ksmarttray and updates

Stephen Boddy stephen.boddy at btinternet.com
Thu Aug 10 09:08:14 PDT 2006


On Thursday 10 August 2006 15:34, Andreas Hanke wrote:
> Hi,
>
> Randy Smith schrieb:
> > (1) should be able to happen automatically if user is running ksmarttray
> > (2) should require root access
> >
> >
> > if running smart-update suid root enables (1) while still requiring the
> > root pw for (2), then I don't see that as a problem.
>
> That's exactly what happens if smart-update is suid root: It allows (1)
> by running "smart update" followed by "smart upgrade --check-update" as
> root, but (2) still requires the root password (this distinguishes smart
> from the stupid zen-updater).

This is what I did and why I did it. Believe me when I say I have examined all 
the source code involved, and checked that I haven't compromised system 
security.

Having said that, I am the sole user in my own private NAT'd network, meaning 
that, even if it somehow did (2) without needing root password, as long as 
the smart-update is not deliberately malicious, there is no risk with having 
the smart-update binary as setuid. This is because it achieves nothing that 
I, as the sole user, wouldn't do by entering root password for ksmarttray 
every time I log in. If it was a multi-user system and it did (2) without 
root password, then yes, it's a huge hole. However this is all moot, because 
with smart-update setuid, it works as required. The only reason not to set 
smart-update setuid is if a) you don't trust the smart packages, in which 
case you really shouldn't be using them to update your system, or b) you 
don't want regular users to be able to update the channel information, or be 
able to see that there are new updates. In that case just don't allow them to 
run ksmarttray and smart-update. For my use case (as close to YaST of old) 
the setuid smart-update is a perfect setup.

On a side note, Andreas, I recall Zen requiring root password to authorize a 
user to have the capability to update a system. So it's not totally 
brain-dead, but it does mean the system can subsequently be updated by that 
user without root password, and I'm not sure if there is some way to remove 
that right. I do prefer requiring root password each time the system packages 
are upgraded.

Christoph, it'd be nice if smart-update could be setuid, and remove the "Run 
as root" of ksmarttray in the suse packages. However, it's not a big deal if 
you have concerns and decide not to. I just think it makes it much more 
YaST-like in its operation. While I'm not some security god, from my reading of 
the source, it is just a simple wrapper around standard smart functionality, 
and only gives the ability to do a very specific thing (update the channel 
info) without giving any other ability.

Regards
-- 
Steve Boddy
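
The property discussed in this message, a setuid helper that can run only the two fixed commands named in the thread and nothing else, written out as an added example. It is not smart-update's actual source and not code from this thread; the /usr/bin/smart path, the PATH value and the function names are assumptions.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define SMART "/usr/bin/smart"   /* assumed install path */

/* The only two commands the wrapper may run; both are named in the thread. */
static char *const STEP_UPDATE[] = { SMART, "update", NULL };
static char *const STEP_CHECK[]  = { SMART, "upgrade", "--check-update", NULL };

/* Environment handed to the child: nothing is inherited from the caller. */
static char *const CLEAN_ENV[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };

/* Accept only a bare invocation, so the caller cannot inject options. */
int invocation_ok(int argc) { return argc == 1; }

/* Run one fixed step; return its exit status, or -1 on fork/wait failure. */
int run_step(char *const step[], char *const env[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(step[0], step, env);   /* absolute path, no PATH search */
        _exit(127);                   /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    (void)argv;                       /* caller-supplied arguments are never used */
    if (!invocation_ok(argc)) {
        fputs("usage: wrapper (takes no arguments)\n", stderr);
        return 2;
    }
    /* Set real ids too, so the child does not run with mixed real/effective ids. */
    if (setgid(0) != 0 || setuid(0) != 0) {
        perror("setuid");
        return 1;
    }
    if (run_step(STEP_UPDATE, CLEAN_ENV) != 0) return 1;
    return run_step(STEP_CHECK, CLEAN_ENV);
}
```

When reviewing a wrapper of this kind, the points to confirm are the ones the code makes explicit: no use of argv, no inherited environment, absolute program paths, and a fixed command list.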


