Mailinglist Archive: opensuse-security (19 mails)

Re: [opensuse-security] Software Updater never asks for password
On 07/31/2014 09:08 AM, Marcus Meissner wrote:
> On Thu, Jul 31, 2014 at 08:57:29AM -0400, Anton Aylward wrote:
>> On 07/31/2014 08:50 AM, Marcus Meissner wrote:
>>> On Thu, Jul 31, 2014 at 08:42:36AM -0400, James Rome wrote:
>>>> The Plasma Software Update desktop tool on 13.1 never asks for a
>>>> password when it updates everything. Isn't this a security violation?
>>>
>>> We configured it that installing the openSUSE supplied online updates
>>> is possible without a root password.
>>>
>>> All other software operations (installing packages, removing packages, etc)
>>> should ask for the administrator password.
>>
>> ... Depending on how your system is configured.
>> Please pay attention to how sudo is set up and the files in /etc/pam.d,
>> and/all of which may allow operations for select users without asking
>> for the root password.
>
> The KDE Plasma updater is not using sudo, but calls packagekit which asks
> policykit in turn.

1. I subscribe to this list, as you can obviously tell, since I post
replies and originate threads. As such there is no need to cc me
when you reply to my submissions. I can read the copy you post to
the list.

If you want to communicate with me off-list, that's OK, but please
modify the subject line to indicate so.

2. I'm aware of how the updater works.
I was addressing the issue of

"All other software operations [...] should ask for the
administrator password".

As someone said "It ain't necessarily so."

--
/"\
\ / ASCII Ribbon Campaign
X Against HTML Mail
/ \
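
The point debated in this thread (which package operations polkit grants to a logged-in user without a password) can be checked rather than assumed. The following is an added example, not part of the original mail or of any openSUSE tool: it parses privilege lines in the `<action> <any>:<inactive>:<active>` form used by openSUSE's polkit-default-privs files (an assumption, the thread names no file) and lists actions an active session gets without a prompt. The sample lines and the `org.example.hypothetical.action` id are constructed.

```python
"""Flag polkit actions an active desktop session may perform without a password.

Assumed line format (openSUSE polkit-default-privs style, not quoted in the thread):
    <action-id>  <any>:<inactive>:<active>
"""
NO_PROMPT = {"yes"}
VALID = NO_PROMPT | {"no", "auth_admin", "auth_admin_keep", "auth_self", "auth_self_keep"}

# Constructed sample; the real values are whatever the audited system ships.
SAMPLE = """\
# action                                      any:inactive:active
org.freedesktop.packagekit.system-update      auth_admin:auth_admin:yes
org.freedesktop.packagekit.package-install    auth_admin:auth_admin:auth_admin_keep
org.freedesktop.packagekit.package-remove     auth_admin:auth_admin:auth_admin
org.example.hypothetical.action               no:no:yes
"""

def parse_privs(text):
    """Return {action: (any, inactive, active)}; a later line overrides an earlier one."""
    privs = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected '<action> <settings>'")
        action, settings = fields
        parts = tuple(settings.split(":"))
        if len(parts) != 3 or any(p not in VALID for p in parts):
            raise ValueError(f"line {lineno}: bad settings {settings!r}")
        privs[action] = parts
    return privs

def passwordless(privs, prefix=""):
    """Actions under `prefix` that an active local session gets with no prompt."""
    return sorted(action for action, (_any, _inactive, active) in privs.items()
                  if action.startswith(prefix) and active in NO_PROMPT)

if __name__ == "__main__":
    for action in passwordless(parse_privs(SAMPLE), "org.freedesktop.packagekit."):
        print("no password for active session:", action)
```

Concatenate a distribution default file and a local override file, in that order, before parsing so that the override wins, matching the "later line overrides" behaviour of `parse_privs`.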