root authorisation issue

Since installation of Leap 15.4 we have the option of installing software updates prior to power down.

I ask myself whether this is a good idea.

  1. With my desktop configuration a kind of yoyo process is started without my intervention: i.e. power off (with option set to install software updates), restart, power down, restart again to log in, login, power off (no option to select software update). Why such a circuitous procedure?

  2. At no time during the above circuitous procedure am I asked for my root password, but the software is supposedly installed during the above process. The software installation is made without my root authorisation, which makes me ask: Who gave the update process root authorisation? Is this really a security issue?

You are using the update applet from your desktop to install updates. This uses packagekit in the background. The root authorization probably comes from policykit.

If you want to manually install software, that will still require root. If you want to add repos, that will still require root. But if you are just doing an update using the existing repos, then packagekit/policykit allow that. The assumption is that you approved the original install of the software and the repos, so you implicitly approve update.

At least I think that’s the theory. Personally, I disable the desktop update applet, and use “zypper” at the command line for updates.

Normally, I install notified software updates by starting YaST which requires the root password. However, the above-mentioned software update yoyo doesn’t require the root password at any time. In other words, a process with root privileges is activated at some time during the yoyo without my authorisation.

Using KDE, the update applet tells me that there are updates. If I click on it, I can install the updates. I’m not asked for the root password for that.

This is a decision that the openSUSE maintainers have made.

I could also use that update applet to install a new package. In that case, I would be required to give the root password.

The decision appears to be that installing approved updates to existing software from already configured repos should not require the root password.

You are perhaps using Gnome. I have that installed, but I do my best to disable the update applet in Gnome because I don’t like that yoyo that you describe.
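
To see which PackageKit operations polkit allows without a password on a given machine, the implicit authorisations printed by `pkaction --verbose` can be listed. The script below is an added example, not part of the thread and not openSUSE tooling; it assumes the usual `pkaction --verbose` output layout, and the embedded sample is constructed for illustration rather than taken from a real Leap 15.4 system.

```python
import shutil
import subprocess

# Constructed sample in the layout printed by `pkaction --verbose`; the values
# are illustrative and were not read from a real Leap 15.4 installation.
SAMPLE = """\
org.freedesktop.packagekit.package-install:
  description:       Install signed package
  implicit any:      auth_admin
  implicit inactive: auth_admin
  implicit active:   auth_admin_keep

org.freedesktop.packagekit.system-sources-configure:
  description:       Change software source parameters
  implicit any:      auth_admin
  implicit inactive: auth_admin
  implicit active:   auth_admin_keep

org.freedesktop.packagekit.system-update:
  description:       Update software
  implicit any:      auth_admin
  implicit inactive: auth_admin
  implicit active:   yes
"""

def parse_pkaction(text):
    """Return {action_id: {"any": ..., "inactive": ..., "active": ...}}."""
    actions, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = actions.setdefault(line.rstrip()[:-1], {})
        elif current is not None and line.strip().startswith("implicit "):
            key, _, value = line.strip()[len("implicit "):].partition(":")
            current[key.strip()] = value.strip()
    return actions

def passwordless(actions, prefix="org.freedesktop.packagekit."):
    """PackageKit actions that some session class may run with no prompt."""
    return sorted(a for a, p in actions.items()
                  if a.startswith(prefix) and "yes" in p.values())

def live_or_sample():
    """Use the real polkit database when pkaction exists, else the sample."""
    if shutil.which("pkaction"):
        return subprocess.run(["pkaction", "--verbose"], capture_output=True,
                              text=True, check=True).stdout
    return SAMPLE

if __name__ == "__main__":
    for action in passwordless(parse_pkaction(live_or_sample())):
        print("no password required:", action)
```

An action whose implicit setting is `yes` runs without any prompt for that class of session, while `auth_admin` and `auth_admin_keep` require the administrator password.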