601782 – Update Applet - su/root password always needed (illogical default entry in policy kid?)

Bug 601782 - Update Applet - su/root password always needed (illogical default entry in policy kid?)

Summary: Update Applet - su/root password always needed (illogical default entry in po...

Status:	RESOLVED WONTFIX

Alias:	None

Product:	openSUSE 11.4
Classification:	openSUSE
Component:	KDE4 Workspace (show other bugs)
Version:	Final
Hardware:	All openSUSE 11.4

Priority:	P5 - None Severity: Normal with 3 votes (vote)
Target Milestone:	Final
Assignee:	E-mail List
QA Contact:	E-mail List

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2010-05-02 17:08 UTC by Martin Seidler
Modified:	2012-03-24 21:24 UTC (History)
CC List:	3 users (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Martin Seidler 2010-05-02 17:08:44 UTC

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.9) Gecko/20100317 SUSE/3.5.9-0.1.1 Firefox/3.5.9

I.
1. I have a problem with my "Update Applet 2.28.0" in GNOME (The same in KDE 4.3.5). It occurs when I want to make the applet do one or more suggested update(s). It always asks me for the password of superuser/root:
"Authenticate : Authentication is required to update packages. [...]".

I think under my installation before (11.1 maybe updated from an older version) I could tell the automatic/semi automatic updater to remember the su password (in YaST or in the authentication dialog?).

2.
It is also a documentation bug:
In the help manual on my computer (and in the internet) there is the possibility to make the updater remember the password via policy kit:
("Access to all privileged operations is controlled via PolicyKit." See: GNOME Documentation Library : gnome-packagekit Manual : Introduction)

II. That policy make no sense:

1. The necessarily to use the root password should be reserved to actions you should think about twice and not to normal (security) updates.

2. The default policies are just contradictorily to the possible risk:

2. 1.They allow (by default) the root/someone with a root password
2.1.1 to tell the system to update complete automatically (without any human thinking or intentional acting)
2.1.2 to give (in KDE) a normal user access to the hole graphical operating system setup and configuration tool (/sbin/yast2).

2.2. But they allow not the automatic updater to remember the root password. (With a change in the policies the root may be able to change that?)

2.2. In contrast to that in my knowledge:
2.2.. The GNOME "Update Applet 2.28.0" (and the KDE equivalent) can only install the suggested updates (or not, if access to the cosing is given to that) so the risk is lower.
2.3. But by default you cannot tell the updater to save the root password.

Reproducible: Always

Steps to Reproduce:
1. Wait for an suggested automatic update.
2. Click on the red star with "!"
3. Click on "install updates"
Actual Results:
The Update Applet asks for the root password every time.

Expected Results:
To the user the choice/alternative the choice should be given to save the root password for the Update Applet (so it is not needed in the next case).

http://www.novell.com/documentation/opensuse111/opensuse111_security/data/sec_policykit_types.html#sec_policykit_policies_implicit
http://www.novell.com/documentation/opensuse111/opensuse111_security/?page=/documentation/opensuse111/opensuse111_security/data/sec_policykit_change.html
http://hal.freedesktop.org/docs/PolicyKit/

Comment 1 Ludwig Nussel 2010-05-03 07:19:18 UTC

polkit1 unfortunately dropped the option to remember the authorization. You need to complain to upstream to change that.

You can change the setting to not ask for the root password on your local machine in /etc/polkit-default-privs.local

Comment 2 Martin Seidler 2010-05-03 08:27:50 UTC

(In reply to comment #1)
> polkit1 unfortunately dropped the option to remember the authorization. You
> need to complain to upstream to change that.
> 
> You can change the setting to not ask for the root password on your local
> machine in /etc/polkit-default-privs.local
Thanks Ludwig for your answer.

But unfortunately I have not understood all:
 
1. Where to complain? Upstream?
http://en.opensuse.org/Build_Service/Upstream_Integration
http://en.opensuse.org/Updater_Applet
http://en.opensuse.org/GNOME_Updater_Applet

2. ???
Add in /etc/polkit-default-privs.local:
"org.freedesktop.updater_applet                  auth_admin_keep_always:yes:yes"
OR
"org.gnome.packagekit auth_admin_keep_always:yes:yes"
???
And what is with KDE?

3. What is about the documentation via the connected help files which fit not to the openSuSE version?

Greetings
Martin

Comment 3 Eric Schirra 2010-07-27 16:42:09 UTC

Bug is not resolved!
The same is in openSUSE 11.3 Final. 64bit and 32bit

Comment 4 Martin Seidler 2010-07-27 19:05:02 UTC

Seems to be connected to https://bugzilla.novell.com/show_bug.cgi?id=619523
#619523  Can't change Actions policy via System Settings

See also:
http://lists.opensuse.org/opensuse-de/2010-07/msg01023.html
http://forums.opensuse.org/english/get-help-here/applications/438054-update-applet-su-root-password-always-needed-gnome.html

Should the "Product" be changed to the latest version with the bug (11.3) as E.S. is referring to that version?

Why is "Depends on:" empty? Should this not be "polkit-1" or "Policy Kit version since 0.9x (0.92 ?)".

And what is the purpose in using the new Policy Kit versions at all for the Update Applet - are the old versions not still included and could still be used?

Comment 5 Christian Trippe 2012-03-24 21:24:42 UTC

AFAIK polkit still does not allow to remember the root password. For openSUSE 12.1 at least the UI was removed which suggested this should work, see bug 680586.

So this bug is probably best treated as WONTFIX.