[opensuse-security] Software Updater never asks for password
The Plasma Software Update desktop tool on 13.1 never asks for a password when it updates everything. Isn't this a security violation?

--
James A. Rome
jamesrome@gmail.com
http://jamesrome.net

--
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-security+owner@opensuse.org

On Thu, Jul 31, 2014 at 08:42:36AM -0400, James Rome wrote:
> The Plasma Software Update desktop tool on 13.1 never asks for a password when it updates everything. Isn't this a security violation?

We configured it that installing the openSUSE supplied online updates is possible without a root password.

All other software operations (installing packages, removing packages, etc) should ask for the administrator password.

Ciao, Marcus

On 07/31/2014 08:50 AM, Marcus Meissner wrote:
> On Thu, Jul 31, 2014 at 08:42:36AM -0400, James Rome wrote:
>> The Plasma Software Update desktop tool on 13.1 never asks for a password when it updates everything. Isn't this a security violation?
>
> We configured it that installing the openSUSE supplied online updates is possible without a root password.
> All other software operations (installing packages, removing packages, etc) should ask for the administrator password.

... Depending on how your system is configured. Please pay attention to how sudo is set up and the files in /etc/pam.d, and/all of which may allow operations for select users without asking for the root password.

Personally I find that little icon/update on the bottom bar of KDE an annoyance and turn it off. YMMV

--
/"\
\ /  ASCII Ribbon Campaign
 X   Against HTML Mail
/ \

On Thu, Jul 31, 2014 at 08:57:29AM -0400, Anton Aylward wrote:
> On 07/31/2014 08:50 AM, Marcus Meissner wrote:
>> On Thu, Jul 31, 2014 at 08:42:36AM -0400, James Rome wrote:
>>> The Plasma Software Update desktop tool on 13.1 never asks for a password when it updates everything. Isn't this a security violation?
>>
>> We configured it that installing the openSUSE supplied online updates is possible without a root password.
>> All other software operations (installing packages, removing packages, etc) should ask for the administrator password.
>
> ... Depending on how your system is configured. Please pay attention to how sudo is set up and the files in /etc/pam.d, and/all of which may allow operations for select users without asking for the root password.

The KDE Plasma updater is not using sudo, but calls packagekit which asks policykit in turn.

Ciao, Marcus

On 07/31/2014 09:08 AM, Marcus Meissner wrote:
> On Thu, Jul 31, 2014 at 08:57:29AM -0400, Anton Aylward wrote:
>> On 07/31/2014 08:50 AM, Marcus Meissner wrote:
>>> On Thu, Jul 31, 2014 at 08:42:36AM -0400, James Rome wrote:
>>>> The Plasma Software Update desktop tool on 13.1 never asks for a password when it updates everything. Isn't this a security violation?
>>>
>>> We configured it that installing the openSUSE supplied online updates is possible without a root password.
>>> All other software operations (installing packages, removing packages, etc) should ask for the administrator password.
>>
>> ... Depending on how your system is configured. Please pay attention to how sudo is set up and the files in /etc/pam.d, and/all of which may allow operations for select users without asking for the root password.
>
> The KDE Plasma updater is not using sudo, but calls packagekit which asks policykit in turn.

1. I subscribe to this list, as you can obviously tell, since I post replies and originate threads. As such there is no need to cc me when you reply to my submissions. I can read the copy you post to the list. If you want to communicate with me off-list, that's OK, but please modify the subject line to indicate so.

2. I'm aware of how the updater works. I was addressing the issue of "All other software operations [...] should ask for the administrator password". As someone said "It ain't necessarily so."

--
/"\
\ /  ASCII Ribbon Campaign
 X   Against HTML Mail
/ \

participants (3)
- Anton Aylward
- James Rome
- Marcus Meissner