Update manager now requires two authentications

Reported by Jon Charge on 2009-10-11
This bug affects 6 people
Affects Status Importance Assigned to Milestone
aptdaemon (Ubuntu)
Undecided
Unassigned

Bug Description

Binary package hint: update-manager

What happens:

Root password is required to "query the software repositories". Updating the cache.

Root password is required to "install updates".

What should happen:

Root password should not be required to query and update.

Principle of least privilege.

Thank you for your consideration, and this is for karmic.

ProblemType: Bug
Architecture: i386
Date: Sun Oct 11 09:58:13 2009
DistroRelease: Ubuntu 9.10
ExecutablePath: /usr/bin/update-manager
InterpreterPath: /usr/bin/python2.6
NonfreeKernelModules: nvidia
Package: update-manager 1:0.126
PackageArchitecture: all
ProcEnviron:
 LANG=en_US.UTF-8
 SHELL=/bin/bash
ProcVersionSignature: Ubuntu 2.6.31-11.38-generic
SourcePackage: update-manager
Uname: Linux 2.6.31-11-generic i686

Jon Charge (seropith) wrote :
Kåre Birger Lapstuen (lapstue) wrote :

Confirming the bug, as I've experienced this myself.

Changed in update-manager (Ubuntu):
status: New → Confirmed
pablomme (pablomme) wrote :

I can confirm this on two different installations of karmic, and it has been happening for a few days.

I've also noticed that the PolicyKit action list (System > Administration > Authorisations) only contains org.freedesktop.policykit and com.ubuntu.checkbox -- shouldn't update-manager (and a bunch of other stuff) appear there as well?

pablomme (pablomme) on 2009-10-12
affects: update-manager (Ubuntu) → aptdaemon (Ubuntu)
pablomme (pablomme) wrote :

The problem seems to be that action "org.debian.apt.update-cache", contained in file /usr/share/polkit-1/actions/org.debian.apt.policy, now has all the "allow"s set to "auth_admin[_keep]" instead of "yes". Changing these by hand brings back passwordless checking of repositories. This .policy file is provided by package aptdaemon.

I'm still wondering, though -- shouldn't polkit-gnome-authorization display all the entries in /usr/share/polkit-1/actions in addition to the ones in /usr/share/PolicyKit/policy?

pablomme (pablomme) wrote :

Bug #448192 addresses the polkit-gnome-authorization issue.

Sebastian Heinlein (glatzor) wrote :

Actually the default policy allows every user who sits in front of the computer to update the package cache. Do you run from a VNC/remote session?

Aptdaemon uses PolicyKit-1. AFAIK there isn't yet any graphical admin client for PolicyKit-1.

Rocko (rockorequin) wrote :

I get this bug too and I'm definitely not running from a VNC or remote session.

pablomme (pablomme) wrote :

> Actually the default policy allows every user who sits in front of the computer to
> update the package cache. Do you run from a VNC/remote session?

Nope. The relevant bit of /usr/share/polkit-1/actions/org.debian.apt.policy, as installed by aptdaemon, is:

  <action id="org.debian.apt.update-cache">
    <description>Update package information</description>
    <message>Authentication is required to query the software repositories for installable packages</message>
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>

The above matches the behaviour we have been seeing. Changing "auth_admin" and "auth_admin_keep" to "yes" works as expected, removing the need to authenticate.

Nicolò Chieffo (yelo3) wrote :

Is there a way to only allow a specified user?

Nicolò Chieffo (yelo3) wrote :

(or a specific group?)

Jon Charge (seropith) wrote :

I'm running a normal desktop session. Nothing remote or abnormal.

pablomme (pablomme) wrote :

@Nicolò:

Create a file /var/lib/polkit-1/localauthority/50-local.d/localhost.pkla (as root) with the following contents:

[Allow myself updating packages]
Identity=unix-user:<user-name>
Action=org.debian.apt.update-cache
ResultAny=no
ResultInactive=no
ResultActive=yes

You can also replace 'unix-user:<user-name>' with 'unix-group:<group-name>'. A semicolon-separated list is also allowed. You can of course set all three 'Result*' to 'yes' if you wish. And the title "Allow myself ..." is also entirely arbitrary. See more in 'man 8 pklocalauthority'. Type 'pkaction' for a list of other actions you can tweak the authorisation requirements for.
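How the packaged defaults and a local override combine, as an added example that is not part of the original comment or of polkit itself. It is a simplified model: one .pkla file, entries applied in file order with the last match winning, and the user name "alice" is a hypothetical stand-in for <user-name>.

```python
import configparser
import fnmatch
import xml.etree.ElementTree as ET

# Constructed inputs: the action quoted earlier in the thread and the override
# from the comment above, with the hypothetical user "alice".
POLICY_XML = """<policyconfig>
  <action id="org.debian.apt.update-cache">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
</policyconfig>"""

PKLA = """[Allow myself updating packages]
Identity=unix-user:alice
Action=org.debian.apt.update-cache
ResultAny=no
ResultInactive=no
ResultActive=yes
"""

def implicit_default(policy_xml, action_id, session):
    """Packaged default for one action; session is 'any', 'inactive' or 'active'."""
    for action in ET.fromstring(policy_xml).iter("action"):
        if action.get("id") == action_id:
            value = action.findtext("defaults/allow_" + session)
            return value.strip() if value else None
    return None

def effective_result(policy_xml, pkla_text, action_id, identities, session):
    """Overlay matching .pkla entries on the packaged default (last match wins)."""
    result = implicit_default(policy_xml, action_id, session)
    cp = configparser.RawConfigParser(delimiters=("=",))
    cp.optionxform = str  # .pkla keys are case-sensitive; keep them as written
    cp.read_string(pkla_text)
    for section in cp.sections():
        entry = cp[section]
        ids = [p for p in entry.get("Identity", "").split(";") if p]
        acts = [p for p in entry.get("Action", "").split(";") if p]
        if (any(fnmatch.fnmatchcase(i, p) for i in identities for p in ids)
                and any(fnmatch.fnmatchcase(action_id, p) for p in acts)):
            result = entry.get("Result" + session.capitalize(), result)
    return result
```

Passing a list such as `["unix-user:alice", "unix-group:admin"]` as `identities` lets the same function check a 'unix-group:<group-name>' entry.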

Sebastian Heinlein (glatzor) wrote :

Sorry, the default policy was changed by/in Ubuntu. You are correct about this issue.

pablomme (pablomme) wrote :

@Sebastian: was the policy change intended, then?

pablomme (pablomme) wrote :

Hmm.. The latest update-manager 1:0.126.2 seems to have reverted to using gksudo for authentication - and possibly not using aptdaemon (!?). Can anyone confirm this, or did I mess something up badly? If this is correct, this bug would be resolved (not in the way I would have expected, though).

Sebastian Heinlein (glatzor) wrote :

Right. Update-manager now uses the synaptic backend again since we don't think that aptdaemon can provide the same stability now. But as it will improve, things may change in the next release of Ubuntu.

The policy change was intended since it is now possible to set the HttpProxy for a cache update. This would result in a leak of usernames and passwords in the sources url, e.g. "deb http://joe:<email address hidden>/ubuntu karmic main".
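The exposure described above depends on credentials being embedded in a sources URL. An added audit sketch, not part of the original comment or of aptdaemon, that finds such entries in sources.list-style text and redacts them before the lines are logged or shown; the sample lines, host names and the PLACEHOLDER password are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample in one-line sources.list format.
SOURCES = """\
deb http://archive.ubuntu.com/ubuntu karmic main restricted
# deb http://old:secret@mirror.example/ubuntu karmic main
deb [arch=i386] http://joe:PLACEHOLDER@repo.example/ubuntu karmic main
deb-src http://joe@repo.example/ubuntu karmic main
"""

def credentialed_sources(text):
    """Return (line_no, redacted_line, has_password) for active entries
    whose URI carries a user name or password."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments
        if not fields or fields[0] not in ("deb", "deb-src"):
            continue
        idx = 1
        # Skip an optional [option=value ...] block, which may span fields.
        if idx < len(fields) and fields[idx].startswith("["):
            while idx < len(fields) and not fields[idx].endswith("]"):
                idx += 1
            idx += 1
        if idx >= len(fields):
            continue
        parts = urlsplit(fields[idx])
        if parts.username is None:
            continue
        host = parts.hostname + (f":{parts.port}" if parts.port else "")
        fields[idx] = parts._replace(netloc="REDACTED@" + host).geturl()
        findings.append((no, " ".join(fields), parts.password is not None))
    return findings
```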

pablomme (pablomme) wrote :

I see. I'll mark the bug as fixed, then.

Changed in aptdaemon (Ubuntu):
status: Confirmed → Fix Released
Guria (guria) wrote :

In Maverick, Update Manager asks for the password twice: on check and on install updates.
