ksmarttray and updates
Stephen Boddy
stephen.boddy at btinternet.com
Thu Aug 10 09:08:14 PDT 2006

On Thursday 10 August 2006 15:34, Andreas Hanke wrote:
> Hi,
>
> Randy Smith wrote:
> > (1) should be able to happen automatically if user is running ksmarttray
> > (2) should require root access
> >
> >
> > if running smart-update suid root enables (1) while still requiring the
> > root pw for (2), then I don't see that as a problem.
>
> That's exactly what happens if smart-update is suid root: It allows (1)
> by running "smart update" followed by "smart upgrade --check-update" as
> root, but (2) still requires the root password (this distinguishes smart
> from the stupid zen-updater).

This is what I did and why I did it. Believe me when I say I have examined all
the source code involved, and checked that I haven't compromised system
security.

Having said that, I am the sole user in my own private NAT'd network, meaning
that, even if it somehow did (2) without needing root password, as long as
the smart-update is not deliberately malicious, there is no risk with having
the smart-update binary as setuid. This is because it achieves nothing that
I, as the sole user, wouldn't do by entering root password for ksmarttray
every time I log in. If it was a multi-user system and it did (2) without
root password, then yes, it's a huge hole. However this is all moot, because
with smart-update setuid, it works as required. The only reason not to set
smart-update setuid is if a) you don't trust the smart packages, in which
case you really shouldn't be using them to update your system, or b) you
don't want regular users to be able to update the channel information, or be
able to see that there are new updates. In that case just don't allow them to
run ksmarttray and smart-update. For my use case (as close to YaST of old)
the setuid smart-update is a perfect setup.

On a side note, Andreas, I recall Zen requiring root password to authorize a
user to have the capability to update a system. So it's not totally
brain-dead, but it does mean the system can subsequently be updated by that
user without root password, and I'm not sure if there is some way to remove
that right. I do prefer requiring root password each time the system packages
are upgraded.

Christoph, it'd be nice if smart-update could be setuid, and remove the "Run
as root" of ksmarttray in the suse packages. However, it's not a big deal if
you have concerns and decide not to. I just think it makes it much more
YaST-like in its operation. While I'm not some security god, from my reading of
the source, it is just a simple wrapper around standard smart functionality,
and only gives the ability to do a very specific thing (update the channel
info) without giving any other ability.

Regards
--
Steve Boddy
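
Added example, not part of the original message and not the smart project's own smart-update source: the pattern discussed in this thread, written in C, a setuid wrapper that can run only "smart update" followed by "smart upgrade --check-update" and forwards nothing from the caller. The /usr/bin/smart path, the helper names and the contents of the clean environment are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define SMART_BIN "/usr/bin/smart" /* assumed install path of the smart CLI */

/* Fixed command lines and environment: nothing from the caller is forwarded,
 * so LD_PRELOAD, PYTHONPATH, IFS and the caller's PATH never reach root. */
static char *const UPDATE_ARGV[] = { "smart", "update", NULL };
static char *const CHECK_ARGV[] = { "smart", "upgrade", "--check-update", NULL };
static char *const CLEAN_ENV[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };

/* 1 only if path is a regular root-owned file not writable by group/other. */
int target_is_trusted(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode)) return 0;
    return st.st_uid == 0 && !(st.st_mode & (S_IWGRP | S_IWOTH));
}

/* 0 = proceed, 2 = caller passed arguments, 1 = target cannot be trusted. */
int preflight(int argc, const char *target) {
    if (argc > 1) return 2;
    return target_is_trusted(target) ? 0 : 1;
}

/* Run one fixed command as a child and return its exit status (-1 on error). */
static int run_fixed(char *const argv[]) {
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(SMART_BIN, argv, CLEAN_ENV);
        _exit(127); /* only reached if execve failed */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv) {
    (void)argv;
    int rc = preflight(argc, SMART_BIN);
    if (rc != 0) { fprintf(stderr, "smart-update: refused (%d)\n", rc); return rc; }
    /* Fails unless installed setuid root; makes real uid match effective uid. */
    if (setuid(0) != 0) { perror("setuid"); return 1; }
    rc = run_fixed(UPDATE_ARGV);
    return rc != 0 ? rc : run_fixed(CHECK_ARGV);
}
```

When auditing a wrapper of this kind, the things to confirm are the ones the code makes explicit: no caller-controlled argument or environment variable reaches the privileged command, and the command it executes cannot be replaced by a non-root user.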