Bug 158483 - Starting "yast firewall" as regular user has bad failure modes
Status: RESOLVED FIXED
Alias: None
Product: SUSE Linux 10.1
Classification: openSUSE
Component: YaST2
Version: Beta 8
Hardware: All SuSE Linux 10.1
Importance: P5 - None : Major
Target Milestone: ---
Assignee: Lukas Ocilka
QA Contact: Klaus Kämpf
Reported: 2006-03-16 01:35 UTC by Gerald Pfeifer
Modified: 2006-03-27 08:35 UTC (History)
Found By: Development


Attachments
YaST log from a SLES10 Beta7 machine (ia64) (14.23 KB, text/plain)
2006-03-18 11:18 UTC, Gerald Pfeifer

Description Gerald Pfeifer 2006-03-16 01:35:11 UTC
When one inadvertently starts "yast firewall" as regular user instead of
root, no message indicates that this is not appropriate.

However, even though the firewall is running, the dialog then claims
"Current Status: Firewall is not running" and has the "Start Firewall
Now" button enabled.


If one selects "Save Setting and Restart Firewall Now", there are two
error messages: "Error: Cannot write settings to /etc/sysconfig/SuSEFirewall"
followed by "Error: Writing settings failed".  

This, issuing two similar error messages one after the other, is
something we should fix as well.
Comment 1 Michael Gross 2006-03-16 14:22:42 UTC
Please attach the YaST logfiles (/var/log/YaST2). How is it possible that you are even able to call the firewall module?
Comment 2 Gerald Pfeifer 2006-03-18 11:16:15 UTC
Invoking the firewall module is as easy as running

  yast firewall

from the shell.  I'll attach the logs in a minute, but you can easily
reproduce this with SL10.0, SL10.1 Beta8 on i386 and SLES10 Beta7 on ia64.
Comment 3 Gerald Pfeifer 2006-03-18 11:18:55 UTC
Created attachment 73808
YaST log from a SLES10 Beta7 machine (ia64)
Comment 4 Michael Gross 2006-03-20 16:45:06 UTC
Gerald, please notice bug #159375, which was CLOSED->INVALID; this is about the same issue. However, I will redirect this one to the yast2-firewall maintainer.
Comment 5 Lukas Ocilka 2006-03-21 07:39:07 UTC
I guess anybody is able to reproduce this issue since the first YaST Firewall has been built ;) Running firewall as user is no security risk, all data is available on the system for everybody.

Sorry, I'll have to close it as duplicate (thanks Michael), I've found the same behavior in dns-server, dhcp-server, users, ldap-client, autoyast... so I guess it really behaves all the same.

If you still feel that 'running YaST module as normal user' should throw a warning that this is read-only mode, please define a behavior and create a feature request in FaTE for 10.2 and/or later. Thanks.

*** This bug has been marked as a duplicate of 159375 ***
Comment 6 Gerald Pfeifer 2006-03-21 21:07:13 UTC
It's not only read-only mode, it's worse, so I am reopening this.

For example, when you start the firewall module, it indicates that
the firewall is not running (though it is), thus displaying incorrect
information.

I see two options: either refuse to start the firewall module when
not running as root, or issue a warning that we are in read-only mode, that
some of the information displayed may not be correct, and some of
the actions the user chooses may fail.

Personally, I guess I'd prefer the former.
Comment 7 Lukas Ocilka 2006-03-22 07:28:23 UTC
Hmm, you're right that the module presents incorrect information. It comes from the simple fact that the user doesn't have permissions to call the init script to check the service status.

However, the issue "not enough permissions to check the service" applies also to "dns-server", "dhcp-server" and maybe others (where you can start/stop the service).
And the issue of not enough permissions to set up / check 'firewall' applies to all YaST modules that use the firewall (that small firewall checkbox, additionally with [Details] button).

I guess this should be decided in general. So -> needinfo 'visnov' (sorry Stano).
Comment 8 Stanislav Visnovsky 2006-03-22 08:19:15 UTC
Any such module can use Confirm::MustBeRoot() to present a popup to inform
the user.
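
An added example, not part of this bug report and not YaST code, illustrating the failure mode from comments 6 and 7 and the two options from comment 6: a status check that cannot be executed is reported as "unknown" instead of "not running", and a non-root caller is either refused or put in read-only mode. All function names are hypothetical, and the exit-code mapping assumes LSB init-script conventions.

```shell
#!/bin/sh
# Added illustration; not YaST code. All function names are hypothetical.

# classify_status RC: map the exit code of "<init-script> status" to a
# tri-state. Assumes LSB conventions: 0 = running, 1-3 = not running,
# 4 = status unknown. The shell itself yields 126 when the script cannot
# be executed (e.g. permission denied) and 127 when it is not found.
classify_status() {
    case "$1" in
        0)     echo running ;;
        1|2|3) echo stopped ;;
        *)     echo unknown ;;  # 4, 126, 127, ...: never report "stopped"
    esac
}

# service_state SCRIPT: run the status check and classify the result.
service_state() {
    rc=0
    "$1" status >/dev/null 2>&1 || rc=$?
    classify_status "$rc"
}

# decide_ui EUID STATE POLICY: what the dialog should do.
#   refuse (default): do not start the module unless root
#   warn            : start read-only and show the state as determined
decide_ui() {
    if [ "$1" -eq 0 ]; then
        echo "read-write:$2"
        return 0
    fi
    case "$3" in
        warn) echo "read-only:$2" ;;
        *)    echo "refuse" ;;
    esac
}

# Constructed stand-ins for init scripts: "true" exits 0, "false" exits 1,
# and /etc/passwd is a file that exists but cannot be executed.
for script in true false /etc/passwd; do
    state=$(service_state "$script")
    printf '%-12s %-8s %s\n' "$script" "$state" \
        "$(decide_ui "$(id -u)" "$state" warn)"
done
```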
Comment 9 Lukas Ocilka 2006-03-22 21:19:57 UTC
Let's change this bug -> Major
It might be fixed tomorrow... oh, it already IS tomorrow :)!
Comment 11 Lukas Ocilka 2006-03-23 08:20:12 UTC
These modules were fixed:
  * yast2-firewall
  * yast2-ntp-client
  * yast2-dhcp-server
  * yast2-ntp-server
  * yast2-runlevel

mail on yast2-hacker to fix other modules will follow...
Comment 12 Jiří Suchomel 2006-03-27 08:35:01 UTC
+ done:

yast2-nis-client
yast2-nis-server