily installs or updates software for all configured repos without asking for root authority. It would appear that Apper runs by self escalation by su.

Out of the many disasters of CUA convention on Security, words fail me as to why we are observing this one, where the process self escalates like a RunAs without user intervention and without user attention.

This bug is 100% reproducible BUT if you want logs please ask

Reproducible: Always

Steps to Reproduce:
1. happens every time
2.
3.

Expected Results:
At the very least, whilst the user can configure automatically Install, request escalation to root password for that session only. If we don't follow through with always asking for authority to escalate we become as bad as Windows and even then it pops up relentlessly even though the user credential is == root (admin)

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=820354#c
Ye Yuan
https://bugzilla.novell.com/show_bug.cgi?id=820354#c1
Hrvoje Senjan
https://bugzilla.novell.com/show_bug.cgi?id=820354#c2
Stephan Kulow
https://bugzilla.novell.com/show_bug.cgi?id=820354#c3
Scott Couston
I would like to see some steps to reproduce on a freshly booted system.
Thank you Stephan for your input. Firstly, whenever I do an install the User does not have root privileges. I do not follow a standard Install where the user is already root. The concept of auto installation or change to any installed software, without needing root authority is downright wrong! That should clarify a lot of issues. When I shut down and restart any PCs all X64 and application runs notifying me that software updates are downloaded and Installed without root authority.

Apper on the other hand does require Root escalation without fail, however it has dependence issues it cannot resolve a lot of the time. More on that later. Stephan, could you please let me know what log files you need to debug this.
https://bugzilla.novell.com/show_bug.cgi?id=820354#c4
Stephan Kulow
https://bugzilla.novell.com/show_bug.cgi?id=820354#c5
Scott Couston
I would like to see some steps to reproduce on a freshly booted system. Leave out all opinions
I would need to give you log data to support this, however it is my firm belief that the only requirements are for a fresh installation where the user login is created to not be root... Just untick the default. My logs here on 2 production PCs would have further value. Please ask me for any files you need but start with the above: default, non automated, KDE, user not equal to root; type Installation.

It appears that there are 3 different system update programs running. Online update in Yast, Apper, and an automatic program that I cannot even find. Each have varying degrees of problems failing to update due to dependency problems that cannot be resolved because I can go into Yast and run online update and even force check dependency; and get replied that there is nothing to resolve.

The other issue I have found is that a user account can make changes to system times. I run an NTP config for public time servers in Yast and that's all I need to have but on the desktop the attached screen-shot will show what is available without authority. As for outright time change via the screen shot; it does call for authority BUT time zone/calendar type/you name it; can be changed without authority.

I feel that already there are too many accounts used to run services at the moment. The system user 'smolt' has me disturbed whatever that account is designed to do. I guess we all would like to see more kernel resident and initiated services; but that's a pipe dream :-)
https://bugzilla.novell.com/show_bug.cgi?id=820354#c6
--- Comment #6 from Scott Couston
https://bugzilla.novell.com/show_bug.cgi?id=820354#c7
Marcus Meissner
https://bugzilla.novell.com/show_bug.cgi?id=820354#c8
Scott Couston
please try to do what coolo says ...
easy reproducible steps for us, and leave out meanings and opinions as we need to reproduce here.
I'm not sure what you need from me???????? You already have.......

I would need to give you log data to support this, however it is my firm belief that the only requirements are for a fresh installation where the user login is created to not be root... Just untick the default.

As for the query of comment #4 and #7 I am not sure what options you want me to leave out. This install was started by creating a user without root authority. As for the installation itself I never rely on an Automatic Install never never. Please clarify what you need from me as I remove every default Installation to be non-automated and the user is separated from having root authority. In this light as well as #2.. please be more specific
https://bugzilla.novell.com/show_bug.cgi?id=820354#c9
Stephan Kulow
https://bugzilla.novell.com/show_bug.cgi?id=820354#c10
Scott Couston
https://bugzilla.novell.com/show_bug.cgi?id=820354#c11
--- Comment #11 from Scott Couston
https://bugzilla.novell.com/show_bug.cgi?id=820354#c12
--- Comment #12 from Scott Couston
https://bugzilla.novell.com/show_bug.cgi?id=820354#c13
--- Comment #13 from Scott Couston
https://bugzilla.novell.com/show_bug.cgi?id=820354#c14
Scott Couston
https://bugzilla.novell.com/show_bug.cgi?id=820354#c15
--- Comment #15 from Scott Couston
https://bugzilla.novell.com/show_bug.cgi?id=820354#c17
--- Comment #17 from Scott Couston
https://bugzilla.novell.com/show_bug.cgi?id=820354#c18
Scott Couston
https://bugzilla.novell.com/show_bug.cgi?id=820354#c
Ye Yuan
https://bugzilla.novell.com/show_bug.cgi?id=820354#c19
--- Comment #19 from Scott Couston
https://bugzilla.novell.com/show_bug.cgi?id=820354#c20
--- Comment #20 from Scott Couston
https://bugzilla.novell.com/show_bug.cgi?id=820354#c21
Scott Couston
https://bugzilla.novell.com/show_bug.cgi?id=820354#c
Xiyuan Liu
https://bugzilla.novell.com/show_bug.cgi?id=820354#c22
--- Comment #22 from Scott Couston
http://bugzilla.novell.com/show_bug.cgi?id=820354#c23
Jiri Slaby