
Thread: Plasma Software Updater security

  1. #1
    Join Date
    Jul 2008
    Location
    Sweden
    Posts
    174

    Plasma Software Updater security

    Hello. I tested to run Software Updater in KDE Plasma. It installed updates without asking for any root password.
    Is it as it should be or is it a security issue?

    /Johan
    ASUS G46VW running openSUSE LEAP 42.1, Windows 8
    Samsung NP300V3A running openSUSE LEAP 42.1 Windows 7
    Some EEEPC running openSUSE LEAP 42.1, "Server" running sshfs, (mini)DLNA, NFS
    Raspberry Pi, Weezy, openSUSE 13.1 (two different SD-cards)

  2. #2
    Join Date
    Sep 2008
    Posts
    2,997

    Re: Plasma Software Updater security

    Quote:
    Hello. I tested to run Software Updater in KDE Plasma. It installed updates without asking for any root password.
    Is it as it should be
    Yes, the software updater does not ask for a password; AFAIK it was the same with Apper in 13.1 and 13.2.
    Quote:
    is it a security issue?
    Could be, it depends on your repositories and your level of paranoia.
    Still, the software updater will not update unsigned packages, so ... you're pretty safe.

  3. #3
    Join Date
    Jul 2008
    Location
    Sweden
    Posts
    174

    Re: Plasma Software Updater security

    [v] Paranoia, oh yes.
    Well, then there is not a big issue, just me with a little paranoia and missing some understanding of programming to read all the code to feel totally safe. On 13.2 Apper was the first to be disabled (not installed)...

    Big thanks !
    ASUS G46VW running openSUSE LEAP 42.1, Windows 8
    Samsung NP300V3A running openSUSE LEAP 42.1 Windows 7
    Some EEEPC running openSUSE LEAP 42.1, "Server" running sshfs, (mini)DLNA, NFS
    Raspberry Pi, Weezy, openSUSE 13.1 (two different SD-cards)

  4. #4
    Join Date
    Sep 2008
    Posts
    2,997

    Re: Plasma Software Updater security

    Well, to be a security risk someone needs to get hold of the signing key used by openSUSE or Packman, get access to their servers, create an updated RPM of a package that you already have installed and publish it. Is it possible? Sure, why not; in reality I don't think so.
    You can also disable or uninstall the update applet and do your updates with zypper or YaST.

  5. #5

    Re: Plasma Software Updater security

    Making it manual will only make a difference if you manually check the source code of each package update that is released. IMHO unnecessary paranoia. If you just want to know what was upgraded, just check the logs :-)

  6. #6

    Re: Plasma Software Updater security

    Quote Originally Posted by quinness View Post
    On 13.2 Apper was the first to be disabled (not installed)...
    You can just as well disable or uninstall the new updater applet, plasma5-pk-updates, or even PackageKit itself (both apper and plasma5-pk-updates are just frontends for that).

    Or change the polkit rules to require a root password for installing updates...
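    The polkit change suggested above, written out as an added example (this is not code from the thread or from the PackageKit/openSUSE projects): a rule file, assumed to live at /etc/polkit-1/rules.d/50-updates-need-admin.rules, that makes the PackageKit update/install/remove actions prompt for the administrator password system-wide, which is the sysadmin-level setting rather than a per-user applet toggle.

    ```javascript
    // Added example, not from the thread.
    // Assumed path: /etc/polkit-1/rules.d/50-updates-need-admin.rules
    // polkit >= 0.106 evaluates *.rules files in lexical order; the first rule
    // that returns a non-null result decides, so the low "50-" prefix puts this
    // ahead of distribution-generated files with higher numbers.

    // PackageKit action ids this rule covers (ids shipped by PackageKit).
    var UPDATE_ACTIONS = [
      "org.freedesktop.packagekit.system-update",
      "org.freedesktop.packagekit.package-install",
      "org.freedesktop.packagekit.package-remove"
    ];

    // Decision function: "auth_admin" makes polkit ask for the admin (root)
    // password every time one of the listed actions is requested; returning
    // null leaves every other action to the remaining rules and defaults.
    function updatesNeedAdmin(action, subject) {
      if (UPDATE_ACTIONS.indexOf(action.id) !== -1) {
        return "auth_admin";
      }
      return null;
    }

    // Register the rule with polkitd when this file is loaded by polkit.
    // The typeof guard exists only so the same file also loads under node
    // for checking the decision function outside polkit.
    if (typeof polkit !== "undefined") {
      polkit.addRule(updatesNeedAdmin);
    }
    ```

    After dropping the file in place, `pkaction --verbose --action-id org.freedesktop.packagekit.system-update` shows the action's defaults, and the Plasma updater should now prompt for the root password instead of applying updates silently.
    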

  7. #7

    Re: Plasma Software Updater security

    Quote Originally Posted by wolfi323 View Post
    You can just as well disable or uninstall the new updater applet, plasma5-pk-updates, or even PackageKit itself (both apper and plasma5-pk-updates are just frontends for that).

    Or change the polkit rules to require a root password for installing updates...
    1. How do I disable (without uninstalling it) the software updates widget completely in openSUSE Leap KDE Plasma? I have unchecked it in the system tray settings (under Extra items), but I think it still shows the notifications.
    2. If I try to remove plasma5-pk-updates I get
      Code:
      The following 4 packages are going to be REMOVED:
        patterns-openSUSE-kde patterns-openSUSE-kde_imaging patterns-openSUSE-kde_plasma
        plasma5-pk-updates
      
      The following 3 patterns are going to be REMOVED:
        kde kde_imaging kde_plasma
      
      4 packages to remove.
      After the operation, 181.7 KiB will be freed.
      Continue? [y/n/? shows all options] (y):
      Is it safe to remove this stuff along with it?
    3. Does removing PackageKit affect KDE alone, or also the other DEs installed alongside it, like Cinnamon, Xfce etc.?

  8. #8
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    25,136

    Re: Plasma Software Updater security

    Quote Originally Posted by wolfi323 View Post
    You can just as well disable or uninstall the new updater applet, plasma5-pk-updates, or even PackageKit itself (both apper and plasma5-pk-updates are just frontends for that).

    Or change the polkit rules to require a root password for installing updates...
    Thanks for mentioning the name plasma5-pk-updates. I always uncheck Apper for installation, but nevertheless my Leap 42.1 had some update applet (which then gave an error about the network not being available when clicked, I guess because PackageKit isn't there). And I didn't know what to uncheck during installation to cure this.

    IMHO it is a security issue: not the end-users, but the system administrator should decide which patches/updates get installed.
    Not having PackageKit does prevent this of course, but then there is still the applet that the curious end-user sees and tries, giving some strange error (with which he then goes to the sysadmin, wasting the time of both). The remark that the end-user can go and disable/remove the applet does of course not solve this. Things that he should not do, he also should not see. Should the system administrator log in to every new user's environment and do this as part of creating a new user?
    Henk van Velden

  9. #9
    Join Date
    Jun 2008
    Location
    Auckland, NZ
    Posts
    20,378
    Blog Entries
    1

    Re: Plasma Software Updater security

    Quote Originally Posted by hcvv View Post
    Thanks for mentioning the name plasma5-pk-updates. I always uncheck Apper for installation, but nevertheless my Leap 42.1 had some update applet (which then gave an error about the network not being available when clicked, I guess because PackageKit isn't there). And I didn't know what to uncheck during installation to cure this.
    I too was wondering about this, but hadn't got around to finding the 'offending' package yet. It would be nice if it could simply be disabled via a KDE config utility IMHO.

  10. #10
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    25,136

    Re: Plasma Software Updater security

    Quote Originally Posted by deano_ferrari View Post
    I too was wondering about this, but hadn't got around to finding the 'offending' package yet. It would be nice if it could simply be disabled via a KDE config utility IMHO.
    I think the KDE config utility is again on the user level. I want to disable this system-wide from the sysadmin level. It is the sysadmin who should decide if end-users are confronted with this applet.

    When the sysadmin decides that all the users should have it functioning, and thus maybe fight over who is the first to update the system in the morning, then each individual user can decide for himself if he wants to join that or if he wants to disable/remove the applet.
    Henk van Velden
