Page 1 of 2 12 LastLast
Results 1 to 10 of 16

Thread: Update Applet - su/root password always needed (GNOME)

  1. #1
    Join Date
    Sep 2008
    Location
    Sulzbach (Taunus), Hessen [Hesse], Deutschland [Germany]
    Posts
    2,521

    Question Update Applet - su/root password always needed (GNOME)

    Hi members of the openSuSE forums,

    I have a minor problem with my "Update Applet 2.28.0" in Gnome. It occurs when I want to make the applet do one or more suggested update(s). It always asks me for the password of superuser/root:
    "Authenticate : Authentication is required to update packages. [...]".

    I think under my installation before (11.1 maybe updated from an older version) I could tell the automatic/semi automatic updater to remember the su password (in YaST or in the authentication dialog?).

    In the help manual on my computer (and in the internet) there is the possibility to make the updater remember the password via policy kit:
    ("Access to all privileged operations is controlled via PolicyKit." See: GNOME Documentation Library : gnome-packagekit Manual : Introduction)
    I could not find any policy kid or any other possibility to give to the automatic updater (or its user) that privilege permanently (=to remember authorization).

    I think on a system with more (real) users this could be a real problem (not just an inconvenience).

    Greetings
    pistazienfresser

  2. #2
    Join Date
    Nov 2009
    Location
    West by God Virginia
    Posts
    7,288

    Default Re: Update Applet - su/root password always needed (GNOME)

    Users should never have the power to update or install software on a system. Only the root user should have that power. This is why Windows goes sideways so often, people installing arbitrary code.

    In Yast You can set updates to be automagic.

  3. #3
    Join Date
    Sep 2008
    Location
    Sulzbach (Taunus), Hessen [Hesse], Deutschland [Germany]
    Posts
    2,521

    Unhappy Re: Update Applet - su/root password always needed (GNOME)

    Quote Originally Posted by gogalthorp View Post
    Users should never have the power to update or install software on a system. Only the root user should have that power. This is why Windows goes sideways so often, people installing arbitrary code.
    I do not want to give an user the power to install "arbitrary code" only to say yes (or no, not now) to the automatic installation of the automatic updater and maybe also to give a trusted user also the power to choose which of the automatic suggested packages are installed now.
    Quote Originally Posted by gogalthorp View Post
    In Yast You can set updates to be automagic.
    Thanks, I had found that possibility in (graphical) YaST>"Online Update Configuration". But it seems to me only the possibility for full automatic installation and not for any check of the user.

    So in openSUSE's GNOME the root can only choose between a full untrusted user or a full trusted user?
    If I need something different I have to make a user a sudoer/a member of sudoers?
    This seems at least very uncomfortably for me.

    Greetings
    pistazienfresser

  4. #4
    Join Date
    Oct 2008
    Location
    North Wales, UK
    Posts
    1,136

    Default Re: Update Applet - su/root password always needed (GNOME)

    All linux/*nix systems are multiuser - they were built like that form the start.
    root is the only user that has superpowers to change everything, regardless of the consequences.
    Some distros, like ubuntu, are trying to convert people from windows so only require the sudo password. For most others, root or su is a separate entity.
    This requires that you are the administrator of the system before you can make any changes/updates and stops the normal user from damaging the system.
    Having said that, I am sure you could run a script using zypper and cron to automatically update the system. Just make sure you have the security set correctly.
    If you are wanting to vet and then push the selected updates to the workstation machines, you are probably better off running the updates from your own local update server.

  5. #5
    Join Date
    Sep 2008
    Location
    Sulzbach (Taunus), Hessen [Hesse], Deutschland [Germany]
    Posts
    2,521

    Arrow Re: Update Applet - su/root password always needed (GNOME and KDE)

    Quote Originally Posted by whych View Post
    All linux/*nix systems are multiuser - they were built like that form the start.
    root is the only user that has superpowers to change everything, regardless of the consequences.
    Some distros, like ubuntu, are trying to convert people from windows so only require the sudo password. For most others, root or su is a separate entity.
    The Policy Kit/PolicyKit seems to be included in openSUSE since version openSUSE 10.3: PolicyKit - Wikipedia, the free encyclopedia

    In my KDE 4.3.5 it seems to me a user who knows the su-password would be able to gain permanent access to the hole graphical YaST (witch includes ALL software changes): The Implicit Privileges include "Keep Indefinitely Authentication" for the hole graphical YaST.
    And possibility to give a user access to the automatic update applet (with fewer risks) is also not set there by default.

    Especially on a laptop it would be fine for an user to decide if a update should made now or not (urgency to do something else, time left to run the computer, energy status, modus and stability of internet connection etc.)

    So would it not be a more adequate and simpler (and maybe for me manageable) workaround to modify the entries in PolicyKit?

    Can anybody give me (more) advice(s) if and how I should do this?

    Should I add only "gnome-packagekit" (and maybe the packagekit in KDE) in More Applications > Tools > Authorizations: org>opendesktop>policykid>Modify defaults for implicit authorizations>Implicit Autorsations OR Explicit Autorisations?

    Greetings pistazienfresser

    Documentation > Security Guide > Local Security > PolicyKit > Modifying and Setting Privileges (9.3)
    = in: Novell Documentation

    PolicyKit Library Reference Manual

  6. #6
    Join Date
    Jun 2008
    Location
    Earth - Denmark
    Posts
    11,210

    Default Re: Update Applet - su/root password always needed (GNOME)

    pistazienfresser wrote:
    > Can anybody give me (more) advice(s) if and how I should do this?


    to me, it sounds like you allow others to use your machine....that is
    ok if you want to allow it, but do they have it for (say) several days
    or weeks at a time? if not, i wouldn't consider it anywhere near
    necessary to give them the chance to say yes or no to an update..

    i mean, it is not like you have a frail Redmond system where at any
    second a new crippling virus or malware is loosed..

    so, i vote no...i say keep ONLY you as machine owner and administrator
    with the root password and access to all system controls and upgrade
    capability..

    otoh: it is your machine, you can allow the cake maker on the corner
    to have full access, if you wish.

    [and, i hope you know that if whoever you loan it to wants to they CAN
    perform all root operations they wish, very soon after you are out of
    sight--that is to say, if you do not control the physical access to
    the machine, there is NO security whatsoever.]

    --
    DenverD (Linux Counter 282315)
    CAVEAT: http://is.gd/bpoMD
    posted via NNTP w/TBird 2.0.0.23 | KDE 3.5.7 | openSUSE 10.3
    2.6.22.19-0.4-default SMP i686
    AMD Athlon 1 GB RAM | GeForce FX 5500 | ASRock K8Upgrade-760GX |
    CMedia 9761 AC'97 Audio

  7. #7
    Join Date
    Jun 2008
    Location
    Groningen, Netherlands
    Posts
    14,096
    Blog Entries
    12

    Default Re: Update Applet - su/root password always needed (GNOME)

    @pistazienfresser: stop what you're trying. Imagine the user updating the kernel by 'applet'. After update the 'Reboot' message comes, NVIDIA driver missing, oops. Or should the installer/updater also be aware of the security level of the user, and leave some packages out of updating? I'm glad that I'm the one on my machines that does the installing and updating (being the only one that has the rootpassword).
    - Athlon X6 3.6 GHz, 16 GB DDR3, 64 GB SSD, 3 TB of disks, GT540, openSUSE Factory + KDE
    - ASUS A73SD, Intel + GT610M Optimus, 6 GB, 2 x 120 GB SSD, openSUSE Factory + KDE

    Anything that can go wrong.... will teach us

    http://en.opensuse.org/User:Knurpht
    http://nl.opensuse.org/Gebruiker:Knurpht

  8. #8
    Join Date
    Sep 2008
    Location
    Sulzbach (Taunus), Hessen [Hesse], Deutschland [Germany]
    Posts
    2,521

    Default Re: Update Applet - su/root password always needed (GNOME and KDE)

    Hi Forum-Members,
    back to my question:
    Has anyone experiences with "Modifying and Setting Privileges"?
    Greetings pistazienfresser

    Hi Knurpht and DenverD,
    thanks for your concern.
    @Knurpht
    a) Your example speaks more for my wanted policies and against the actual default (especially in the actual KDE where the root can give an user access to the complete graphic YaST just by ONE click more).
    b) For your hypothetical case: The root can tell the Update Applet/automatic updater via "Software Updates Preferences" in which time intervals (week etc.) to look after major updates (witch would be kernel updates or not?). Why should the automatic updater suggest an update to a complete other kernel? (And if so: a full automatic update would leave just less chance to prevent that!)

    @DenverD
    a) I use my machine now alone. But the automatic updater is for me a convenient alternative to an often update with the graphical YaST>software manager OR Software update
    b) If I would set up a computer with linux for my sister or an other user that does not want to bother which updates are useful but wants to decide when to update.
    c) Your warning for the access to my machine make sense, thanks (I was aware of that): I think the use an encrypted partition for my data will be the chose (but that is complete an other theme and should have an other title.)

    Greetings pistazienfresser

  9. #9
    Join Date
    Jun 2008
    Location
    Groningen, Netherlands
    Posts
    14,096
    Blog Entries
    12

    Default Re: Update Applet - su/root password always needed (GNOME and KDE)

    Why should they update in the first place? Install, update, install codecs, drivers etc., configure firewall, done. Nothing unsecure or whatever.

    Systemadminstration has to be done by a systemadminsitrator. Not sometimes by the user, sometimes by the sysadmin. The separation system vs. users is one of the main items in linux security, let's please not break that.
    - Athlon X6 3.6 GHz, 16 GB DDR3, 64 GB SSD, 3 TB of disks, GT540, openSUSE Factory + KDE
    - ASUS A73SD, Intel + GT610M Optimus, 6 GB, 2 x 120 GB SSD, openSUSE Factory + KDE

    Anything that can go wrong.... will teach us

    http://en.opensuse.org/User:Knurpht
    http://nl.opensuse.org/Gebruiker:Knurpht

  10. #10
    Join Date
    Sep 2008
    Location
    Sulzbach (Taunus), Hessen [Hesse], Deutschland [Germany]
    Posts
    2,521

    Default BUG: Update Applet - su/root password always needed (GNOME and KDE)

    Quote Originally Posted by Knurpht View Post
    Why should they update in the first place? Install, update, install codecs, drivers etc., configure firewall, done. Nothing unsecure or whatever.
    If you want to discuss the question if linux systems need updates at all please open a new thread.

    Quote Originally Posted by Knurpht View Post
    Systemadminstration has to be done by a systemadminsitrator. Not sometimes by the user, sometimes by the sysadmin. The separation system vs. users is one of the main items in linux security, let's please not break that.
    In the current policies:
    - by a few clicks from the root:
    in the future updates can be made by the system full automatically (and so without any system administrator only by the user been logged in an connected to the internet)
    - in KDE 4.3.5 by only one click from a user/admin who knows the root password the user can get access to nearly the hole system administration (via the graphical YaST /bin/yast2)

    So thanks for the argument that this default policy makes no sense but please start a new thread (General Chit-Chat - openSUSE Forums ?) to discuss that.

    Greetings
    pistazienfresser

Page 1 of 2 12 LastLast

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •