[Bug 1850977] Re: Snap installs software without user having sudo access

2019-11-14 Thread Jason Stover
Unfortunately it isn't that easy in my case. I need to have every action
attempted logged. That will still give it to me, but modifying what's
happening by changing what's being requested.

So, if a normal user attempts something, the best case is for it to ask
for the users password and fail when they don't have permission to do
the action, or the password entered is wrong.

Second best, is to fall back to asking for the root password. I can deal
with the logging inaccuracy.

But not always ask for the root password in every case which is what
that override will do.

I'm going to be needing to implement some custom polkit/apparmour stuff
eventually anyway (now that I've seen this), but this came about as I am
not a Debian/Ubuntu person. So I hit something that _shouldn't_ have
been happening in my mind (hey, no sudoers access, no way to run as
root) ... It threw me that it was happening.

But thanks to everyone for digging into this with me.

-- 
You received this bug notification because you are a member of Ubuntu
Desktop Bugs, which is subscribed to gnome-software in Ubuntu.
https://bugs.launchpad.net/bugs/1850977

Title:
  Snap installs software without user having sudo access

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnome-software/+bug/1850977/+subscriptions

-- 
desktop-bugs mailing list
desktop-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/desktop-bugs

[Bug 1850977] Re: Snap installs software without user having sudo access

2019-11-14 Thread Jason Stover
As an addition... If I remove the 51-ubuntu-admin.conf file, when I run
`snap install blender --classic`, it pops up a dialog box asking for the
"Administrator" password.

Entering root's password will install it.

This is the behaviour wanted: not installing it with only the user's
authentication.

[Bug 1850977] Re: Snap installs software without user having sudo access

2019-11-14 Thread Jason Stover
That's what I want though. I want control through sudoers, not polkit.

The file: /etc/polkit-1/localauthority.conf.d/50-localauthority.conf ... still 
contains:
```
[Configuration]
AdminIdentities=unix-user:0
```

I don't know why you need to say root is an admin, but whatever it's
there...  And that *should* be the only admin. No other user should have
administrative privileges on their own, without using sudo or becoming
root. Full stop.

This isn't for a single desktop home system, but a corporate controlled
system. A user that can install software just because they want to isn't
going to fly (or pass Government regulations we need to). And not all
admins are created equal.

[Bug 1850977] Re: Snap installs software without user having sudo access

2019-11-14 Thread Jason Stover
Thank You!!!

Can you set it like:
```
[Configuration]
AdminIdentities=
```

So *nothing* is considered an Admin?

That file has `unix-group:sudo;unix-group:admin` ... by default from
what I can tell. But at least that I know this thing exists and hey, you
can elevate privileges without being in sudoers (Ugh... another thing to
restrict for regulations).

Does that deal only with the *name* of the group, or what it sees as the
GID?

I mean, I can make another user named `bob` with a UID of 0 ... so I'm
still effectively root even if I'm logged in as bob. Does this work that
way with GIDs? Or is it looking explicitly at the name only, even if the
name is irrelevant in actual system usage?

Meaning, I can have groups named: Admin, AdminA, AdminB, AdminC
with different members but the same GID. In this way anything on the
filesystem owned by the `Admin` group can be accessed by any of the
Admin groups, since it's the GID that matters.

Does PolicyKit take GIDs into account, or just the name?

[Bug 1850977] Re: Snap installs software without user having sudo access

2019-11-14 Thread Jason Stover
The above still stands... but that isn't it for `snap` ... I changed all
the `isInGroup("sudo")` to use `sudoA`, since that's the actual group
that's in sudoers...

And snap is still letting me install the blender snap in `--classic`
mode. So how do you find out what polkit rules are running at any
given time?

The `io.snapcraft.snapd.manage` action has:
```
auth_admin
```

But where is what `auth_admin` does defined? It *looks* like it's seeing
it as a local login and just allowing it. If I log in through SSH and
try the same command I get:

```
$ snap install blender --classic
error: access denied (try with sudo)
```


Being a locally logged in user does not mean you should have the ability to 
install software. Again, that's an incorrect assumption being made :/

[Bug 1850977] Re: Snap installs software without user having sudo access

2019-11-08 Thread Jason Stover
Seems to be more appropriate to assign this to snapd than gnome-software.

** Summary changed:

- gnome-software installs software without user having sudo access
+ Snap installs software without user having sudo access

** Tags added: snap

** Package changed: gnome-software (Ubuntu) => snapd (Ubuntu)

[Bug 1850977] Re: gnome-software installs software without user having sudo access

2019-11-05 Thread Jason Stover
Attached is a screenshot of the VM window where the terminal install was
done.

** Attachment added: "Installation using snap on account without sudo access"
https://bugs.launchpad.net/ubuntu/+source/gnome-software/+bug/1850977/+attachment/5303117/+files/Screenshot_2019-11-05_15-28-49.png

[Bug 1850977] Re: gnome-software installs software without user having sudo access

2019-11-05 Thread Jason Stover
Here are the lines from `journalctl -b 0`. The "sudo" was from me doing
`sudo su -` just prior to the `snap install blender --classic`.

```
Nov 05 15:15:39 jms-u18t sudo[18049]: pam_unix(sudo:auth): authentication failure; logname= uid=1031 euid=0 tty=/dev/pts/0 ruser=jason rhost=  user=jason
Nov 05 15:15:39 jms-u18t sudo[18049]:jason : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/users/jason ; USER=root ; COMMAND=/bin/su -
Nov 05 15:15:43 jms-u18t gnome-shell[16877]: polkitAuthenticationAgent: Received 3 identities that can be used for authentication. Only considering one.
Nov 05 15:15:46 jms-u18t polkit-agent-helper-1[18065]: pam_unix(polkit-1:auth): authentication failure; logname= uid=1031 euid=0 tty= ruser=jason rhost=  user=jason
Nov 05 15:15:46 jms-u18t polkitd(authority=local)[881]: Operator of unix-session:116 successfully authenticated as unix-user:jason to gain TEMPORARY authorization for action io.snapcraft.snapd.manage for unix-process:18050:34595600 [snap install blender] (owned by unix-user:jason)
Nov 05 15:15:46 jms-u18t snapd[860]: api.go:952: Installing snap "blender" revision unset
Nov 05 15:16:02 jms-u18t gnome-shell[16877]: polkitAuthenticationAgent: Received 3 identities that can be used for authentication. Only considering one.
Nov 05 15:16:05 jms-u18t polkit-agent-helper-1[18083]: pam_unix(polkit-1:auth): authentication failure; logname= uid=1031 euid=0 tty= ruser=jason rhost=  user=jason
Nov 05 15:16:05 jms-u18t polkitd(authority=local)[881]: Operator of unix-session:116 successfully authenticated as unix-user:jason to gain TEMPORARY authorization for action io.snapcraft.snapd.manage for unix-process:18068:34597431 [snap install blender --classic] (owned by unix-user:jason)
Nov 05 15:16:05 jms-u18t snapd[860]: api.go:952: Installing snap "blender" revision unset
Nov 05 15:16:11 jms-u18t systemd[1]: Reloading.
Nov 05 15:16:11 jms-u18t systemd[1]: Mounting Mount unit for blender, revision 33...
Nov 05 15:16:11 jms-u18t systemd[1]: Mounted Mount unit for blender, revision 33.
Nov 05 15:16:14 jms-u18t audit[18150]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.blender" pid=18150 comm="apparmor_parser"
Nov 05 15:16:14 jms-u18t audit[18151]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap.blender.blender" pid=18151 comm="apparmor_parser"
Nov 05 15:16:14 jms-u18t kernel: audit: type=1400 audit(1572988574.599:142): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.blender" pid=18150 comm="apparmor_parser"
Nov 05 15:16:14 jms-u18t kernel: audit: type=1400 audit(1572988574.599:143): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap.blender.blender" pid=18151 comm="apparmor_parser"
Nov 05 15:16:15 jms-u18t gnome-shell[16877]: Some code accessed the property 'refreshPropertyOnProxy' on the module 'util'. That property was defined with 'let' or 'const' inside the module. This was previously supported, but is not correct according to the ES6 standard. Any symbols to be exported from a
Nov 05 15:16:15 jms-u18t pkexec[18154]: pam_unix(polkit-1:session): session opened for user root by (uid=1031)
Nov 05 15:16:15 jms-u18t pkexec[18154]: jason: Executing command [USER=root] [TTY=unknown] [CWD=/home/users/jason] [COMMAND=/usr/lib/update-notifier/package-system-locked]
```

So, we have here from polkitd: "successfully authenticated as
unix-user:jason to gain TEMPORARY authorization for action
io.snapcraft.snapd.manage"

So... installing through snap, as long as you know the user's
password... lets you install something on the system? Without needing
root privileges?

Is this some apparmor policy thing?
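A detection check over journal lines like the ones quoted above, as an added example (not from the bug report, snapd or polkit): it flags `io.snapcraft.snapd.manage` authorizations that polkitd granted to users outside an administrator allowlist, and notes when sudo itself refused the same user in the same log. The sample lines are constructed from the entries above; the `jlocal` entry and the `admin_users` set are assumptions.

```python
import re

# Constructed sample journal lines, modelled on the ones quoted in the bug report.
# The jlocal line is a hypothetical entry for a user who IS allowed to manage snaps.
SAMPLE_JOURNAL = """\
Nov 05 15:15:39 jms-u18t sudo[18049]:jason : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/users/jason ; USER=root ; COMMAND=/bin/su -
Nov 05 15:15:46 jms-u18t polkitd(authority=local)[881]: Operator of unix-session:116 successfully authenticated as unix-user:jason to gain TEMPORARY authorization for action io.snapcraft.snapd.manage for unix-process:18050:34595600 [snap install blender] (owned by unix-user:jason)
Nov 05 15:15:46 jms-u18t snapd[860]: api.go:952: Installing snap "blender" revision unset
Nov 05 15:16:05 jms-u18t polkitd(authority=local)[881]: Operator of unix-session:116 successfully authenticated as unix-user:jason to gain TEMPORARY authorization for action io.snapcraft.snapd.manage for unix-process:18068:34597431 [snap install blender --classic] (owned by unix-user:jason)
Nov 05 15:20:01 jms-u18t polkitd(authority=local)[881]: Operator of unix-session:117 successfully authenticated as unix-user:jlocal to gain TEMPORARY authorization for action io.snapcraft.snapd.manage for unix-process:18200:34600000 [snap install vlc] (owned by unix-user:jlocal)
"""

# polkitd's "successfully authenticated ... authorization for action" message
GRANT_RE = re.compile(
    r"polkitd\(authority=local\)\[\d+\]: Operator of (?P<session>unix-session:\d+) "
    r"successfully authenticated as unix-user:(?P<user>\S+) to gain "
    r"(?P<kind>\S+) authorization for action (?P<action>\S+) "
    r"for unix-process:(?P<pid>\d+):\d+ \[(?P<cmd>[^\]]*)\]"
)
# sudo's own refusal line for a user who is not in sudoers
SUDO_DENY_RE = re.compile(r"sudo\[\d+\]:\s*(?P<user>\S+) : user NOT in sudoers")


def parse_polkit_grants(lines):
    """One dict (session, user, kind, action, pid, cmd) per polkitd grant line."""
    return [m.groupdict() for m in map(GRANT_RE.search, lines) if m]


def sudo_denied_users(lines):
    """Users that sudo refused ('user NOT in sudoers') anywhere in the journal."""
    return {m.group("user") for m in map(SUDO_DENY_RE.search, lines) if m}


def find_unexpected_grants(lines, admin_users, actions=("io.snapcraft.snapd.manage",)):
    """Grants of a privileged action to a user outside admin_users.

    Each hit also records whether sudo denied that user in the same log,
    which is exactly the contradiction the bug report describes."""
    denied = sudo_denied_users(lines)
    hits = []
    for grant in parse_polkit_grants(lines):
        if grant["action"] in actions and grant["user"] not in admin_users:
            grant["sudo_denied"] = grant["user"] in denied
            hits.append(grant)
    return hits


if __name__ == "__main__":
    for h in find_unexpected_grants(SAMPLE_JOURNAL.splitlines(), admin_users={"jlocal"}):
        print(f"{h['user']} got {h['action']} via {h['session']} for [{h['cmd']}] "
              f"(sudo denied this user: {h['sudo_denied']})")
```

On a real host, feed it `journalctl -b 0 --no-pager` output and the members of the group that is actually in sudoers.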

[Bug 1850977] Re: gnome-software installs software without user having sudo access

2019-11-05 Thread Jason Stover
A dialog box appears. It just shows the Full Name field, and the name
shown is "Jason Stover" (login: jason) for the LDAP account. The Local
Admin account name is "Jason Local" (login: jlocal).

The passwords for the two accounts are also different, in case it was
showing the name of the logged-in user but asking for the password of
the local account; the passwords wouldn't have matched up.

[Bug 1850977] [NEW] gnome-software installs software without user having sudo access

2019-11-01 Thread Jason Stover
Public bug reported:

```
$ lsb_release -rd
Description:    Ubuntu 18.04.2 LTS
Release:        18.04

$ apt-cache policy gnome-software
gnome-software:
  Installed: 3.28.1-0ubuntu4.18.04.8
  Candidate: 3.28.1-0ubuntu4.18.04.12
  Version table:
     3.28.1-0ubuntu4.18.04.12 500
        500 http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
 *** 3.28.1-0ubuntu4.18.04.8 100
        100 /var/lib/dpkg/status
     3.28.1-0ubuntu4 500
        500 http://us.archive.ubuntu.com/ubuntu bionic/main amd64
```

What I expect to happen:
  Software is not installed for a user without sudo access.

What does happen:
I'm logging in with an LDAP user. This user does not have sudo access.

When I select software from gnome-software ("Ubuntu Software"), it pops
up and asks for my user's password. I enter this in, and the software
then installs (tested with blender, libreoffice, opencl driver).

My user does *not* have sudo access on the system.

```
$ sudo su -
[sudo] password for jason: 
jason is not in the sudoers file.  This incident will be reported.
```

It appears these *may* be being installed with Snaps ... which still:

How, without having root access, can an unprivileged user install
something onto the system?

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: gnome-software 3.28.1-0ubuntu4.18.04.8
ProcVersionSignature: Ubuntu 5.0.0-32.34~18.04.2-generic 5.0.21
Uname: Linux 5.0.0-32-generic x86_64
ApportVersion: 2.20.9-0ubuntu7.5
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Fri Nov  1 13:53:03 2019
InstallationDate: Installed on 2019-11-01 (0 days ago)
InstallationMedia: Ubuntu 18.04.2 LTS "Bionic Beaver" - Release amd64 (20190210)
InstalledPlugins:
 gnome-software-plugin-flatpak N/A
 gnome-software-plugin-limba   N/A
 gnome-software-plugin-snap3.28.1-0ubuntu4.18.04.8
ProcEnviron:
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: gnome-software
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: gnome-software (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: amd64 apport-bug bionic
