Update Applet - su/root password always needed (GNOME)

Hi members of the openSuSE forums,

I have a minor problem with my “Update Applet 2.28.0” in Gnome. It occurs when I want to make the applet do one or more suggested update(s). It always asks me for the password of superuser/root:
“Authenticate : Authentication is required to update packages. …]”.

I think under my installation before (11.1 maybe updated from an older version) I could tell the automatic/semi automatic updater to remember the su password (in YaST or in the authentication dialog?).

In the help manual on my computer (and in the internet) there is the possibility to make the updater remember the password via policy kit:
(“Access to all privileged operations is controlled via PolicyKit.” See: GNOME Documentation Library : gnome-packagekit Manual : Introduction)
I could not find any policy kid or any other possibility to give to the automatic updater (or its user) that privilege permanently (=to remember authorization).

I think on a system with more (real) users this could be a real problem (not just an inconvenience).

Greetings
pistazienfresser

Users should never have the power to update or install software on a system. Only the root user should have that power. This is why Windows goes sideways so often, people installing arbitrary code.

In Yast You can set updates to be automagic.

I do not want to give an user the power to install “arbitrary code” only to say yes (or no, not now) to the automatic installation of the automatic updater and maybe also to give a trusted user also the power to choose which of the automatic suggested packages are installed now.

Thanks, I had found that possibility in (graphical) YaST>“Online Update Configuration”. But it seems to me only the possibility for full automatic installation and not for any check of the user.

So in openSUSE’s GNOME the root can only choose between a full untrusted user or a full trusted user?
If I need something different I have to make a user a sudoer/a member of sudoers?
This seems at least very uncomfortably for me.

Greetings
pistazienfresser

All linux/*nix systems are multiuser - they were built like that form the start.
root is the only user that has superpowers to change everything, regardless of the consequences.
Some distros, like ubuntu, are trying to convert people from windows so only require the sudo password. For most others, root or su is a separate entity.
This requires that you are the administrator of the system before you can make any changes/updates and stops the normal user from damaging the system.
Having said that, I am sure you could run a script using zypper and cron to automatically update the system. Just make sure you have the security set correctly.
If you are wanting to vet and then push the selected updates to the workstation machines, you are probably better off running the updates from your own local update server.

The Policy Kit/PolicyKit seems to be included in openSUSE since version openSUSE 10.3: PolicyKit - Wikipedia, the free encyclopedia

In my KDE 4.3.5 it seems to me a user who knows the su-password would be able to gain permanent access to the hole graphical YaST (witch includes ALL software changes): The Implicit Privileges include “Keep Indefinitely Authentication” for the hole graphical YaST.
And possibility to give a user access to the automatic update applet (with fewer risks) is also not set there by default.

Especially on a laptop it would be fine for an user to decide if a update should made now or not (urgency to do something else, time left to run the computer, energy status, modus and stability of internet connection etc.)

So would it not be a more adequate and simpler (and maybe for me manageable) workaround to modify the entries in PolicyKit?

Can anybody give me (more) advice(s) if and how I should do this?

Should I add only “gnome-packagekit” (and maybe the packagekit in KDE) in More Applications > Tools > Authorizations: org>opendesktop>policykid>Modify defaults for implicit authorizations>Implicit Autorsations OR Explicit Autorisations?

Greetings pistazienfresser

[Documentation](file:///usr/share/doc/manual/opensuse-manuals_en/manual/index.html) > [Security Guide](file:///usr/share/doc/manual/opensuse-manuals_en/manual/book.security.html) > [Local Security](file:///usr/share/doc/manual/opensuse-manuals_en/manual/part.local_security.html) > [PolicyKit](file:///usr/share/doc/manual/opensuse-manuals_en/manual/cha.security.policykit.html) > Modifying and Setting Privileges (9.3)
= in: Novell Documentation

PolicyKit Library Reference Manual

pistazienfresser wrote:
> Can anybody give me (more) advice(s) if and how I should do this?

to me, it sounds like you allow others to use your machine…that is
ok if you want to allow it, but do they have it for (say) several days
or weeks at a time? if not, i wouldn’t consider it anywhere near
necessary to give them the chance to say yes or no to an update…

i mean, it is not like you have a frail Redmond system where at any
second a new crippling virus or malware is loosed…

so, i vote no…i say keep ONLY you as machine owner and administrator
with the root password and access to all system controls and upgrade
capability…

otoh: it is your machine, you can allow the cake maker on the corner
to have full access, if you wish.

[and, i hope you know that if whoever you loan it to wants to they CAN
perform all root operations they wish, very soon after you are out of
sight–that is to say, if you do not control the physical access to
the machine, there is NO security whatsoever.]


DenverD (Linux Counter 282315)
CAVEAT: http://is.gd/bpoMD
posted via NNTP w/TBird 2.0.0.23 | KDE 3.5.7 | openSUSE 10.3
2.6.22.19-0.4-default SMP i686
AMD Athlon 1 GB RAM | GeForce FX 5500 | ASRock K8Upgrade-760GX |
CMedia 9761 AC’97 Audio

@pistazienfresser: stop what you’re trying. Imagine the user updating the kernel by ‘applet’. After update the ‘Reboot’ message comes, NVIDIA driver missing, oops. Or should the installer/updater also be aware of the security level of the user, and leave some packages out of updating? I’m glad that I’m the one on my machines that does the installing and updating (being the only one that has the rootpassword).

Hi Forum-Members,
back to my question:
Has anyone experiences with “Modifying and Setting Privileges”?
Greetings pistazienfresser

Hi Knurpht and DenverD,
thanks for your concern.
@Knurpht
a) Your example speaks more for my wanted policies and against the actual default (especially in the actual KDE where the root can give an user access to the complete graphic YaST just by ONE click more).
b) For your hypothetical case: The root can tell the Update Applet/automatic updater via “Software Updates Preferences” in which time intervals (week etc.) to look after major updates (witch would be kernel updates or not?). Why should the automatic updater suggest an update to a complete other kernel? (And if so: a full automatic update would leave just less chance to prevent that!)

@DenverD
a) I use my machine now alone. But the automatic updater is for me a convenient alternative to an often update with the graphical YaST>software manager OR Software update
b) If I would set up a computer with linux for my sister or an other user that does not want to bother which updates are useful but wants to decide when to update.
c) Your warning for the access to my machine make sense, thanks (I was aware of that): I think the use an encrypted partition for my data will be the chose (but that is complete an other theme and should have an other title.)

Greetings pistazienfresser

Why should they update in the first place? Install, update, install codecs, drivers etc., configure firewall, done. Nothing unsecure or whatever.

Systemadminstration has to be done by a systemadminsitrator. Not sometimes by the user, sometimes by the sysadmin. The separation system vs. users is one of the main items in linux security, let’s please not break that.

If you want to discuss the question if linux systems need updates at all please open a new thread.

In the current policies:

  • by a few clicks from the root:
    in the future updates can be made by the system full automatically (and so without any system administrator only by the user been logged in an connected to the internet)
  • in KDE 4.3.5 by only one click from a user/admin who knows the root password the user can get access to nearly the hole system administration (via the graphical YaST /bin/yast2)

So thanks for the argument that this default policy makes no sense but please start a new thread (General Chit-Chat - openSUSE Forums ?) to discuss that.

Greetings
pistazienfresser

Hi forum users!

I would appreciate if someone would write something about the theme of the tread. But until now it seems to me this is more a case for the bug report as here no one seems to be able and willing to tell me how to change that inconsistent default policies.

Greetings
pistazienfresser

You are the only one that seems to think it is inconsistent.

If you think it is a bug report it. When the developers stop laughing they may even reply.

gogalthorp wrote:
> they may even reply.

doubt it.


DenverD (Linux Counter 282315)
CAVEAT: http://is.gd/bpoMD
posted via NNTP w/TBird 2.0.0.23 | KDE 3.5.7 | openSUSE 10.3
2.6.22.19-0.4-default SMP i686
AMD Athlon 1 GB RAM | GeForce FX 5500 | ASRock K8Upgrade-760GX |
CMedia 9761 AC’97 Audio

Thanks to PolicyKit/polkit/polkit-1 it is solved although their difference (no real memory possible) seems to have produced that strange change in openSUSE 11.2, too.
Greetings
pistazienfresser

Could you explain this a bit more? No sarcasm or whatever. Never was anyway, I’m just not the one that’s cooperating in what IMHO means breaking security.
I understand you’re trying to create a situation that will have everything in it, but to me that’s going to something like a windu system, where all 11 users have admin rights, since they need to install their own games.
Yes, in the (near?) future, admins(!) will be able to enable/disable fully automated updating, even upgrading. Still the admin will enable/disable this, set whether the user will see something and what.

I gave my main normal user the right to start
“Action=org.freedesktop.packagekit.system-update”.
For that I tried first the old PolicyKit (“polkit”).
After this worked not i tried the new version of Policy Kit (“polkit-1”) and had success.
This user can now start a Update-Prozess without entering the root password.
As the new Policy Kit has not any more the function to save the root password for ever (see: polkit) I gave this one normal user the power to start the update process without any password. Maybe I will change it to a state in which this user will need his own password every time.

If there is the possibility to security lacks I will not post here a detailed “How-To” for this workaround. Shall I mail you more details?

As I understand it I gave only one user to do (or do not!) one process.
According to my knowledge the Gnome Update Applet is only able to do updates not installing new programs:
“Keeping the System Up-to-date” (Start-Up, Chapter 3, Installing,
Removing and Updating Software)
Novell Documentation (all following Quotes are from that)

As I understand it:
The process started by the (KDE and) Gnome Update Applet even cannot install new versions with new/ characteristics (upgrates) by default:

"openSUSE offers a continuous stream of software security patches for your product. The updater applet informs you about the availability of patches and lets you easily install them with just a few clicks. "
…]
NOTE: Patches vs. New Versions The patches offered by openSUSE either fix security holes or serious errors in the software. A patch normally does not upgrade to a newer version and does not offer additional functionality. A new program version offered by the community may offer fixes, too, but primarily adds new functionality.”
…]
"The updater applet does not monitor repositories for new software versions by default. To enable this feature, open the configuration window as described in [Section 3.3.1.3, “Configuring the Updater Applet”](file:///usr/share/doc/manual/opensuse-manuals_en/manual/sec.updater.html#sec.updater.kde.config) and tick the check box Show Available Upgrades When Back-End Provides Them check box. "

Some disadvantages of full automatic updates are shown there:
GNOME Updater Applet/Update Process on the Desktop/Automatic Updates - openSUSE
Why should a normal user not start (or not start) a (then: half) automatic update process?
So at least the user could take a look at the updates (“4 eyes”) and make no updates if to him something seem stange. As well I could decide to do no update if the time suits not.
Maybe it would be able to make a full automatic update in longer terms as well as a fallback?
I think the default situation in 11.2 and Gnome may seduce a administrator to give the root password to a normal user.

In KDE the Updater Applet seems still to be ‘able’ to remember the root password:
“4
In case you have started the patch installation for the first time, you will be
asked to enter the root password in order to proceed. If you also check Remember
authorization you will never be asked again to provide the password.”
(According to above linked “Start-Up”: 3.3.1 Using the KDE Online Update Applet). Maybe there is still the old PolicyKit used?

Greetings
pistazienfresser