Bugzilla – Full Text Bug Listing

| Summary: | opensuse-updater shows error message in tooltip | | |
|---|---|---|---|
| Product: | [openSUSE] openSUSE 10.2 | Reporter: | Christian Boltz <suse-beta> |
| Component: | Update Problems | Assignee: | Duncan Mac-Vicar <dmacvicar> |
| Status: | RESOLVED WONTFIX | QA Contact: | Jiri Srain <jsrain> |
| Severity: | Normal | | |
| Priority: | P5 - None | CC: | aj, andreas.hanke, harbrink, security-team |
| Version: | Beta 2 | | |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | Other | | |
| Whiteboard: | | | |
| Found By: | Other | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Attachments: | screenshot | | |

Created attachment 103118
screenshot

chmod +s /usr/sbin/zypp-checkpatches-wrapper

That should be done by the package by the way.

what version of libzypp and permissions.rpm do you have?

# rpm -q libzypp permissions
libzypp-2.5.2-4
permissions-2006.10.16-5

(I chroot'ed to my 10.2 installation to get this information, therefore I don't know if the chmod command fixes the issue. However, I chmod'ed the file now and will see the result when I boot 10.2 beta again.)

Ok, please close the bug if it works.

(In reply to comment #4)
> Ok, please close the bug if it works.

Without having it tested: It probably won't work for a long time...

# grep zypp-check /etc/permissions*
/etc/permissions.easy:/usr/sbin/zypp-checkpatches-wrapper root:root 4755
/etc/permissions.paranoid:/usr/sbin/zypp-checkpatches-wrapper root:root 0755
/etc/permissions.secure:/usr/sbin/zypp-checkpatches-wrapper root:root 0755

(just checked: these values are still used in the current Factory package permissions-2006.10.16-6.i586.rpm.)

Needless to say that I use "secure" permissions.

What's the reason to drop the suid bit in this case?

BTW: I can't access bug 211286 which is mentioned in permissions.* above the quoted lines :-(

What's the security team's point of view here?

in secure mode the setuid root bit should be off.

in "secure" mode we do not trust the user with system administrative duties, so an admin should use su or similar to do administrative stuff.

If you want to override this decision, adjust permissions.local or similar.

(In reply to comment #7)
> in secure mode the setuid root bit should be off.
>
> in "secure" mode we do not trust the user with system administrative duties,
> so an admin should use su or similar to do administrative stuff.

Hmm, what about zen-updater? It even grants _permanent_ permissions once you entered the root password ;-)

Seriously: Now that some test updates are available, I could test opensuse-updater a bit more. The only thing a user can do without knowing the root password is "check for updates". I don't know why this is considered security relevant. (He could also call rpm -q to check for outdated/vulnerable packages.) (Before actually installing any patch, the root password is requested.)

Anyway: If you don't set the suid bit for zypp-checkpatches-wrapper in permissions.secure, at least implement a better error message that is more helpful for the user (it should at least contain a hint _which_ program needs to be chmod'ed suid-root).

Yes, a better message might be useful. But for the rest - if you are running in secure mode, you should not update the system as a user, not even an applet running and checking periodically over a network if there are new updates. IMO there is no reason for the applet to even run in the secure mode.

The reason why we need suid is that ZYPP stores sensitive information in its database (e.g. FTP password) and checking the update status is using this information.

closing, better message in future versions.

*** Bug 228518 has been marked as a duplicate of this bug. ***

mass reopening all 10.2 LATER+REMIND bugs.

close all 10.2 LATER/REMIND bugs as WONTFIX. Reopen yourself if you still plan to work on it.

(using Factory from last night)

I just updated from 10.1 to Factory and created a new user. openSUSE-updater shows an error message in its tooltip:

Error: helper program returned: setuid: Operation not permitted Forgot to chmod this program?

I'm not sure which information would be helpful in this case, so: just ask ;-)
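
Added example (not part of the bug report and not code from the permissions package): a shell script that reads profile entries in the `path owner:group mode` layout shown in the grep output in the thread and reports how an observed mode relates to each profile, which makes the effect of a manual `chmod +s` under the "secure" profile visible. The sample profiles are constructed from the three quoted entries; the function names and the observed modes 0755 and 6755 are assumptions of this example.

```shell
#!/bin/sh
# Added example. Profile line layout, as in the grep output in the thread:
#   <path> <owner>:<group> <octal mode>

# Print the mode a profile file assigns to a path (nothing if no entry).
profile_mode() {  # $1 = profile file, $2 = path
    awk -v p="$2" '$1 == p { m = $3 } END { if (m != "") print m }' "$1"
}

# Succeed if the octal mode carries the setuid bit (04000).
has_setuid() {  # $1 = octal mode such as 4755 or 0755
    [ $(( 0$1 & 04000 )) -ne 0 ]
}

# Relate an observed mode to the profile entry. Prints one of:
#   match, missing-setuid, extra-setuid, differs, no-entry
compare_mode() {  # $1 = profile file, $2 = path, $3 = observed octal mode
    want=$(profile_mode "$1" "$2")
    [ -n "$want" ] || { echo no-entry; return 0; }
    if [ $(( 0$want )) -eq $(( 0$3 )) ]; then echo match
    elif has_setuid "$want" && ! has_setuid "$3"; then echo missing-setuid
    elif ! has_setuid "$want" && has_setuid "$3"; then echo extra-setuid
    else echo differs
    fi
}

# Constructed sample profiles holding the three entries quoted in the thread.
make_samples() {  # $1 = directory to write into
    entry='/usr/sbin/zypp-checkpatches-wrapper root:root'
    echo "$entry 4755" > "$1/permissions.easy"
    echo "$entry 0755" > "$1/permissions.secure"
    echo "$entry 0755" > "$1/permissions.paranoid"
}

tmp=$(mktemp -d)
make_samples "$tmp"
# 6755 is what "chmod +s" leaves on a 0755 file (setuid and setgid); 0755 is
# the mode without it. Both are constructed inputs, not read from disk.
for prof in easy secure paranoid; do
    for seen in 0755 6755; do
        echo "$prof, observed $seen: $(compare_mode "$tmp/permissions.$prof" \
            /usr/sbin/zypp-checkpatches-wrapper "$seen")"
    done
done
rm -rf "$tmp"
```

To check a live system, pass the output of `stat -c %a FILE` (GNU stat) as the observed mode and the real `/etc/permissions.*` file as the profile.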