
Thread: Plasma Software Updater security

  1. #11

    Default Re: Plasma Software Updater security

    Quote Originally Posted by knightsu View Post
    How to disable (without uninstalling it) the software updates widget completely in openSUSE Leap KDE Plasma? I have unchecked it from system tray settings (under Extra items), but I think it still shows up the notifications.
    If you disabled it in the system tray settings, it should not show any notifications, as it should not even be loaded.

    Check whether you have apper installed as well, its background service might be running and show those notifications.

    If I try to remove plasma5-pk-updates I get
    Code:
    The following 4 packages are going to be REMOVED:
      patterns-openSUSE-kde patterns-openSUSE-kde_imaging patterns-openSUSE-kde_plasma
      plasma5-pk-updates
    
    The following 3 patterns are going to be REMOVED:
      kde kde_imaging kde_plasma
    
    4 packages to remove.
    After the operation, 181.7 KiB will be freed.
    Continue? [y/n/? shows all options] (y):
    Is it safe to remove these along with it?
    This will only remove the patterns that require plasma5-pk-updates (directly or indirectly).
    Removing a pattern will not uninstall any software/package. A pattern is just a list of packages that have to be/should be installed.


    Will removing PackageKit affect KDE alone, or also the other DEs installed alongside, like Cinnamon, Xfce etc.?
    Removing PackageKit will remove or break all PackageKit frontends.
    I think most desktops' updaters are just frontends for PackageKit, so it will probably affect all DEs, yes.

    YaST (and YaST Online Update) will of course continue to work, just as zypper will.

  2. #12

    Default Re: Plasma Software Updater security

    Quote Originally Posted by hcvv View Post
    IMHO it is a security issue, not end-users, but the system administrator should decide which patches/updates should be installed.
    This might be true for a multi-user system with a dedicated admin, yes.

    But remember that many people use Linux on their own private machines as the only user, as a "Windows-replacement" so to say.
    A dedicated admin should be able to modify the system to their needs, while an inexperienced newbie user will not. An inexperienced user might not even be aware that he can install updates with YaST or zypper.

    And not installing security updates is a security issue as well.
    That's why we have those automatic update notifiers.
    And that's why it has been decided by the security team (years ago) to allow installing updates by the user, without having to enter a password by default (depending on the security settings in /etc/sysconfig/security).

    Should the system administrator log in to every new user's environment and do this as part of the creation of a new user?
    Well, as you write, you can uninstall it.

    You could also disallow users to install updates (or require the root password) in the polkit configuration, but then the applet will of course still show updates.
    You could also even disallow the refresh of software repositories for users in the polkit configuration, so it should never show any updates, but the user will be confronted with error messages then I suppose.

    So all in all, if you don't want your users to see/install updates at all, it's probably easier/better to uninstall PackageKit.
    Last edited by wolfi323; 19-Jan-2016 at 05:53.

  3. #13
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    30,944

    Default Re: Plasma Software Updater security

    Thanks for the complete confirmation.

    The main problem is that it is very difficult to find any documentation on how to convert your system from a Windows clone into a normal system administrator managed multi-user system.

    And this is growing, bringing unpleasant and undocumented surprises.
    An example experienced on my first Leap 41.1 installation trial: to configure your NICs to your liking, you have to remove the ethernet cable before you start installing (I don't know if you have to remove your wifi card also). Ridiculous in my eyes, but the big "Read this first before installation" is still missing IMHO.

    Sorry for the off-topic.
    Henk van Velden

  4. #14

    Default Re: Plasma Software Updater security

    Quote Originally Posted by hcvv View Post
    An example experienced on my first Leap 41.1 installation trial: to configure your NICs to your liking, you have to remove the ethernet cable before you start installing (I don't know if you have to remove your wifi card also). Ridiculous in my eyes,
    I'd call that a bug.
    This is during installation, or in the installed system?

    One thing though: if the installer detects a wireless card, NetworkManager is enabled automatically, so the interface settings in YaST might not apply. That's a deliberate choice as it makes configuring a WiFi connection easier for inexperienced users, and it has also been done for years.

    OTOH, shouldn't the network interfaces be configured automatically anyway?
    Haven't installed Leap on real hardware yet, only in vmware (without problems, although IIRC I had a problem with a misconfigured/not-working network interface after the installation when I tried the Beta).

    but the big "Read this first before installation" is still missing IMHO.
    Well, there are the release notes which should be displayed during (before?) the installation.
    Although not *everything* is mentioned there either of course, to put it this way...
    Last edited by wolfi323; 19-Jan-2016 at 06:43.

  5. #15
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    30,944

    Default Re: Plasma Software Updater security

    This is during installation.

    What in fact is missing (since earlier installations) is the all important choice: "Automatic installation or not". That was almost at the beginning of the installation.

    After the newbie has chosen Automatic (that was always the default checked one and that is fine with me), I have of course no objection against things going "automatic".

    But now the system (test system having only cable) got the wrong IP address, the wrong DNS server, the wrong NTP server. After asking here on the forums, I was advised to remove the network cable before starting the installation. It then indeed asked me to configure the network. I first inserted the cable and then completed the configuration. When I did a new installation (for testing purposes), I of course forgot to remove the cable until it was too late. Start a new . In fact I gave up. I am still looking at that test system with disgust, but the poor hardware is of course not to blame.

    I really can not see the replacement of the "Automatic or not" checkbox for the cable removing as an improvement.
    Henk van Velden

  6. #16

    Default Re: Plasma Software Updater security

    Quote Originally Posted by wolfi323 View Post
    If you disabled it in the system tray settings, it should not show any notifications, as it should not even be loaded.

    Check whether you have apper installed as well, its background service might be running and show those notifications.
    Yes, I installed apper in Leap to check it out, as it didn't come along by default. Even after disabling the Software updates widget in the system tray settings, trying zypper up gives me
    Code:
    sudo zypper up
    PackageKit is blocking zypper. This happens if you have an updater applet or other software management application using PackageKit running.
    Tell PackageKit to quit? [yes/no] (no):
    So this PackageKit thing runs in the background even after disabling the Software updates widget? How to disable PackageKit?

  7. #17

    Default Re: Plasma Software Updater security

    Quote Originally Posted by hcvv View Post
    I really can not see the replacement of the "Automatic or not" checkbox for the cable removing as an improvement.
    AFAIK the installer has been "streamlined" in 13.2 already.
    I'm not sure at the moment how it exactly works now in this regard, I don't often do fresh installations, except for testing in a VM where I don't normally dive into the installation settings but rather take the defaults.
    It should be possible to change this in the installation summary though, is that not so anymore?

    Quote Originally Posted by knightsu View Post
    Yes, I installed apper in Leap to check it out, as it didn't come along by default. Even after disabling the Software updates widget in the system tray settings, trying zypper up gives me
    Code:
    sudo zypper up
    PackageKit is blocking zypper. This happens if you have an updater applet or other software management application using PackageKit running.
    Tell PackageKit to quit? [yes/no] (no):
    As I said, you might have apper's background service running, that still checks for updates.
    You can disable it via "kcmshell4 kded", or in KDE4's systemsettings, but that's not installed by default.

    Or uninstall apper too, it's the old KDE4 updater.

    So this PackageKit thing runs in the background even after disabling the Software updates widget? How to disable PackageKit?
    PackageKit only runs if something (e.g. plasma5-pk-updates or apper) is starting it. And it should shut itself down after 15 seconds of idleness.

    You cannot really "disable" it (and there's no need to). But you can of course uninstall it, if you don't want to use it anyway.
    Last edited by wolfi323; 19-Jan-2016 at 07:39.

  8. #18
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    30,944

    Default Re: Plasma Software Updater security

    Quote Originally Posted by wolfi323 View Post
    AFAIK the installer has been "streamlined" in 13.2 already.
    I'm not sure at the moment how it exactly works now in this regard, I don't often do fresh installations, except for testing in a VM where I don't normally dive into the installation settings but rather take the defaults.
    It should be possible to change this in the installation summary though, is that not so anymore?
    I do not think it is repairable in the summary. Please look for yourself. I am not really willing to start the install again. I did already several times. To check if I was senile and missed the Non/Automatic choice. It was not, and its absence was confirmed here on the forums, coming with the advice to remove the cable. So install #3. Then two installs broke down and also I sometimes forgot to remove the cable in time. Thus I gave up as I said above.

    Also I do not want to hijack this thread. So, when you want to continue on this subject, please go to https://forums.opensuse.org/showthre...g-installation
    Henk van Velden

  9. #19
    Join Date
    Jul 2010
    Location
    Uut t'oosten van't laand
    Posts
    160

    Default Re: Plasma Software Updater security

    Quote Originally Posted by wolfi323 View Post
    This might be true for a multi-user system with a dedicated admin, yes.

    But remember that many people use Linux on their own private machines as the only user, as a "Windows-replacement" so to say.
    A dedicated admin should be able to modify the system to their needs, while an inexperienced newbie user will not. An inexperienced user might not even be aware that he can install updates with YaST or zypper.

    And not installing security updates is a security issue as well.
    That's why we have those automatic update notifiers.
    And that's why it has been decided by the security team (years ago) to allow installing updates by the user, without having to enter a password by default (depending on the security settings in /etc/sysconfig/security).
    You write many users use Linux on their machines as only user, as a Windows replacement. Yes, and? Should we also have the same insecure system as Windows users have, where everyone being able to click a mouse-button becomes admin? I find it ridiculous.
    I also am the only user on my computer and still I want to have a secure system where not I, the user, but I, the sysadmin, perform installations after identifying myself to the system using the root password. Only then am I allowed to write on the system disk. It's like that with many (all??) other distros I have used.
    Yesterday I installed openSUSE Leap 42.1 in a VM and today I had updates which after clicking the install button were just installed. It looked to me the complete KDE system was updated, so not a small update. No password needed. Ridiculous. Sorry if I sound hard and cruel, but one of the reasons for me to choose Linux above Windows is the extra security you have. With this update system this is going down the drain.
    Several years ago I read something about Microsoft and (Open)Suse working together. Is this one of the results of that? Wouldn't surprise me.

    I looked in /etc/sysconfig/security. What do I need to change there to have a secure system where I do need to type the password before something happens with the system disk?

  10. #20

    Default Re: Plasma Software Updater security

    Quote Originally Posted by JanMussche View Post
    You write many users use Linux on their machines as only user, as a Windows replacement. Yes, and? Should we also have the same insecure system as Windows users have, where everyone being able to click a mouse-button becomes admin? I find it ridiculous.
    I find that deduction ridiculous.

    Just because a user is allowed to install updates (without root password) doesn't mean that "everyone being able to click a mouse-button becomes admin", and it doesn't make the system insecure.
    Not installing security updates can make the system insecure though, so it's probably a good idea to make that as easy as possible.

    Note that with the default settings it is only allowed to install updates without root password, not new packages.

    Several years ago I read something about Microsoft and (Open)Suse working together. Is this one of the results of that? Wouldn't surprise me.
    That's ridiculous too.

    I looked in /etc/sysconfig/security. What do I need to change there to have a secure system where I do need to type the password before something happens with the system disk?
    Set PERMISSION_SECURITY to "secure local" or even "paranoid local" (run "polkit_set_default_privs" as root afterwards to apply the change). You can do that in YaST->System->Security Center and System Hardening too.
    But that has other implications as well, e.g. you won't be able to mount removable media without the root password any more.

    If you only want to affect the updater, specify a custom polkit rule in /etc/polkit-default-privs.local (and again, run "polkit_set_default_privs" afterwards):
    Code:
    org.freedesktop.packagekit.system-update                        auth_admin_keep_always
    "auth_admin_keep_always" means that the root password has to be entered, but it will be remembered during the running user session.
    If you want to have to enter the password every time, use "auth_admin" instead. See also "man polkit".

    And as has been mentioned in this thread already, you can also uninstall PackageKit if you prefer. YaST and zypper do require root permissions for *every* system modification.
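
A read-only check of the two settings named in the reply above, as an added example that is not part of the thread or of openSUSE's tooling. The function names, the "last matching line wins" rule and the sample files built in `demo` are assumptions of this sketch; on a real system the arguments would be /etc/sysconfig/security and /etc/polkit-default-privs.local.

```shell
#!/bin/sh
# Added example: read-only audit of the updater's polkit setting.
ACTION="org.freedesktop.packagekit.system-update"

# Print the setting for $ACTION from a polkit-default-privs.local style file.
# Assumption of this sketch: if the action is listed twice, the last line wins.
updater_setting() {
    awk -v a="$ACTION" '/^[ \t]*#/ { next } $1 == a { v = $2 } END { print v }' "$1"
}

# Print the value of PERMISSION_SECURITY from a sysconfig style file.
permission_security() {
    awk -F= '$1 == "PERMISSION_SECURITY" { v = $2; gsub(/"/, "", v) } END { print v }' "$1"
}

# Print "yes", "no" or "unset": does the local rule demand the root password?
# A value is one word or any:inactive:active; the last field is the one that
# applies to an active local session.
updater_needs_password() {
    s=$(updater_setting "$1")
    case "${s##*:}" in
        "")          echo unset ;;
        auth_admin*) echo yes ;;
        *)           echo no ;;
    esac
}

# One-line summary for both files.
audit() {
    echo "profile=$(permission_security "$1") updater_rule=$(updater_needs_password "$2")"
}

# Demo on constructed sample files (not taken from a real system).
demo() {
    d=$(mktemp -d)
    printf 'PERMISSION_SECURITY="secure local"\n' > "$d/security"
    printf '# constructed\n%s  auth_admin_keep_always\n' "$ACTION" > "$d/privs.local"
    audit "$d/security" "$d/privs.local"
    rm -rf "$d"
}
demo
```

An `updater_rule=unset` result means no local override exists, so whatever the PERMISSION_SECURITY profile sets for the action applies.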
