LinuxQuestions.org
Old 01-22-2019, 12:40 PM   #1
Mario Blunk
Member
 
Registered: Dec 2008
Location: Wild Eastern Germany
Distribution: OpenSuse Tumbleweed
Posts: 131

Rep: Reputation: 21
blocking users from launching the package updater


I have an OpenSuse Tumbleweed system running, but the question may affect other distros too: Is there a way to allow launching the package updater for certain users only? I have lots of users who log in as guests with limited rights, but they all seem to be able to do the package updating.
 
Old 01-23-2019, 03:38 AM   #2
JZL240I-U
Senior Member
 
Registered: Apr 2003
Location: Germany
Distribution: openSuSE Tumbleweed-KDE, Mint 21, MX-21, Manjaro
Posts: 4,629

Rep: Reputation: Disabled
What rights, user and groups does your zypper have then?
 
Old 01-23-2019, 05:16 AM   #3
padeen
Member
 
Registered: Sep 2009
Location: Perth, W.A.
Distribution: Slackware, Debian, Gentoo, FreeBSD, OpenBSD
Posts: 208

Rep: Reputation: 41
Remove the executable right
Quote:
chmod o-x <name>
for the 'other' category on the binary(ies). You could change the group to something useful that Suse uses to indicate administration rights other than root if that is convenient.
 
Old 01-23-2019, 07:55 AM   #4
agillator
Member
 
Registered: Aug 2016
Distribution: Mint 19.1
Posts: 419

Rep: Reputation: Disabled
One caution about padeen's suggestion: check the current ownership and permissions of your package updater. It probably does not have root permissions but requires the user to have adequate permissions. Giving just any user permission to update the entire system would certainly be dangerous. So the idea of using a different existing group that has the permissions necessary and that new users are not automatically a member of or creating such a group is probably the way to go. Be sure users you do not want updating are not given sudo access. And, as padeen said, be sure the program(s) have group execution permission but not other execution (or read/write) permissions.
 
Old 01-23-2019, 10:20 AM   #5
Mario Blunk
Member
 
Registered: Dec 2008
Location: Wild Eastern Germany
Distribution: OpenSuse Tumbleweed
Posts: 131

Original Poster
Rep: Reputation: 21
Maybe I have not got things right yet. Running
Quote:
zypper update
requires root privileges. OK so far. The package updater does the same but does not require root privileges. Anyone can start it. How come?
 
Old 01-23-2019, 10:27 AM   #6
Mario Blunk
Member
 
Registered: Dec 2008
Location: Wild Eastern Germany
Distribution: OpenSuse Tumbleweed
Posts: 131

Original Poster
Rep: Reputation: 21
Quote:
Originally Posted by JZL240I-U View Post
What rights, user and groups does your zypper have then?
All the guests are in a single group named "training". That's all. They are not in users. So far I only told them not to launch the updater. However, they get the "updates available" notification and can launch the updater to the point where the new packages are listed. I did not test whether they can go beyond that point and do the actual updating.
 
Old 01-23-2019, 12:20 PM   #7
JZL240I-U
Senior Member
 
Registered: Apr 2003
Location: Germany
Distribution: openSuSE Tumbleweed-KDE, Mint 21, MX-21, Manjaro
Posts: 4,629

Rep: Reputation: Disabled
Several misunderstandings here on both sides.

When you issue in a console the command "ls -la /usr/bin/zypper" you get an output like this:
"-rwxr-xr-x 1 root root 2903712 15. Jan 21:07 /usr/bin/zypper". You can see that owner and group is "root". That is what I meant.

But.

Your problem child is not zypper at all. It is a program I kick from my box first thing. I deem it nervy and I schedule my updating myself. And I forgot its name. Sorry. You'll have to look there for permissions, owners, groups etc.

Perhaps somebody else could help out here?

Last edited by JZL240I-U; 01-23-2019 at 12:23 PM.
 
Old 01-30-2019, 08:30 AM   #8
cesarbergara
Member
 
Registered: Feb 2012
Location: Buenos Aires, Argentina
Distribution: Debian, Suse, Mandrake,
Posts: 92

Rep: Reputation: Disabled
Hi. The oldest Linux had a /opt directory, and you can install new software under it. You only need to change the install options of the package (rpm, deb, etc.) to this directory, and put a chmod 775 or 777 on it. Then all the users can install packages under this 'auxiliary' directory and not change /usr files.
Have a nice day.
 
Old 01-30-2019, 09:37 AM   #9
kilgoretrout
Senior Member
 
Registered: Oct 2003
Posts: 2,983

Rep: Reputation: 388
Quote:
Your problem child is not zypper at all. It is a program I kick from my box first thing. I deem it nervy and I schedule my updating myself. And I forgot its name. Sorry. You'll have to look there for permissions, owners, groups etc.
I agree with this, but you're not looking at traditional owner, group permissions here. The problem you're dealing with here is the auto-updater which launches in the panel at startup. I believe the execute permissions on that application are set using Linux ACLs (access control lists), not with your standard owner/group permissions. I noticed this when I restored an opensuse installation from a tar backup where the backup was made using tar without the --acls option, so ACL permissions were not preserved. The restored installation from that backup did not launch that infernal auto-updater.

Last edited by kilgoretrout; 01-30-2019 at 09:42 AM.
 
1 members found this post helpful.
Old 01-30-2019, 12:03 PM   #10
JZL240I-U
Senior Member
 
Registered: Apr 2003
Location: Germany
Distribution: openSuSE Tumbleweed-KDE, Mint 21, MX-21, Manjaro
Posts: 4,629

Rep: Reputation: Disabled
Quote:
Originally Posted by kilgoretrout View Post
... I believe the execute permissions on that application are set using linux acls( access control lists), not with your standard owner/group permissions. ...
Ooops, now that is something entirely new to me. Good, something to learn.

Now, how should one proceed utilizing the ACLs to achieve the OP's goal?
 
Old 01-31-2019, 07:35 AM   #11
kilgoretrout
Senior Member
 
Registered: Oct 2003
Posts: 2,983

Rep: Reputation: 388
Here's a good primer on linux ACLs from the Arch wiki:

https://wiki.archlinux.org/index.php..._Control_Lists

The problem is you have to find the application responsible for the auto-updater before you can set the acl permissions on it per the instructions in the above article. Once you find that file, you check the acl permissions with:
Code:
# getfacl <file>
You can then remove execute permissions for a given user on that file with:
Code:
# setfacl -m "u:<username>:r--" <file>
Unfortunately, where that executable file resides is anything but clear in the opensuse documentation. I've never been able to find it myself but I haven't looked all that hard. I don't think it's zypper since I can't update from the command line using zypper except as root so there must be some intermediary app running with root privileges that calls zypper and that's probably the one that has acl permissions set to let ordinary users run it. It's very confusing as it may depend on which DE you are using as both KDE and Gnome have their own auto-updater apps. For KDE, that app will appear in the panel system tray when active. If you right click on the system tray and select "System Tray Settings", under "General" you can untick "Software Updates" and that should stop the KDE updater from launching. However, the user can set it back if they know what they're doing. You can probably do something similar in Gnome, but I'm not familiar with that DE. That may be adequate for your purposes.

Last edited by kilgoretrout; 01-31-2019 at 07:42 AM.
 
1 members found this post helpful.
Old 01-31-2019, 09:06 AM   #12
JZL240I-U
Senior Member
 
Registered: Apr 2003
Location: Germany
Distribution: openSuSE Tumbleweed-KDE, Mint 21, MX-21, Manjaro
Posts: 4,629

Rep: Reputation: Disabled
It might be discover:

https://software.opensuse.org/package/discover

I'm not in front of my machine right now, will have a look later.
 
Old 02-01-2019, 11:31 AM   #13
JZL240I-U
Senior Member
 
Registered: Apr 2003
Location: Germany
Distribution: openSuSE Tumbleweed-KDE, Mint 21, MX-21, Manjaro
Posts: 4,629

Rep: Reputation: Disabled
Hmm. I thought I had kicked it out. It is back but doesn't disturb me the same way as you get irritated:
Code:
me@PC:~> ll /usr/bin/plasma-discover
-rwxr-xr-x 1 root root 1065968 21. Jan 16:29 /usr/bin/plasma-discover
me@PC:~>
What now?
 
Old 02-03-2019, 10:40 AM   #14
JZL240I-U
Senior Member
 
Registered: Apr 2003
Location: Germany
Distribution: openSuSE Tumbleweed-KDE, Mint 21, MX-21, Manjaro
Posts: 4,629

Rep: Reputation: Disabled
Oh, I forgot:
Code:
me@PC:~> getfacl /usr/bin/plasma-discover
getfacl: Entferne führende '/' von absoluten Pfadnamen
# file: usr/bin/plasma-discover
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

me@PC:~>
No acl-parameters if I understand this correctly.
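
Added example, not part of any post in this thread: a small shell helper that reads `getfacl` output and reports which entries end up with effective execute permission, taking the ACL mask into account, plus a check for whether any extended (named) entries exist at all. The first sample is the output posted above; the second file name and the names `guest1` and `admins` are constructed for illustration.

```shell
#!/bin/sh
# Added example: list which ACL entries in `getfacl` output carry effective execute.

# Taken from the getfacl output posted above (no extended ACL entries).
SAMPLE_PLAIN='# file: usr/bin/plasma-discover
# owner: root
# group: root
user::rwx
group::r-x
other::r-x'

# Constructed sample: hypothetical file, user and group names are assumptions.
SAMPLE_ACL='# file: usr/bin/example-updater
# owner: root
# group: root
user::rwx
user:guest1:r--
group::r-x
group:admins:r-x
mask::r-x
other::---'

# Read getfacl text on stdin; print "tag:qualifier" for each entry whose
# effective permissions include execute (the mask caps named entries and the owning group).
exec_entries() {
    awk -F: '
        /^#/ || NF < 3 || $1 == "default" { next }
        { sub(/[ \t#].*$/, "", $3) }   # strip a trailing "#effective:..." note
        $1 == "mask" { mask = $3; next }
        { tag[++n] = $1; who[n] = $2; perm[n] = $3 }
        END {
            for (i = 1; i <= n; i++) {
                x = (substr(perm[i], 3, 1) == "x")
                masked = (who[i] != "" || tag[i] == "group")
                if (masked && mask != "" && substr(mask, 3, 1) != "x") x = 0
                if (x) print tag[i] ":" who[i]
            }
        }'
}

# Exit 0 if the output contains named user/group entries (an extended ACL), else 1.
has_named_entries() {
    awk -F: '!/^#/ && NF >= 3 && ($1 == "user" || $1 == "group") && $2 != "" { f = 1 }
             END { exit !f }'
}

printf '%s\n' "$SAMPLE_ACL" | exec_entries
```

On a live system the input would come from `getfacl <file> 2>/dev/null | exec_entries`; an `other:` line in the result means every local account can start the program regardless of group membership.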
 
  

