Save configuration root password inconsistency during upgrade

Pitfrr

Hello,

I couldn't find similar threads so I started this one.
In TrueNAS 12.x when you want to download the configuration file, it asks for the root password, which is a good practice from a security perspective.

I just did an upgrade from 12.0-U1 to 12.0-U3.1.
Before upgrading, I saved the configuration and got asked for the root password as expected.
Then I started the upgrade process. I had forgotten that it asks to download the configuration as well...
So I did it again (just to be sure! :tongue:) and here to my surprise, no root password asked?

That was surprising and inconsistent with the behavior in System\General\Save config.
Now that the update is done, I cannot reproduce it again of course... :smile:
But, is this a wanted behavior or a bug (a minor one I would say at least for my use case)?

Is there some kind of timer that if you provided the root password within the last few minutes it won't ask again?
At least not for the download of the configuration in the System\General tab.

Did anyone else experience that?
 

Pitfrr

I confirmed the behavior with the update to 12.0-U4: no root password asked when upgrading.
 

sretalla

You're right. That's the way it has been working since one of the updates after 12.0.

I agree it's a little crazy to provide an effective back-door into the config download (via the update process) if you're going to provide a locked front door in the general config.

In "normal conditions" (as you're currently observing), you can't initiate an update unless there's one waiting, so that back-door is closed/bricked-up a lot of the time if you update soon after updates become available.

The fact that being able to see that button means you're already root and can damage a lot of things without further confirmation also means there's a consistency gap.

Anyway, all that to say it either needs to be made consistent by removing the password prompt from the general page or adding it to the upgrade process.
 