Update Manager is not Asking for Authorisation Password

BinaryDigit
Joined: 11/30/2010

I think the update manager has been changed recently on Trisquel 5.5. I notice it no longer looks for password authentication before downloading and applying updates.

The update manager shows a .nl update server, but there's no authentication key (see screenshots attached). I think this might be a potential security risk. This has been the situation for a few weeks now. Bug reported.

P.S. I'm just reporting this in case it's an error. If it's a temporary situation the bug can always be closed, thanks.

lembas
Joined: 05/13/2010

I don't know if that is the case but perhaps the auth key list is only for 3rd party keys and the official keys are included for all mirrors? Maybe somebody else knows.

SirGrant
Joined: 07/27/2010

No, I'm pretty sure the auth key is a big deal. I am almost certain it is in previous Trisquel versions. I am traveling at the moment so I can't check.

Correct me if I am wrong but I believe the key works in a very similar (or exactly similar) way to GPG. The key signs each package so that if you download a package and it was altered somehow (maybe by a malicious third party) you would be notified. With no signing key loaded in the system you could be receiving malicious packages.

IMO this is actually pretty serious and someone might want to notify quidam either via IRC or via the devel mailing list (like I said I'm traveling and I don't have my email set up here).

BinaryDigit
Joined: 11/30/2010

Yes I think you're right SirGrant. As far as I know, in previous Trisquel versions, there was always a key in that box, it looked like a GPG key. Although maybe the Update Manager itself has changed, and the key is no longer displayed there.

jbar
Joined: 01/22/2011

Curiously, accessing software sources from synaptic --> configuration --> repositories, shows the auth key.

Also, you can list your keys with
$ sudo apt-key list

BinaryDigit
Joined: 11/30/2010

Yeah looks like the key is there alright, in folder /etc/apt/trusted.gpg
So maybe that's OK.

Although that still doesn't explain why the Update Manager isn't asking for a root password before downloading and installing the updates. Maybe that's just on my system?

jbar
Joined: 01/22/2011

I usually update via apt-get, but I think the update manager only asks for password when there is an 'important' system upgrade.

leny2010
Joined: 09/15/2011

On 27/06/12 20:52, name at domain wrote:
> Yeah looks like the key is there alright, so maybe that's OK. Still
> doesn't explain why the Update Manager isn't asking for a root password
> before downloading and installing the updates. Maybe that's just on my
> system?

My impression (and it is only that) is that 5.5 asks you for your
password the first time but not subsequently. As I suspend rather than
shut down it can be a long time between new sessions or reboots so I
can't say if it is definitely this.

Magic Banana
Joined: 07/24/2010

As far as I understand, 'sudo' is called by 'gksu', itself called by the application requiring administrative privileges (and, yes, these privileges are definitely needed to install *any* program, i.e., to write in folders such as /usr that must be owned by root:root). The variable "timestamp_timeout" in /etc/sudoers (which must *always* be edited with 'visudo') is used to specify the "number of minutes that can elapse before sudo will ask for a passwd again" (excerpt from 'man sudoers'). In my (non-customized) Trisquel, this variable is not set in /etc/sudoers and the default value, 15 minutes, holds.
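
The timeout lookup described in the last post, as an added example that is not part of the thread: a shell function that reads sudoers-style files and reports the effective global timestamp_timeout. The function names, the SUDO_FALLBACK_MINUTES variable and the sample file are constructed for illustration, and the 15-minute fallback is the default quoted in that post.

```shell
# Added example: audit the sudo password-cache window from sudoers files.
# Assumption: 15-minute fallback, the default reported in the post above.
# Constructed sample input, not taken from any real system.
sample_sudoers() {
    cat <<'EOF'
# constructed sample sudoers
Defaults        env_reset
Defaults:alice  timestamp_timeout=60
Defaults        mail_badpass, timestamp_timeout=0
#Defaults       timestamp_timeout=30
EOF
}

# effective_timeout FILE...: print the last global timestamp_timeout, or the
# fallback. Comments and scoped entries (Defaults:user, Defaults@host) are skipped.
effective_timeout() {
    awk -v fb="${SUDO_FALLBACK_MINUTES:-15}" '
        /^[ \t]*#/ { next }
        /^[ \t]*Defaults[ \t]/ {
            line = $0
            sub(/^[ \t]*Defaults[ \t]+/, "", line)
            n = split(line, opts, ",")          # one line may set several options
            for (i = 1; i <= n; i++) {
                o = opts[i]
                gsub(/[ \t]/, "", o)
                if (o ~ /^timestamp_timeout=-?[0-9.]+$/) {
                    sub(/^timestamp_timeout=/, "", o)
                    val = o; seen = 1           # later settings override earlier ones
                }
            }
        }
        END { if (!seen) val = fb; print val }
    ' "$@"
}

# describe_timeout MINUTES: explain what the value means for password prompts.
describe_timeout() {
    awk -v v="$1" 'BEGIN {
        if (v + 0 < 0)       print "never expires"
        else if (v + 0 == 0) print "prompts every time"
        else                 print "cached for " v " minutes"
    }'
}

tmp=$(mktemp)
sample_sudoers > "$tmp"
t=$(effective_timeout "$tmp")
echo "sample sudoers: timestamp_timeout=$t ($(describe_timeout "$t"))"
rm -f "$tmp"
```

On a real system the function would be run as root over /etc/sudoers followed by the files under /etc/sudoers.d, since those files are not world-readable.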