Update Manager is not Asking for Authorisation Password
I think the update manager has been changed recently on Trisquel 5.5. I notice it no longer looks for password authentication before downloading and applying updates.
The update manager shows a .nl update server, but there's no authentication key (see screenshots attached). I think this might be a potential security risk. This has been the situation for a few weeks now. Bug reported.
P.S. I'm just reporting this in case its a error. If its a temporary situation the bug can always be closed, thanks.
Attaching Screenshots seems broken sorry. Links below:
I don't know if that is the case but perhaps the auth key list is only for 3rd party keys and the official keys are included for all mirrors? Maybe somebody else knows.
No, I'm pretty sure the auth key is a big deal. I am almost certain it is in previous Trisquel versions. I am traveling at the moment so I can't check.
Correct me if I am wrong but I believe the key works in a very similar (or exactly similar) way to GPG. The key signs each package so that if you download a packge if it was altered somehow (maybe by a malicious third-party) you would be notified. With no signing key loaded in the system you could be recieving malicious packages.
IMO this is actually pretty serious and someone might want to notify quidam either via IRC or via the devel mailing list (like I said I'm traveling and I don't have my email setup here)
Yes I think you're right SirGrant. As far as I know, in previous Trisquel versions, there was always a key in that box, it looked like a GPG key. Although maybe the Update Manager itself has changed, and the key is no longer displayed there.
Curiously, accesing software sources from synaptic --> configuration --> repositories, shows the auth key.
Also, you can list your keys with
$ sudo apt-key list
Yeah looks like the key is there alright, in folder /etc/apt/trusted.gpg
So maybe thats OK.
Although that still doesn't explain why the Update Manager isn't asking for a root password before downloading and installing the updates. Maybe that's just on my system?
I usually update via apt-get, but I think the update manager only ask for password when there is an 'important' system upgrade.
On 27/06/12 20:52, name at domain wrote:
> Yeah looks like the key is there alright, so maybe thats OK. Still
> doesn't explain why the Update Manager isn't asking for a root password
> before downloading and installing the updates. Maybe that's just on my
> system?
My impression (and it is only that) is that 5.5 asks you for your
password the first time but not subsequently. As I suspend rather than
shutdown it can be a long time between new sessions or reboots so I
can't say if it is definitely this.
As far as I understand, 'sudo' is called by 'gksu', itself called by the application requiring administrative privileges (and, yes, these privileges are definitely needed to install *any* program, i.e., to write in folders such as /usr that must be owned by root:root). The variable "timestamp_timeout" in /etc/sudoers (which must *always* be edited with 'visudo') is used to specify the "number of minutes that can elapse before sudo will ask for a passwd again" (excerpt from 'man sudoers'). In my (non-customized) Trisquel, this variable is not set in /etc/sudoers and the default value, 15 minutes, holds.