Ubuntu
aptdaemon package

update-manager does not obey require-password policy

Bug #1591672 reported by doekia on 2016-06-12

258

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	aptdaemon (Ubuntu)	Expired	Undecided	Unassigned

Bug Description

In order to enforce password check prior an update to occur, policy file was installed.

/var/lib/polkit-1/localauthority/50-local.d/require-password-to-update.pkla
[Require password to upgrade already installed software]
Identity=unix-group:admin
Action=org.debian.apt.upgrade-packages
ResultActive=auth_admin

Up to a recent update this was working as expected. No anymore.

What happens
------------
Updates are performed without requesting administrative password

Expected result
---------------
update-manager to request administrative password prior performing the update

System info
-----------
# lsb_release -rd
Description: Ubuntu 16.04 LTS
Release: 16.04

# dpkg -l | grep update-manager
ii python3-update-manager 1:16.04.3 all python 3.x module for update-manager
ii update-manager 1:16.04.3 all GNOME application that manages apt updates
ii update-manager-core 1:16.04.3 all manage release upgrades
# dpkg -l | grep policy
ii libnuma1:amd64 2.0.11-1ubuntu1 amd64 Libraries for controlling NUMA policy
ii libsemanage-common 2.3-1build3 all Common files for SELinux policy management libraries
ii libsemanage1:amd64 2.3-1build3 amd64 SELinux policy management library
ii plainbox-secure-policy 0.25-1 all policykit policy required to use plainbox (secure version)
ii policykit-1 0.105-14.1 amd64 framework for managing administrative policies and privileges
ii policykit-1-gnome 0.105-2ubuntu2 amd64 GNOME authentication agent for PolicyKit-1
ii policykit-desktop-privileges 0.20 all run common desktop actions without password

# apt-cache policy update-manager
update-manager:
  Installed: 1:16.04.3
  Candidate: 1:16.04.3
  Version table:
*** 1:16.04.3 500
        500 http://fr.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
        500 http://fr.archive.ubuntu.com/ubuntu xenial/main i386 Packages
        100 /var/lib/dpkg/status

# find /var/lib/polkit-1/localauthority
/var/lib/polkit-1/localauthority
/var/lib/polkit-1/localauthority/50-local.d
/var/lib/polkit-1/localauthority/50-local.d/require-password-to-update.pkla
/var/lib/polkit-1/localauthority/90-mandatory.d
/var/lib/polkit-1/localauthority/20-org.d
/var/lib/polkit-1/localauthority/10-vendor.d
/var/lib/polkit-1/localauthority/10-vendor.d/org.freedesktop.NetworkManager.pkla
/var/lib/polkit-1/localauthority/10-vendor.d/fwupd.pkla
/var/lib/polkit-1/localauthority/10-vendor.d/com.canonical.unity.webapps.pkla
/var/lib/polkit-1/localauthority/10-vendor.d/50-com.canonical.indicator.sound.AccountsService.pkla
/var/lib/polkit-1/localauthority/10-vendor.d/unity-greeter.pkla
/var/lib/polkit-1/localauthority/10-vendor.d/com.ubuntu.desktop.pkla
/var/lib/polkit-1/localauthority/30-site.d

Tags:

doekia (doekia) on 2016-06-12

tags:

added: dist-upgrade

Seth Arnold (seth-arnold) on 2016-06-13

information type:

Private Security → Public Security

Marc Deslauriers (mdeslaur) on 2017-08-18

no longer affects:

policykit-1 (Ubuntu)