Bug 10522

Summary: urpmi.update can be used by regular users despite draksec setting for root
Product: Mageia
Reporter: claire robinson <eeeemail>
Component: RPM Packages
Assignee: Mageia Bug Squad <bugsquad>
Status: RESOLVED OLD
QA Contact:
Severity: normal
Priority: Normal
CC: ennael1, mageia, mageia, sharpzq4300, thierry.vignaud
Version: 3   
Target Milestone: ---   
Hardware: i586   
OS: Linux   
Whiteboard: MGA2TOO
Source RPM: urpmi CVE:
Status comment:

Description claire robinson 2013-06-13 18:02:56 CEST
Noticed by ca-on-adam whilst learning QA. Tested and found to affect mga2 and mga3.

urpmi.update can be issued by a regular non-root user

e.g.:

$ urpmi.update --no-ignore "Core Updates Testing"
$ urpmq --list-media active
Core Release
Core Updates
Core Updates Testing
Nonfree Release
Nonfree Updates
Tainted Release
Tainted Updates
Core 32bit Release
Core 32bit Updates
Nonfree 32bit Release
Nonfree 32bit Updates
Tainted 32bit Release
Tainted 32bit Updates

$ urpmi.update --ignore "Core Updates Testing"
$ urpmq --list-media active
Core Release
Core Updates
Nonfree Release
Nonfree Updates
Tainted Release
Tainted Updates
Core 32bit Release
Core 32bit Updates
Nonfree 32bit Release
Nonfree 32bit Updates
Tainted 32bit Release
Tainted 32bit Updates

Potentially..
$ urpmi.update --ignore "Core Updates"
or worse.


The settings in draksec are as default:

Software Management    : Root
Mageia Update          : User
Software Media Manager : Root

claire robinson 2013-06-13 18:03:12 CEST

Whiteboard: (none) => MGA2TOO

claire robinson 2013-06-13 18:03:44 CEST

CC: (none) => ennael1, mageia, mageia, thierry.vignaud

Adam H 2013-06-13 20:45:03 CEST

CC: (none) => sharpzq4300

Comment 1 Adam H 2013-06-13 23:18:30 CEST
Not sure how relevant this is, but when the Desktop is logged-out, and a user accesses through sshd, the behaviour changes. One cannot make changes, and gets the message:

-
[user@localhost ~]$ urpmi.update -a
The password you typed is invalid.
Please try again.
-

No opportunity to type a password is ever presented.
Comment 2 Colin Guthrie 2013-06-14 01:31:55 CEST
I think it's deliberate that it can be run as a regular user as it uses consolehelper which ultimately ties the config to /etc/pam.d/urpmi.update file which has:

#%PAM-1.0
auth       sufficient   pam_rootok.so
auth       required     pam_console.so
account    required     pam_permit.so
session    optional     pam_xauth.so

The lack of an "auth include system-auth" here means it just lets the user run it. I think it's intended that this works as mgaapplet runs it and it needs to update the media without bothering the user for passwords all the time.

That said when the --ignore and --no-ignore options were added, this may not have been fully appreciated.


Looking at other consolehelper tools and their pam configs:

[colin@jimmy ~]$ for tool in $(ls -l /usr/bin | grep "> .*consolehelper\*$" | awk '{ print tolower($9) }'); do grep -Hc system-auth /etc/pam.d/$tool; done
/etc/pam.d/drak3d:1
/etc/pam.d/drakauth:1
/etc/pam.d/drakboot:1
/etc/pam.d/drakclock:0
/etc/pam.d/drakconnect:1
/etc/pam.d/drakfont:1
/etc/pam.d/drakgw:1
/etc/pam.d/drakhosts:1
/etc/pam.d/drakkeyboard:0
/etc/pam.d/draklog:1
/etc/pam.d/drakmouse:0
/etc/pam.d/draknetcenter:0
/etc/pam.d/draknetprofile:1
/etc/pam.d/drakproxy:1
/etc/pam.d/drakroam:1
/etc/pam.d/drakrpm-edit-media:1
/etc/pam.d/drakups:1
/etc/pam.d/drakvpn:1
/etc/pam.d/drakxservices:1
/etc/pam.d/gnome-system-log:3
grep: /etc/pam.d/gurpmi2: No such file or directory
/etc/pam.d/hddtemp:0
grep: /etc/pam.d/hp-setup: No such file or directory
/etc/pam.d/mageiaupdate:1
grep: /etc/pam.d/mgaapplet-config: No such file or directory
grep: /etc/pam.d/mgaapplet-upgrade-helper: No such file or directory
/etc/pam.d/rfkill:0
/etc/pam.d/rpmdrake:1
grep: /etc/pam.d/shutdown: No such file or directory
/etc/pam.d/system-config-printer:0
grep: /etc/pam.d/unetbootin: No such file or directory
/etc/pam.d/urpmi.update:0
/etc/pam.d/userdrake:1
/etc/pam.d/xfdrake:1


Most look OK to me (not sure about shutdown... it's not owned by any package and shouldn't be using consolehelper these days... might be left over on my machine; will have to check one of my VMs).

I guess we just need to move the --ignore/--not-ignore options to a different tool?

@Thierry, wdyt?
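As an added example (not part of the bug report or of the urpmi/consolehelper packages), the check below automates the audit Colin ran by hand: it walks a pam.d directory and lists every service whose auth stack never includes or substacks system-auth, which is exactly the condition that lets a console user run the wrapped tool without a password. The two sample service files are constructed here to mirror the weak urpmi.update config quoted above and a hardened drak*-style config; nothing is read from the real /etc/pam.d, and the directory is created with mktemp and removed on exit.

```shell
#!/bin/sh
# Added example, not from the bug report: audit a pam.d tree for
# consolehelper-style services that never require system-auth.
# The sample tree is constructed below so the script runs offline.

SAMPLE_PAMD=$(mktemp -d)
trap 'rm -rf "$SAMPLE_PAMD"' EXIT

# Weak: pam_rootok + pam_console only, so any console-owning user passes "auth"
# (this is the /etc/pam.d/urpmi.update content quoted in the bug).
cat > "$SAMPLE_PAMD/urpmi.update" <<'EOF'
#%PAM-1.0
auth       sufficient   pam_rootok.so
auth       required     pam_console.so
account    required     pam_permit.so
session    optional     pam_xauth.so
EOF

# Hardened: root still passes via pam_rootok, everyone else has to satisfy
# system-auth (a password prompt). Constructed to resemble the drak* files
# that the grep loop reported as ":1"; not the real package file.
cat > "$SAMPLE_PAMD/drakrpm-edit-media" <<'EOF'
#%PAM-1.0
auth       sufficient   pam_rootok.so
auth       include      system-auth
account    required     pam_permit.so
session    optional     pam_xauth.so
EOF

# Print (sorted, one per line) the services in directory $1 whose auth stack
# has no "auth include system-auth" / "auth substack system-auth" line.
# Comment lines are skipped so a commented-out include does not count.
pam_missing_sysauth() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if ! grep -Ev '^[[:space:]]*#' "$f" \
             | grep -Eq '^[[:space:]]*auth[[:space:]]+(include|substack)[[:space:]]+system-auth'; then
            basename "$f"
        fi
    done | sort
}

# Number of weak services, as a single integer (convenient for a monitoring check).
pam_weak_count() {
    pam_missing_sysauth "$1" | grep -c .
}

# Stand-alone run: only the urpmi.update sample is reported.
pam_missing_sysauth "$SAMPLE_PAMD"
```

On a real system the same function can be pointed at /etc/pam.d, with the candidate list narrowed to the symlinks into consolehelper that Colin's loop enumerated; a service that shows up in the output but is expected to need a password is the one to fix by adding the system-auth include.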
Comment 3 Marja Van Waes 2015-03-31 16:02:29 CEST
Mageia 3 changed to end-of-life (EOL) status 4 months ago.
http://blog.mageia.org/en/2014/11/26/lets-say-goodbye-to-mageia-3/ 

Mageia 3 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of Mageia
please feel free to click on "Version" change it against that version of Mageia
and reopen this bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

--
The Mageia Bugsquad

Status: NEW => RESOLVED
Resolution: (none) => OLD