Software Updater proceeds without authentication

16 replies [Last post]
amenex
Offline
Joined: 01/03/2015

The last two times that Software Updater had anything to download/install, it did so without asking for authentication. That is news to me, as it has always asked for authentication before (i.e., as recently as last week). I had _not_ run sudo apt-get update in Terminal beforehand the second time, though I had done so the first time this happened.

In Terminal mode, sudo apt-get update _always_ asks for authentication.

My system is Trisquel 7 running on a Thinkpad T420. Plenty of RAM and disk space ... nothing else running at the same time, though I had downloaded emails first after a fresh start at breakfast in both instances.

Troubleshooting this new feature will not be easy, as I'll have to wait days before something new comes to Software Updater.

In the previous few days, I have been downloading a lot of data (about 20 GB in all) from a website using FileZilla, followed after each short burst with deletion of those files from the website ... in the process getting rid of password-protected client data that they no longer needed to access. Other than that, there has been no unusual activity on my part.

Magic Banana

I am a member!

I am a translator!

Offline
Joined: 07/24/2010

It depends on how APT is configured. Look at "Software sources" (in the "System settings"). The drop-down menu associated with "When there are security updates" can specify that such updates are automatically downloaded and installed, which translates to "no need for a password" (I believe).

A password is asked whenever you fire 'sudo'.

amenex
Offline
Joined: 01/03/2015

Magic Banana suggested:

> Look at "Software sources" (in the "System settings").

All I see in System Settings are: "Software & Updates," "Software Updater," "Synaptic Package Manager," and "User Accounts."

In "Software & Updates," the most logical place of these in which to look, I see the following settings:

> Auto check: Daily
> When: Display immediately
> Other: Display weekly

> Notify: For long-term support versions
> Authenticate: Trusted sources --> only one is listed

I see no place in which I can explicitly choose not to be challenged.

Where I live in SE Pennsylvania, there are many stop signs at intersections which have an informational sign below the standard red octagonal Stop sign which says, "Right turn keep moving." This is a convenience for the local drivers, but for inexperienced drivers (e.g., visitors from another state) it's a shock to have someone drive right in front of one without even looking to the left. Such may be the situation here in Software Updater: No Stop sign any more 'cuz it's not needed for the locals.

No one else uses this system ... does that mean that I can safely stop worrying about this change in behaviour ?

FileZilla doesn't save my P/W when I exit; nor does Trisquel 7 fail to challenge me on startup; and Grub only skips its challenge when I chose to start Win7 occasionally, but always asks for username & P/W when I go to the "Advanced" tab.

Magic Banana

I am a member!

I am a translator!

Offline
Joined: 07/24/2010

> In "Software & Updates," the most logical place of these in which to look (...)

This is the one. I was translating from French. But your "When" is not set to what I had imagined could be the reason.

amenex
Offline
Joined: 01/03/2015

Software Updater did it again this morning; no authentication demanded.

Here are the circumstances:

Last thing I did before shutting down Trisquel yesterday was to finish
the filing of some 45,000 messages from an old mailbox into Icedove.

This morning I started Trisquel, downloaded about twenty email messages
from several sources, including some benign spams that I marked as such
and then deleted, and played a few games of freecell (my standard method of
"warming up" the computer). Then I opened Software Updater and clicked
"check for updates," whereupon it opened up with a list of software for
HP printers and proceeded to download and install some 38MB, all without
asking for authentication.

Nobody else uses this computer, and I had not used Terminal and sudo
apt-get update beforehand, so there was no leftover authentication for
Software Updater to sniff out.

There is no other flaky behavior going on that I know of, except that
Icedove's count of remaining messages in the imported oldmail file was
off by one after I moved the last visible email message.

chet
Offline
Joined: 08/07/2015

Hi amenex,

From the main menu, click on System Settings, then Software & Updates.

In Software & Updates, click on When there are security updates:, and double check that Download automatically, or Download and install automatically, are not selected.

From what you stated above, you've probably already checked these items, but still worth checking. Make sure you click Close, and not Revert when done.

chet
Offline
Joined: 08/07/2015

There are also a couple of lines of code in the config file /etc/apt/apt.conf.d that may need to be commented out. I believe this config file allows automatic updates and rebooting of your system to be configured. I am not an expert in this area so I may be wrong.

I found this info while doing a search: Setting up Automatic Updates for Ubuntu (http://robpickering.com/2012/06/setting-up-automatic-updates-for-ubuntu-893).

My Trisquel 7 file system is set up the same way as this article talks about.

Hope this helps.

amenex
Offline
Joined: 01/03/2015

chet first suggested:
> In Software & Updates, click on When there are security updates:, and double check that Download automatically, or Download and install automatically, are not selected.

Correct: no automatic security updates.

Regarding chet's second suggestion, referring to the robpickering.com
article, my 50unattended-upgrades file has only one line not commented
out, regarding security upgrades, exactly like the example quoted in the
article.

As a further example, when I clicked on Software-Updater just now, an
update to ABrowser came through without any request for authentication after I clicked on "check for updates."

Do we have conflicting authorizations ? If I chose "no automatic
security updates" in Software & Updates, does that override or is it
countermanded by the 50unattended-upgrades file ?

The present situation, wherein I cannot predict when Software Updater
will or will not ask for authorization, seems unacceptable from a
security standpoint.

Magic Banana

I am a member!

I am a translator!

Offline
Joined: 07/24/2010

The package "unattended-upgrades", in Trisquel's default system, may be the reason why security updates need no authentication. It can be reconfigured through the Synaptic package manager or with the command 'sudo dpkg-reconfigure unattended-upgrades'. Editing /etc/apt/apt.conf.d/50unattended-upgrades allows a finer configuration (for instance to also get an automatic installation of regular updates).

amenex
Offline
Joined: 01/03/2015

Magic Banana suggested:

> The package "unattended-upgrades", in Trisquel's default system, may be the reason why security updates need no authentication. It can be reconfigured through the Synaptic package manager or with the command 'sudo dpkg-reconfigure unattended-upgrades'.

The yes-or-no question as to whether or not to permit unattended upgrades is set to "no" on my Trisquel 7.

Only two lines in my 50unattended-upgrades file aren't commented out:

>> Unattended-Upgrade::Allowed-Origins {"${distro_id}:${distro_codename}-security";};
>> Unattended-Upgrade::Package-Blacklist {};

Note that all the packages suggested for inclusion in the blacklist are commented out in my 50unattended-upgrades file, so there actually aren't any blacklisted packages.

Magic Banana

I am a member!

I am a translator!

Offline
Joined: 07/24/2010

> Unattended-Upgrade::Allowed-Origins {"${distro_id}:${distro_codename}-security";};

Comment that line and see if the next security update will ask for authentication.

amenex
Offline
Joined: 01/03/2015

It's still doing it (on a "security" upgrade today) even though I commented out the following line(s):

// Automatically upgrade packages from these (origin:archive) pairs
// Unattended-Upgrade::Allowed-Origins {
// "${distro_id}:${distro_codename}-security";
// "${distro_id}:${distro_codename}-updates";
// "${distro_id}:${distro_codename}-proposed";
// "${distro_id}:${distro_codename}-backports";
};

Happens on another PC, also running Trisquel 7, in spite of the same commenting to 50unattended-upgrades.
Doesn't matter whether the PC has been restarted after the change or not.
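
An added example, not part of the thread or of any Trisquel or APT code: a small Python check that reads apt.conf.d-style fragments, ignores commented text, and reports the unattended-upgrade on/off switch separately from the allowed-origins list, so the two settings discussed above can be told apart. The fragment contents are constructed; the file name `20auto-upgrades` and the key `APT::Periodic::Unattended-Upgrade` do not appear in the posts and are assumptions about where the on/off switch is stored.

```python
import re

# apt.conf tokens: quoted string, // or /* */ comment, { } ;, bare word.
TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|//[^\n]*|/\*.*?\*/|[{};]|[^\s{};"]+', re.S)

# Constructed sample: fragments shaped like the lines quoted in the thread.
SAMPLE = {
    "20auto-upgrades": 'APT::Periodic::Unattended-Upgrade "0";\n',
    "50unattended-upgrades": '// Unattended-Upgrade::Allowed-Origins {\n'
                             '// "${distro_id}:${distro_codename}-security";\n'
                             '};\n'
                             'Unattended-Upgrade::Package-Blacklist {};\n',
}

def load(fragments):
    """Merge fragments in file-name order; every setting is a list of values."""
    settings, problems = {}, []
    for fname in sorted(fragments):
        scope, words = [], []
        for tok in TOKEN.findall(fragments[fname]):
            if tok.startswith(("//", "/*")):
                continue                          # commented text sets nothing
            if tok == "{":                        # open a block or list
                scope.append("::".join(words))
                words = []
                settings.setdefault("::".join(scope), [])
            elif tok == "}" and scope:
                scope.pop()
            elif tok == "}":                      # lint finding, not an APT error
                problems.append(fname + ": '}' with no open block")
            elif tok == ";":
                if len(words) == 2:               # Key "value"; a later file wins
                    settings["::".join(scope + [words[0]])] = [words[1].strip('"')]
                elif len(words) == 1 and scope:   # "item"; inside a list
                    settings["::".join(scope)].append(words[0].strip('"'))
                words = []
            else:
                words.append(tok)
    return settings, problems

def unattended_status(fragments):
    """Report the on/off switch and the origin list as two separate facts."""
    settings, problems = load(fragments)
    interval = (settings.get("APT::Periodic::Unattended-Upgrade") or ["0"])[-1]
    return {"enabled": interval not in ("0", ""),
            "origins": settings.get("Unattended-Upgrade::Allowed-Origins", []),
            "problems": problems}

if __name__ == "__main__":
    print(unattended_status(SAMPLE))
```

On a real system, `apt-config dump` prints the merged values that APT itself sees, which is the authoritative view of the same settings.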

amenex
Offline
Joined: 01/03/2015

Today it's clearer: Software Updater had _both_ Security upgrades _and_ "Other" upgrades, so today I was asked to authenticate. Looks as though security upgrades don't demand authentication no matter how I set the configuration.

amenex
Offline
Joined: 01/03/2015

Software Updater installed updates for Icecat and an english-language pack this morning without asking for authentication. No mention of security ...

Should I care ? Does anyone care ?

moxalt
Offline
Joined: 06/19/2015

This constant updating without authentication is more than slightly disturbing.
Have you combed through *all* your Software Updater settings? Is there some
sort of 'hands-free maintenance' mode you've enabled by mistake?

I don't use Software Updater anyway, so I'm practically clueless as to the
problem- can't you just use the terminal? Just make updating manually a habit.

Question- is your account 'Administrator' by any chance? Check in the accounts
thingy in the control panel (I assume you're using the default DE).

> Should I care?

Well, nothing actively bad will probably come of it, but I would feel really
insecure (perhaps irrationally) of my machine doing things behind my back like
that.

amenex
Offline
Joined: 01/03/2015

Yes, I'm the administrator, but I'm also the only user. Been that way since the beginning, earlier this year ... but the no-authentication business only started recently, about the time of my first post on this topic. Before that, I was always asked to authenticate. Terminal _always_ demands authentication.

Mine is an upside-down organization: five installations and only one user. Just being paranoid about hardware availability.

Over my 56 year career since my undergraduate days my computer needs have been generally modest, but the workable systems keep getting yanked out of my grasp.

As an example, my company's 1st PC in 1985 was an IBM PC-XT running DOS, and my word-processing S/W was DisplayWrite 3. After a couple of years I happened upon a computer store that was demonstrating the new edition of DisplayWrite, but it was a completely different S/W with different menus and an unfamiliar "look & feel." Eventually we got a PC-AT and I had to commission a cooperative fellow in the UK to modify DisplayWrite 4 (thankfully working more-or-less just like DisplayWrite 3) to run on the PC-AT. Cost about 3X as much as just clenching my teeth and learning DisplayWrite 6 (the utterly new S/W) but it worked great. Then came Windows 3.11 which set me off by just up & calling the mother ship whenever it felt like it. And on & on while all I was doing 98% of the time was writing reports. I got tired of all that and started to try to use linux around Y2K. Installation was a nightmare of conflicting instructions but it was stable. Installing new versions of linux was worse and usually cost the company more than a new PC just to keep on writing reports. Now we have the polar opposites of Windows and GNU/Linux (particularly Trisquel !) ... Windows with its automatic updates which stop me dead in my tracks at all the worst times, especially McAfee, which eradicated my T-bird Inbox once (which I was able to restore from my linux version of T-bird running on another PC). Now you may be able to see why I'm worried about Software Updater, even though the automaticity does _not_ extend to doing so whenever it feels like it, because it still has to wait for me to initiate the update process.

amenex
Offline
Joined: 01/03/2015

By way of "proof", today Software Updater stated that it needed to download & install 62+/-MB of security updates and then proceeded _with_ a demand for authentication. Yes... I had to enter my P/W to get these security updates.

The only clue is that I have been rearranging emails in Icedove for quite some time in the periods prior to getting the iffy demands or not demands for authentication.

Running Trisquel 7 on a Lenovo T420 with 4GB of RAM and plenty of HDD space.