Noticed by ca-on-adam whilst learning QA. Tested and found to affect mga2 and mga3.

urpmi.update can be issued by a regular non-root user, e.g.:

$ urpmi.update --no-ignore "Core Updates Testing"
$ urpmq --list-media active
Core Release
Core Updates
Core Updates Testing
Nonfree Release
Nonfree Updates
Tainted Release
Tainted Updates
Core 32bit Release
Core 32bit Updates
Nonfree 32bit Release
Nonfree 32bit Updates
Tainted 32bit Release
Tainted 32bit Updates

$ urpmi.update --ignore "Core Updates Testing"
$ urpmq --list-media active
Core Release
Core Updates
Nonfree Release
Nonfree Updates
Tainted Release
Tainted Updates
Core 32bit Release
Core 32bit Updates
Nonfree 32bit Release
Nonfree 32bit Updates
Tainted 32bit Release
Tainted 32bit Updates

Potentially..

$ urpmi.update --ignore "Core Updates"

or worse.

The settings in draksec are as default:

Software Management : Root
Mageia Update : User
Software Media Manager : Root

Reproducible:

Steps to Reproduce:
Whiteboard: (none) => MGA2TOO
CC: (none) => ennael1, mageia, mageia, thierry.vignaud
CC: (none) => sharpzq4300
Not sure how relevant this is, but when the Desktop is logged-out, and a user accesses through sshd, the behaviour changes. One cannot make changes, and gets the message:

[user@localhost ~]$ urpmi.update -a
The password you typed is invalid.
Please try again.

No opportunity to type a password is ever presented.
I think it's deliberate that it can be run as a regular user as it uses consolehelper which ultimately ties the config to /etc/pam.d/urpmi.update file which has:

#%PAM-1.0
auth       sufficient   pam_rootok.so
auth       required     pam_console.so
account    required     pam_permit.so
session    optional     pam_xauth.so

The lack of a "auth include system-auth" here means it just lets the user run it.

I think it's intended that this works as mgaapplet runs it and it needs to update the media without bothering the user for passwords all the time.

That said when the --ignore and --no-ignore options were added, this may not have been fully appreciated.

Looking at other consolehelper tools and their pam configs:

[colin@jimmy ~]$ for tool in $(ls -l /usr/bin | grep "> .*consolehelper\*$" | awk '{ print tolower($9) }'); do grep -Hc system-auth /etc/pam.d/$tool; done
/etc/pam.d/drak3d:1
/etc/pam.d/drakauth:1
/etc/pam.d/drakboot:1
/etc/pam.d/drakclock:0
/etc/pam.d/drakconnect:1
/etc/pam.d/drakfont:1
/etc/pam.d/drakgw:1
/etc/pam.d/drakhosts:1
/etc/pam.d/drakkeyboard:0
/etc/pam.d/draklog:1
/etc/pam.d/drakmouse:0
/etc/pam.d/draknetcenter:0
/etc/pam.d/draknetprofile:1
/etc/pam.d/drakproxy:1
/etc/pam.d/drakroam:1
/etc/pam.d/drakrpm-edit-media:1
/etc/pam.d/drakups:1
/etc/pam.d/drakvpn:1
/etc/pam.d/drakxservices:1
/etc/pam.d/gnome-system-log:3
grep: /etc/pam.d/gurpmi2: No such file or directory
/etc/pam.d/hddtemp:0
grep: /etc/pam.d/hp-setup: No such file or directory
/etc/pam.d/mageiaupdate:1
grep: /etc/pam.d/mgaapplet-config: No such file or directory
grep: /etc/pam.d/mgaapplet-upgrade-helper: No such file or directory
/etc/pam.d/rfkill:0
/etc/pam.d/rpmdrake:1
grep: /etc/pam.d/shutdown: No such file or directory
/etc/pam.d/system-config-printer:0
grep: /etc/pam.d/unetbootin: No such file or directory
/etc/pam.d/urpmi.update:0
/etc/pam.d/userdrake:1
/etc/pam.d/xfdrake:1

Most look OK to me (not sure about shutdown... it's not owned by any package and shouldn't be using consolehelper these days... might be left over on my machine, will have to check one of my VMs).

I guess we just need to move the --ignore/--not-ignore options to a different tool?

@Thierry, wdyt?
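
A stricter form of the audit loop in the comment above, as an added example that is not part of the original thread: it looks only at the auth stack of each consolehelper-linked tool, so a system-auth reference on an account or session line is not counted. The function names, the verdict strings and the two example-* service files are hypothetical; the urpmi.update stack in the fixture is the one quoted above.

```shell
#!/bin/sh
# audit_consolehelper BIN_DIR PAM_DIR
# For every symlink to consolehelper in BIN_DIR, report whether the auth
# stack of the matching PAM service file pulls in system-auth.
audit_consolehelper() {
    bin_dir=$1; pam_dir=$2
    for link in "$bin_dir"/*; do
        [ -L "$link" ] || continue
        case $(readlink "$link") in
            consolehelper|*/consolehelper) ;;
            *) continue ;;
        esac
        # Service name lower-cased, as in the loop quoted above.
        tool=$(basename "$link" | tr '[:upper:]' '[:lower:]')
        if [ ! -f "$pam_dir/$tool" ]; then
            echo "$tool no-pam-file"
        elif awk '{ sub(/#.*/, "") }   # drop comments such as the PAM-1.0 header
                  ($1 == "auth" || $1 == "-auth") &&
                  ($2 == "include" || $2 == "substack") &&
                  $3 == "system-auth" { found = 1 }
                  END { exit !found }' "$pam_dir/$tool"; then
            echo "$tool system-auth"
        else
            echo "$tool no-system-auth"
        fi
    done
}

# Constructed fixture for trying the function offline. The example-gui and
# example-acct files are made-up samples, not real Mageia PAM files.
make_fixture() {
    mkdir -p "$1/bin" "$1/pam.d"
    for t in urpmi.update example-gui example-acct gurpmi2; do
        ln -sf consolehelper "$1/bin/$t"
    done
    printf '%s\n' '#%PAM-1.0' 'auth sufficient pam_rootok.so' \
        'auth required pam_console.so' 'account required pam_permit.so' \
        'session optional pam_xauth.so' > "$1/pam.d/urpmi.update"
    printf '%s\n' '#%PAM-1.0' 'auth include system-auth' \
        'account required pam_permit.so' > "$1/pam.d/example-gui"
    printf '%s\n' 'auth required pam_console.so' \
        'account include system-auth' > "$1/pam.d/example-acct"
}

# Stand-alone use: sh audit.sh /usr/bin /etc/pam.d
if [ "$#" -eq 2 ]; then audit_consolehelper "$1" "$2"; fi
```

Tools reported as no-system-auth are the ones to review by hand, since their PAM auth stack does not include system-auth.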
Mageia 3 changed to end-of-life (EOL) status 4 months ago. http://blog.mageia.org/en/2014/11/26/lets-say-goodbye-to-mageia-3/ Mageia 3 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Mageia please feel free to click on "Version" change it against that version of Mageia and reopen this bug. Thank you for reporting this bug and we are sorry it could not be fixed. -- The Mageia Bugsquad
Status: NEW => RESOLVED
Resolution: (none) => OLD