swupd-client icon indicating copy to clipboard operation
swupd-client copied to clipboard

Published 20 hours ago verified publisher icon clearlinux

search does not require sudo but search-file do with swupd

Open lsandov1 opened this issue 5 years ago • 8 comments

I find a bit strange that similar swupd subcommands, search and search-file, the former does not require sudo (meaning root permission) but the latter do. Is this intentional?

$ swupd search libvpx.so
Search failed, no reasonable results found
$ swupd search-file libvpx.so
Error: This program must be run as root..aborting

lsandov1 avatar Jan 29 '20 15:01 lsandov1

we try really hard to make search not require privileges. as a result it's more a keyword search and not a file search and also not a grep. (e.g. more google and less altavista)

search-file is specifically for folks who want to know exact file names, but that needs access to metadata that is considered privileged (the security world is increasingly considering "what versions and software is installed" as security sensitive. not all distros lock this down but I'd not be surprised if in the next year or two most will follow)

On Wed, Jan 29, 2020 at 7:32 AM Leonardo Sandoval [email protected] wrote:

I find a bit strange that similar swupd subcommands, search and search-file, the former does not require sudo (meaning root permission) but the latter do. Is this intentional?

$ swupd search libvpx.so Search failed, no reasonable results found $ swupd search-file libvpx.so Error: This program must be run as root..aborting

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/clearlinux/distribution/issues/1682?email_source=notifications&email_token=AAJ54FKANLUUMN7GBEUZSBLRAGOQFA5CNFSM4KNGVLI2YY3PNVWWK3TUL52HS4DFUVEXG43VMWVGG33NNVSW45C7NFSM4IJSHGBQ, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAJ54FNZLZWVQ7LPZZBW4BTRAGOQFANCNFSM4KNGVLIQ .

fenrus75 avatar Jan 29 '20 15:01 fenrus75

sudo usage for "search-file" could be somewhat mitigated (same as "search") by adding an entry to swupd polkit rules. These rules allow some swupd commands to run without sudo providing the user is in the "wheel" group.

jurobystricky avatar Jan 29 '20 16:01 jurobystricky

polkit is just as sudo as sudo is.. and polkit has it's own long list of issues (to start with it includes a whole javascript engine)

On Wed, Jan 29, 2020 at 8:22 AM jurobystricky [email protected] wrote:

sudo usage for "search-file" could be somewhat mitigated (same as "search") by adding an entry to swupd polkit rules. These rules allow some swupd commands to run without sudo providing the user is in the "wheel" group.

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/clearlinux/distribution/issues/1682?email_source=notifications&email_token=AAJ54FLH6LGHAJUJ7AHQRHDRAGUM5A5CNFSM4KNGVLI2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEKH2CDY#issuecomment-579838223, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAJ54FKQTUKSUVEQBVOBMUDRAGUM5ANCNFSM4KNGVLIQ .

fenrus75 avatar Jan 29 '20 17:01 fenrus75

My point was to address the original question regarding the inconsistencies in swupd searches. I believe the root cause is "swupd search" is in polkit rules, "swupd search-file" is not. So one does not require sudo (for "wheelrs") the other one does.

jurobystricky avatar Jan 29 '20 17:01 jurobystricky

swupd search does not need root privileges to run (no matter how you got there)

by default we do not ship polkit on so I'm confused with the focus on polkit

On Wed, Jan 29, 2020 at 9:09 AM jurobystricky [email protected] wrote:

My point was to address the original question regarding the inconsistencies in swupd searches. I believe the root cause is "swupd search" is in polkit rules, "swupd search-file" is not. So one does not require sudo (for "wheelrs") the other one does.

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/clearlinux/distribution/issues/1682?email_source=notifications&email_token=AAJ54FMKID5UU7KOKKRANYTRAGZ47A5CNFSM4KNGVLI2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEKH7R7A#issuecomment-579860732, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAJ54FJM5FM6UJVS4HP2KTDRAGZ47ANCNFSM4KNGVLIQ .

fenrus75 avatar Jan 29 '20 17:01 fenrus75

Ah, I see. Sorry for the confusion. However somebody brings in the polkit and the rules for swupd. On my desktop I can locate the file "org.clearlinux.swupd.policy" and "org.clearlinux.swupd.rules". In particular, I was referring to the rules as I see them on my desktop:

polkit.addRule(function(action, subject) {
    if (action.id == "org.clearlinux.swupd.bundle-add" ||
        action.id == "org.clearlinux.swupd.bundle-remove" ||
        action.id == "org.clearlinux.swupd.update" ||
        action.id == "org.clearlinux.swupd.search") {
            if (subject.isInGroup("wheel")) {
                return polkit.Result.YES;
            } else {
                return polkit.Result.AUTH_ADMIN;
            }
    }
});

jurobystricky avatar Jan 29 '20 17:01 jurobystricky

Transferring to the swupd-client repo

phmccarty avatar Jan 29 '20 21:01 phmccarty

swupd search does not require sudo, however it gets different results than an execution with sudo.

If keeping the execution working without sudo is a must, it should at least tell users about that difference, maybe give a hint to "try again with sudo if results are not reasonable".

e.g.: https://github.com/clearlinux/distribution/issues/1963

anselmolsm avatar May 12 '20 16:05 anselmolsm