Page 1 of 2 12 LastLast
Results 1 to 10 of 16

Thread: Security Concern

  1. #1

    Question Security Concern

    I am using Tumbleweed (Linux 5.13.4-1-default #1 SMP Thu Jul 22 15:55:06 UTC 2021 (91a0cca) x86_64) with Firefox 90.0.2.
    Lately the behavior has changed. There are frequent updates, sometimes daily, that are done during a power cycle (example shutdown). Previously, I just did DUP when I had time to allow it to run.
    I am concerned the updates are not updates, but some kind of exploit. I have not been asked to provide my password by these power cycle updates.
    I have always associated updates requiring a power cycle with Microsoft Windows. Linux has seldom needed a restart to install updates until very recently.
    I apologize for the general nature of this posting. If I knew what I was doing, I could provide more information. Everyone has security concerns these days.
    Thank you.
    J Whit

  2. #2
    Join Date
    Jun 2008
    Location
    East of Podunk
    Posts
    33,250
    Blog Entries
    15

    Default Re: Security Concern

    Quote Originally Posted by jwhitmor View Post
    I am using Tumbleweed (Linux 5.13.4-1-default #1 SMP Thu Jul 22 15:55:06 UTC 2021 (91a0cca) x86_64) with Firefox 90.0.2.
    Lately the behavior has changed. There are frequent updates, sometimes daily, that are done during a power cycle (example shutdown). Previously, I just did DUP when I had time to allow it to run.
    I am concerned the updates are not updates, but some kind of exploit. I have not been asked to provide my password by these power cycle updates.
    I have always associated updates requiring a power cycle with Microsoft Windows. Linux has seldom needed a restart to install updates until very recently.
    I apologize for the general nature of this posting. If I knew what I was doing, I could provide more information. Everyone has security concerns these days.
    Thank you.
    J Whit
    Hi
    Your system if only running kernel 5.13.4 is out of date.....

    Code:
    cat /etc/os-release 
    
    NAME="openSUSE Tumbleweed"
    # VERSION="20210810"
    ID="opensuse-tumbleweed"
    ID_LIKE="opensuse suse"
    VERSION_ID="20210810"
    .....
    
    uname -a
    
    Linux grover 5.13.8-1-default #1 SMP Thu Aug 5 08:56:22 UTC 2021 (967c6a8) x86_64 x86_64 x86_64 GNU/Linux
    Not been using tumbleweed-cli per chance?

    Are you using the standard repositories?

    Code:
    zypper lr -dE
    Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
    SUSE SLE, openSUSE Leap/Tumbleweed (x86_64) | GNOME DE
    If you find this post helpful and are logged into the web interface,
    please show your appreciation and click on the star below... Thanks!

  3. #3

    Default Re: Security Concern

    cat /etc/os-release
    NAME="openSUSE Tumbleweed"
    # VERSION="20210801"
    ID="opensuse-tumbleweed"
    ID_LIKE="opensuse suse"
    VERSION_ID="20210801"

    Yes I use the Tumbleweed - cli for upgrades. It has never been clear to me how often to run DUP. I do not do it every day, or even every week. Development may proceed faster than I thought.
    The updates I am concerned about, just pop up, "Shutdown and install software" when I do a routine shutdown of my PC. They leave no option to bypass them. Then Linux runs the usual shutdown tasks, a black and white progress bar appears, and animates across the screen, and finally a power off. It is never clear where the software comes from. Could be the OS, or Gnome, or an App like VLC. Perhaps there is a log that would tell me what exactly was installed?
    I will update to the latest and see what happens then.

  4. #4
    Join Date
    Jun 2008
    Location
    East of Podunk
    Posts
    33,250
    Blog Entries
    15

    Default Re: Security Concern

    Quote Originally Posted by jwhitmor View Post
    cat /etc/os-release
    NAME="openSUSE Tumbleweed"
    # VERSION="20210801"
    ID="opensuse-tumbleweed"
    ID_LIKE="opensuse suse"
    VERSION_ID="20210801"

    Yes I use the Tumbleweed - cli for upgrades. It has never been clear to me how often to run DUP. I do not do it every day, or even every week. Development may proceed faster than I thought.
    The updates I am concerned about, just pop up, "Shutdown and install software" when I do a routine shutdown of my PC. They leave no option to bypass them. Then Linux runs the usual shutdown tasks, a black and white progress bar appears, and animates across the screen, and finally a power off. It is never clear where the software comes from. Could be the OS, or Gnome, or an App like VLC. Perhaps there is a log that would tell me what exactly was installed?
    I will update to the latest and see what happens then.
    Hi
    Then you need to use tumbleweed-cli command to move to a new release, zypper dup will not work....

    Never seen that here, wonder if it packagekit and friends fighting with tumbleweed-cli

    There is a web site for tumbleweed-cli to show they status (according to them) of the release (out of date).. see https://review.tumbleweed.boombatower.com/

    See here on how to update your system: https://github.com/boombatower/tumbleweed-cli

    Consider disabling and moving to good old zypper -vvv dup?
    Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
    SUSE SLE, openSUSE Leap/Tumbleweed (x86_64) | GNOME DE
    If you find this post helpful and are logged into the web interface,
    please show your appreciation and click on the star below... Thanks!

  5. #5

    Lightbulb Re: Security Concern

    I must correct. I thought you were asking if I used the command line to update. From reading: https://github.com/boombatower/tumbleweed-cli, I now understand you were talking about something I did not know about. Tumbleweed-cli, changes the repository URLs in libzypp, and adds some other convenient command line operations.This is very good information that I had not seen. Other earlier posts just said to use zypper ref and zypper dup, There was no mention of tumbleweed switch. This will make things much easier and more compliant.

    It will be interesting to see if I still get the self installing updates. In Linux, I never expect updates to just install on their own, without a password, without using Gnome software app., without using yast. Just a pop-up screen that includes an animated progress bar, and the words; installing update. This all happening during a shutdown, which is itself very suspect, because it could evade OS, protections. I was wondering if the Devs had picked up some bad habits from Microsoft, or if there had been a fundamental change in the way the kernel was updated. If it happens again, I will throw my hard drive in the incinerator, and do a clean install on a new drive. Buying a new drive is much cheaper than the problems an exploit could cause.
    I have a professionally managed Gateway-Firewall on the network, and it is astounding that it rejects thousands of connections a day, many from world countries where hackers are not necessarily operating as anarchists, but as employees.

    I appreciate the prompt expert assistance you have provided.
    Thank you,
    J.W.

    .

  6. #6

    Default Re: Security Concern

    # tumbleweed status
    latest : 20210810
    target : 20210810
    installed: 20210810

  7. #7
    Join Date
    Jun 2008
    Location
    East of Podunk
    Posts
    33,250
    Blog Entries
    15

    Default Re: Security Concern

    Quote Originally Posted by jwhitmor View Post
    # tumbleweed status
    latest : 20210810
    target : 20210810
    installed: 20210810
    Hi
    Get an SSD or NVME Looks good now

    It's likely packagekit services in the background...
    Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
    SUSE SLE, openSUSE Leap/Tumbleweed (x86_64) | GNOME DE
    If you find this post helpful and are logged into the web interface,
    please show your appreciation and click on the star below... Thanks!

  8. #8

    Default Re: Security Concern

    Quote Originally Posted by jwhitmor View Post
    I am using Tumbleweed (Linux 5.13.4-1-default #1 SMP Thu Jul 22 15:55:06 UTC 2021 (91a0cca) x86_64) with Firefox 90.0.2.
    Lately the behavior has changed. There are frequent updates, sometimes daily, that are done during a power cycle (example shutdown). Previously, I just did DUP when I had time to allow it to run.
    My guess is that this is a GNOME feature; I can find this post on a Fedora forum that ironically is a concerned user trying to re-enable updates on-shutdown. Replies there link to Issue 1253 on the GNOME Gitlab’s issues system which ends with:

    Quote Originally Posted by user mcatanzaro at gitlab.gnome.org


    If I manually click on the Download button in the updates tab in GNOME Software, then it is able to successfully prepare an update, and I can install the update from the GNOME Shell power off dialog as usual. So I think the problem is GNOME Software is getting confused and never preparing the update for some reason. This must be a regression in 40, because in 3.38 updates were prepared way
    too frequently.
    So if you could check if the screenshot in the Fedora post is the same dialog you are/were seeing on shutdown, that may (somewhat) confirm that what you were seeing was a GNOME feature. That it does not ask for a password may the result of polkit, which is (I think) what allows GNOME’s Palimpsest Disk Utility to run without asking for elevation via gksudo or a similar sort of prompt.

    A bit of a tangent, but based on how the command line `shutdown` command functions, it is a bit strange that shutting down via the GUI usually does not require a password either, though that definitely predates polkit.

    One additional question, you mention using zypper’s dup command to update previously; I thought dup is only used on Leap to update between releases. Isn’t Tumbleweed a rolling release, and would therefore only need `zypper up` and `zypper patch`?

  9. #9
    Join Date
    Nov 2009
    Location
    West Virginia Sector 13
    Posts
    16,344

    Default Re: Security Concern

    Tumbleweed requires dup not up. If you use up you will break something

    Up is only on Leap. Every update on Tumbleweed is a distribution upgrade

  10. #10
    Join Date
    May 2018
    Location
    Québec city
    Posts
    44

    Default Re: Security Concern

    As said in the documentation : always use "zypper dup --no- allow-vendor-change' " to update tumbleweed following best practice.

    see : https://en.opensuse.org/Portal:Tumbleweed

    "zypper up" will only update. It normally won't remove a package that is no longer in the distribution (no longer in any repo).

    Most of the time, "zypper dup" is similar. But occasionally there's a major change to a software package that needs to remove some older packages to install new packages with different names. In that case, only "zypper dup" will work.

    Regards,
    BT

Page 1 of 2 12 LastLast

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •