Hello. I tested to run Software Updater in KDE Plasma. It installed updates without asking for any root password.
Is it as it should be or is it a security issue?
/Johan
Hello. I tested to run Software Updater in KDE Plasma. It installed updates without asking for any root password.
Is it as it should be
yes the software updater does not ask for a password, afaik it was the same with apper in 13.1 and 13.2.
is it a security issue?
could be it depends on your repositories and level of paranoia.
Still the software updater will not update unsigned packages so … you’re pretty safe.
[v] Paranoia, oh yes.
Well, then there is not a big issue, just me with little paranoia and some missing some understanding in programming to read all the code to feel totally safe. On 13.2 apper was the first to be disable (not installed)…
Big thanks !
well to be a security risk someone needs to get a hold of the sign key used by opensuse or packman, get access to their servers, create an updated rpm that you already have installed and publish it, is it possible sure why not, in reality I don’t think so.
you can also disable or uninstall the update applet and do your updates with zypper or yast.
Making it manual will only make difference if you check manually the source code for each package update that is released. IMHO unnecessary paranoia. If you just want to know what was upgraded, just check the logs 
You can just as well disable or uninstall the new updater applet, plasma5-pk-updates, or even PackageKit itself (both apper and plasma5-pk-updates are just frontends for that).
Or change the polkit rules to require a root password for installing updates… 
- How to disable(without uninstalling it) the software updates widget completely in openSUSE Leap KDE plasma ? i have unchecked it from system tray settings(under Extra items) , but i think it still shows up the notifications.
- If i try to remove plasma5-pk-updates i get
The following 4 packages are going to be REMOVED:
patterns-openSUSE-kde patterns-openSUSE-kde_imaging patterns-openSUSE-kde_plasma
plasma5-pk-updates
The following 3 patterns are going to be REMOVED:
kde kde_imaging kde_plasma
4 packages to remove.
After the operation, 181.7 KiB will be freed.
Continue? [y/n/? shows all options] (y):
Is it safe to remove these stuffs with along with it ?
- Removing PackageKit will affect the KDE alone or reflect with the other DE’s installed along like cinnamon,xfce etc… ?
Thanks for mentioning the name plsma5-pk-updates. I always uncheck Apper for installation, but nevertheless in my Leap 42.1 it had some update applet (which then gave an error about the network not being available when clicked, I guess because PackageKit isn’t there). And I didn’t know what to uncheck for installing to cure this.
IMHO it is a security issue, not end-users, but the system administrator should decide which patches/updates should be installed.
Not having PackageKit does prevent this of course, but then there is still the applet that the curious end-user sees and tries, giving some strange error (with which he then goes to the sysadmin, spoiling the time of both). The remark that the end-user can go and disable/remove the applet is of course not solving this. Things that he should not do, he also should not see. Should the system adminstrator login into every new user’s environment and do this as part of the creation of a new user?
I too was wondering about this, but hadn’t got around to finding the ‘offending’ package yet. It would be nice if it could simply be disabled via a KDE config utility IMHO.
I think the KDE config utility is again on the user level. I want to disable this system wide from the sysadmin level. It is the sysadmin that should decide if end-users are confronted with this aplet.
When the sysadmin decides that all the users should have it functioning and thus maybe fight who is the first that updates the system in the morning, then each individual user can decide for himself if he wants to join that or if he wants to disable/remove the aplet.
If you disabled it in the system tray settings, it should not show any notifications, as it should not even be loaded.
Check whether you have apper installed as well, it’s background service might be running and show those notifications.
If i try to remove plasma5-pk-updates i get
The following 4 packages are going to be REMOVED: patterns-openSUSE-kde patterns-openSUSE-kde_imaging patterns-openSUSE-kde_plasma plasma5-pk-updates
The following 3 patterns are going to be REMOVED:
kde kde_imaging kde_plasma
4 packages to remove.
After the operation, 181.7 KiB will be freed.
Continue? [y/n/? shows all options] (y):
Is it safe to remove these stuffs with along with it ?
This will only remove the patterns that require plasma5-pk-updates (directly or indirectly).
Removing a pattern will not uninstall any software/package. A pattern is just a list of packages that have to be/should be installed.
Removing PackageKit will affect the KDE alone or reflect with the other DE’s installed along like cinnamon,xfce etc… ?
Removing PackageKit will remove or break all PackageKit frontends.
I think most desktop’s updaters are just frontends for PackageKit, so it will probably affect all DE’s, yes.
YaST (and YaST Online Update) will of course continue to work, just as zypper will.
This might be true for a multi-user system with a dedicated admin, yes.
But remember that many people use Linux on their own private machines as the only user, as a “Windows-replacement” so to say.
A dedicated admin should be able to modify the system to their needs, while an inexperienced newbie user will not. An inexperienced user might not even be aware that he can install updates with YaST or zypper.
And not installing security updates is a security issue as well.
That’s why we have those automatic update notifiers.
And that’s why it has been decided by the security team (years ago) to allow installing updates by the user, without having to enter a password by default (depending on the security settings in /etc/sysconfig/security).
Should the system adminstrator login into every new user’s environment and do this as part of the creation of a new user?
Well, as you write, you can uninstall it.
You could also disallow users to install updates (or require the root password) in the polkit configuration, but then the applet will of course still show updates.
You could also even disallow the refresh of software repositories for users in the polkit configuration, so it should never show any updates, but the user will be confronted with error messages then I suppose.
So all in all, if you don’t want your users to see/install updates at all, it’s probably easier/better to uninstall PackageKit.
Thanks for the complete confirmation.
The main problem is that it is very difficult to find any documentation on how to convert your system from a Windows clone into a normal system administrator managed multi-user system.
And this is growing, bringing unpleasant and undocumented surprises.
An example exprienced on my first Leap 41.1 installation trial: to configure your NICs to your liking, you have to remove the ethernet cable befor you start installing (I don’t know if you have to remove yopur wifi card also). Ridiculous in my eyes, but the big “Read this first before installation” is stiill missinng IMHO.
Sorry for the off-topic.
I’d call that a bug.
This is during installation, or in the installed system?
One thing though: if the installer detects a wireless card, NetworkManager is enabled automatically, so the interface settings in YaST might not apply. That’s a deliberate choice as it makes configuring a WiFi connection easier for inexperienced users, and is also done since years.
OTOH, shouldn’t the network interfaces be configured automatically anyway?
Haven’t installed Leap on real hardware yet, only in vmware (without problems, although IIRC I had a problem with a misconfigured/not-working network interface after the installation when I tried the Beta).
but the big “Read this first before installation” is stiill missinng IMHO.
Well, there are the release notes which should be displayed during (before?) the installation.
Although not everything is mentioned there either of course, to put it this way…
This is during installation.
What in fact is missing (since earlier installations) is the all important choice: Automatic installation or not". that was almost at the beginning of the installation.
After the newby has chosen for Automatic (that was always the default checked one and that is fine with me), I have of course no objection against things going “automatic”.
But now the system (testsystem having only cable) got the wrong IP address, the wrong DNS server, the wrong NTP server. After asking here on the forums, I was adviced to remove the network cable before starting the installation. It then indeed asked me to configure the network. I first inserted the cable and then completed the configuration. When I did a new installation (for testing purposes), I of course forgot to remove the cable until it was to late. Start a new >:). In fact I gave up. I am till looking at that test system with disgust, but the poor hardware is of course not to blaame.
I realy can not see the replacement of the “Automatic or not” checkbox for the cable removing as an improvement. :sarcastic:
yes i installed apper in Leap to check it out,as it didn’t come along by default . Even after disabling Software updates widget in the system tray settings and trying- zypper up gives me
sudo zypper up
PackageKit is blocking zypper. This happens if you have an updater applet or other software management application using PackageKit running.
Tell PackageKit to quit? [yes/no] (no):
So this PackageKit thing runs in background even after disabling Software updates widget ? how to disable PackageKit ?
AFAIK the installer has been “streamlined” in 13.2 already.
I’m not sure at the moment how it exactly works now in this regard, I don’t often do fresh installations, except for testing in a VM where I don’t normally dive into the installation settings but rather take the defaults.
It should be possible to change this in the installation summary though, is that not so anymore?
As I said, you might have apper’s background service running, that still checks for updates.
You can disable it via “kcmshell4 kded”, or in KDE4’s systemsettings, but that’s not installed by default.
Or uninstall apper too, it’s the old KDE4 updater.
So this PackageKit thing runs in background even after disabling Software updates widget ? how to disable PackageKit ?
PackageKit only runs if something (e.g. plasma5-pk-updates or apper) is starting it. And it should shut itself down after 15 seconds of idleness.
You cannot really “disable” it (and there’s no need to). But you can of course uninstall it, if you don’t want to use it anyway.
I do not think it is repairable in the summary. Please look for yourself. I am not realy willing to start the install again. I did already several times. To check If I was senile and missed the Non/Automatic choice. It was not, and it’s absence was confirmed here on the forums, coming with the advice to remove the cable. So install #3. Then two installs broke down and also I sometimes forgot to remove the cable in time. Thus I gave up as I said above.
Also I do not want to hyjack this thread. So, when you want to continue on this subject, please go to https://forums.opensuse.org/showthread.php/512529-How-to-switch-off-quot-Automatic-Configuration-quot-duriing-installation
You write many users use Linux on their machines as only user, as a Windows replacement. Yes, and? Should we also have the same insecure system as Windows users have, where everyone being able to click a mouse-button becomes admin? I find it ridiculous.
I also am the only user on my computer and still I want to have a secure system where not I, the user, but I, the sysadmin, perform installations after identifying myself to the system using the root password. Only then am I allowed to write on the system disk. It’s like that with many (all??) other distro’s I have used.
Yesterday I installed OpenSuse Leap 42.1 in a VM and today I had updates which after clicking the install button were just installed. It looked to me the complete KDE system was updated, so not a small update. No password needed. Ridiculous. Sorry if I sound hard and cruel, but one of the reasons for me to chose Linux above Windows is the extra security you have. With this update system this is going down the drain.
Several years ago I read something about Microsoft and (Open)Suse working together. Is this one of the results of that? Wouldn’t surprise me.
I looked in /etc/sysconfig/security. What do I need to change there to have a secure system where I do need to type the password before something happens with the system disk?
I find that deduction ridiculous.
Just because a user is allowed to install updates (without root password) doesn’t mean that “everyone being able to click a mouse-button becomes admin”, and it doesn’t make the system insecure.
Not installing security updates can make the system insecure though, so it’s probably a good idea to make that as easy as possible.
Note that with the default settings it is only allowed to install updates without root password, not new packages.
Several years ago I read something about Microsoft and (Open)Suse working together. Is this one of the results of that? Wouldn’t surprise me.
That’s ridiculous too.
I looked in /etc/sysconfig/security. What do I need to change there to have a secure system where I do need to type the password before something happens with the system disk?
Set PERMISSION_SECURITY to “secure local” or even “paranoid local” (run “polkit_set_default_privs” as root afterwards to apply the change). You can do that in YaST->System->Security Center and System Hardening too.
But that has other implications as well, e.g. you won’t be able to mount removeable media without the root password any more.
If you only want to affect the updater, specify a custom polkit rule in /etc/polkit-default-privs.local (and again, run “polkit_set_default_privs” afterwards):
org.freedesktop.packagekit.system-update auth_admin_keep_always
“auth_admin_keep_always” means that the root password has to be entered, but it will be remembered during the running user session.
If you want to have to enter the password everytime, use “auth_admin” instead. See also “man polkit”.
And as has been mentioned in this thread already, you can also uninstall PackageKit if you prefer. YaST and zypper do require root permissions for every system modification.