ksmarttray and updates

Stephen Boddy stephen.boddy at btinternet.com
Thu Aug 10 09:33:49 PDT 2006


On Thursday 10 August 2006 17:21, Andreas Hanke wrote:
> Hi,
>
> Stephen Boddy schrieb:
> > On a side note, Andreas, I recall Zen requiring root password to
> > authorize a user to have the capability to update a system.
>
> Yes, but for the first time only. It grants that permission permanently
> and it grants more permissions by default than necessary. :(
>
> > So it's not totally
> > brain-dead, but it does mean the system can subsequently be updated by
> > that user without root password, and I'm not sure if there is some way to
> > remove that right.
>
> Only rug (the command-line tool) can be used to remove the privileges
> again.
>
> > I do prefer requiring root password each time the system packages
> > are upgraded.
>
> Me too. ;)
>
> > Christoph, it'd be nice if smart-update could be setuid, and remove the
> > "Run as root" of ksmarttray in the suse packages.
>
> You don't need to convince Christoph, you have to convince the security
> team, and this won't be easy. ;)
>
> Each setuid binary has to be audited and approved first and it has to be
> integrated into the permissions package, i.e. /etc/permissions*.
>
> Andreas Hanke

Well, with 62 lines of C, 27 of which are comments or blank, leaving just 35
lines of actual code, it shouldn't be the hardest program to audit ;-)

However, as a non-core package, I suspect it would never get the setuid just on
those grounds.
-- 
Steve Boddy


