Here are the lines from journalctl -b 0 .... The "sudo" was from me doing:
sudo su - ... just prior to the "snap install blender --classic"

--- start cut ---
Nov 05 15:15:39 jms-u18t sudo[18049]: pam_unix(sudo:auth): authentication 
failure; logname= uid=1031 euid=0 tty=/dev/pts/0 ruser=jason rhost=  user=jason
Nov 05 15:15:39 jms-u18t sudo[18049]:    jason : user NOT in sudoers ; 
TTY=pts/0 ; PWD=/home/users/jason ; USER=root ; COMMAND=/bin/su -
Nov 05 15:15:43 jms-u18t gnome-shell[16877]: polkitAuthenticationAgent: 
Received 3 identities that can be used for authentication. Only considering one.
Nov 05 15:15:46 jms-u18t polkit-agent-helper-1[18065]: pam_unix(polkit-1:auth): 
authentication failure; logname= uid=1031 euid=0 tty= ruser=jason rhost=  
user=jason
Nov 05 15:15:46 jms-u18t polkitd(authority=local)[881]: Operator of 
unix-session:116 successfully authenticated as unix-user:jason to gain 
TEMPORARY authorization for action io.snapcraft.snapd.manage for 
unix-process:18050:34595600 [snap install blender] (owned by unix-user:jason)
Nov 05 15:15:46 jms-u18t snapd[860]: api.go:952: Installing snap "blender" 
revision unset
Nov 05 15:16:02 jms-u18t gnome-shell[16877]: polkitAuthenticationAgent: 
Received 3 identities that can be used for authentication. Only considering one.
Nov 05 15:16:05 jms-u18t polkit-agent-helper-1[18083]: pam_unix(polkit-1:auth): 
authentication failure; logname= uid=1031 euid=0 tty= ruser=jason rhost=  
user=jason
Nov 05 15:16:05 jms-u18t polkitd(authority=local)[881]: Operator of 
unix-session:116 successfully authenticated as unix-user:jason to gain 
TEMPORARY authorization for action io.snapcraft.snapd.manage for 
unix-process:18068:34597431 [snap install blender --classic] (owned by 
unix-user:jason)
Nov 05 15:16:05 jms-u18t snapd[860]: api.go:952: Installing snap "blender" 
revision unset
Nov 05 15:16:11 jms-u18t systemd[1]: Reloading.
Nov 05 15:16:11 jms-u18t systemd[1]: Mounting Mount unit for blender, revision 
33...
Nov 05 15:16:11 jms-u18t systemd[1]: Mounted Mount unit for blender, revision 
33.
Nov 05 15:16:14 jms-u18t audit[18150]: AVC apparmor="STATUS" 
operation="profile_replace" info="same as current profile, skipping" 
profile="unconfined" name="snap-update-ns.blender" pid=18150 
comm="apparmor_parser"
Nov 05 15:16:14 jms-u18t audit[18151]: AVC apparmor="STATUS" 
operation="profile_replace" info="same as current profile, skipping" 
profile="unconfined" name="snap.blender.blender" pid=18151 
comm="apparmor_parser"
Nov 05 15:16:14 jms-u18t kernel: audit: type=1400 audit(1572988574.599:142): 
apparmor="STATUS" operation="profile_replace" info="same as current profile, 
skipping" profile="unconfined" name="snap-update-ns.blender" pid=18150 
comm="apparmor_parser"
Nov 05 15:16:14 jms-u18t kernel: audit: type=1400 audit(1572988574.599:143): 
apparmor="STATUS" operation="profile_replace" info="same as current profile, 
skipping" profile="unconfined" name="snap.blender.blender" pid=18151 
comm="apparmor_parser"
Nov 05 15:16:15 jms-u18t gnome-shell[16877]: Some code accessed the property 
'refreshPropertyOnProxy' on the module 'util'. That property was defined with 
'let' or 'const' inside the module. This was previously supported, but is not 
correct according to the ES6 standard. Any symbols to be exported from a 
Nov 05 15:16:15 jms-u18t pkexec[18154]: pam_unix(polkit-1:session): session 
opened for user root by (uid=1031)
Nov 05 15:16:15 jms-u18t pkexec[18154]: jason: Executing command [USER=root] 
[TTY=unknown] [CWD=/home/users/jason] 
[COMMAND=/usr/lib/update-notifier/package-system-locked]

--- end cut ---

So, we have here from polkitd: "successfully authenticated as
unix-user:jason to gain TEMPORARY authorization for action
io.snapcraft.snapd.manage"

So... installing through snap, as long as you know the user's
password... lets you install something on the system? Without needing
root privileges?

Is this some apparmor policy thing?

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to gnome-software in Ubuntu.
https://bugs.launchpad.net/bugs/1850977

Title:
  gnome-software installs software without user having sudo access

Status in gnome-software package in Ubuntu:
  New

Bug description:
  $ lsb_release -rd
  Description:  Ubuntu 18.04.2 LTS
  Release:      18.04

  $ apt-cache policy gnome-software
  gnome-software:
    Installed: 3.28.1-0ubuntu4.18.04.8
    Candidate: 3.28.1-0ubuntu4.18.04.12
    Version table:
       3.28.1-0ubuntu4.18.04.12 500
          500 http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 
Packages
   *** 3.28.1-0ubuntu4.18.04.8 100
          100 /var/lib/dpkg/status
       3.28.1-0ubuntu4 500
          500 http://us.archive.ubuntu.com/ubuntu bionic/main amd64

  What I expect to happen:
    Software is not installed for a user without sudo access.

  What does happen:
  I'm logging in with an LDAP user. This user does not have sudo access.

  When I select software from gnome-software ("Ubuntu Software"), it
  pops up and asks for my user's password. I enter this in, and the
  software then installs (tested with blender, libreoffice, opencl
  driver).

  My user does *not* have sudo access on the system.

  $ sudo su -
  [sudo] password for jason: 
  jason is not in the sudoers file.  This incident will be reported.

  It appears these *may* be being installed with Snaps ... which still:

  How, without having root access, can an unprivileged user install
  something onto the system?

  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: gnome-software 3.28.1-0ubuntu4.18.04.8
  ProcVersionSignature: Ubuntu 5.0.0-32.34~18.04.2-generic 5.0.21
  Uname: Linux 5.0.0-32-generic x86_64
  ApportVersion: 2.20.9-0ubuntu7.5
  Architecture: amd64
  CurrentDesktop: ubuntu:GNOME
  Date: Fri Nov  1 13:53:03 2019
  InstallationDate: Installed on 2019-11-01 (0 days ago)
  InstallationMedia: Ubuntu 18.04.2 LTS "Bionic Beaver" - Release amd64 
(20190210)
  InstalledPlugins:
   gnome-software-plugin-flatpak N/A
   gnome-software-plugin-limba   N/A
   gnome-software-plugin-snap    3.28.1-0ubuntu4.18.04.8
  ProcEnviron:
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=<set>
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: gnome-software
  UpgradeStatus: No upgrade log present (probably fresh install)
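
The correlation visible in the journal excerpt above (sudo rejects the user, then polkitd grants the same user an authorization) can be checked mechanically. This is an added example, not part of the original report or of any Ubuntu tooling; the function names are hypothetical, and the third sample entry (alice/bob, `org.example.demo`) is constructed for contrast.

```python
import re

ENTRY_START = re.compile(r"^[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} ")
SUDO_DENIED = re.compile(r"sudo\[\d+\]:\s+(?P<user>\S+) : user NOT in sudoers")
POLKIT_GRANT = re.compile(
    r"polkitd\(authority=local\)\[\d+\]: Operator of \S+ successfully "
    r"authenticated as unix-user:(?P<auth>\S+) to gain (?P<kind>\w+) "
    r"authorization for action (?P<action>\S+) for \S+ "
    r"\[(?P<cmd>[^\]]*)\] \(owned by unix-user:(?P<owner>[^)]+)\)"
)

# First two entries are taken from the excerpt above (still mail-wrapped);
# the third entry is constructed sample data.
SAMPLE = """\
Nov 05 15:15:39 jms-u18t sudo[18049]:    jason : user NOT in sudoers ;
TTY=pts/0 ; PWD=/home/users/jason ; USER=root ; COMMAND=/bin/su -
Nov 05 15:15:46 jms-u18t polkitd(authority=local)[881]: Operator of
unix-session:116 successfully authenticated as unix-user:jason to gain
TEMPORARY authorization for action io.snapcraft.snapd.manage for
unix-process:18050:34595600 [snap install blender] (owned by unix-user:jason)
Nov 05 15:20:01 jms-u18t polkitd(authority=local)[881]: Operator of
unix-session:7 successfully authenticated as unix-user:alice to gain
TEMPORARY authorization for action org.example.demo for
unix-process:2000:100 [example-tool] (owned by unix-user:bob)
"""

def unwrap(text):
    """Rejoin mail-wrapped journal lines: a new entry starts with a timestamp."""
    entries = []
    for line in text.splitlines():
        if ENTRY_START.match(line) or not entries:
            entries.append(line.rstrip())
        elif line.strip():
            entries[-1] += " " + line.strip()
    return entries

def grants_to_sudo_denied(text):
    """Return polkit grants whose authenticating user was also rejected by sudo."""
    entries = unwrap(text)
    denied = {m.group("user") for e in entries if (m := SUDO_DENIED.search(e))}
    findings = []
    for e in entries:
        m = POLKIT_GRANT.search(e)
        if m and m.group("auth") in denied:
            findings.append({"user": m.group("auth"), "action": m.group("action"),
                             "command": m.group("cmd"),
                             "self_auth": m.group("auth") == m.group("owner")})
    return findings

if __name__ == "__main__":
    for finding in grants_to_sudo_denied(SAMPLE):
        print(finding)
```

The same function accepts unwrapped `journalctl -b 0` output directly, since `unwrap` leaves single-line entries unchanged.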
