Bug 1094120
Summary: | Packagekit polkit policy is desktop centric, prevents server usage | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Stef Walter <stefw> |
Component: | PackageKit | Assignee: | Richard Hughes <rhughes> |
Status: | CLOSED NEXTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Priority: | unspecified |
Version: | 20 | CC: | jonathan, rdieter, rhughes, smparrish |
Hardware: | Unspecified | OS: | Unspecified |
Doc Type: | Bug Fix | Type: | Bug |
Last Closed: | 2014-05-08 09:33:33 UTC | Bug Blocks: | 1094121 |
Description
Stef Walter
2014-05-05 06:22:49 UTC
Upstream patch posted.

The policy as currently implemented was a result of FESCo policy,
https://fedoraproject.org/wiki/Privilege_escalation_policy
which includes:

in short, admin auth is required for:

* Add, remove, or downgrade any system-wide application or shared resource (packaged or otherwise), with the exception that for installing Fedora-signed packages from administrator-configured repositories, the requirement to ask for a password is waived for members of the wheel group who are local and active.

* Shutdown or reboot the system (unless they are the only user logged in, and they are logged in locally)

It seems to me that your proposal is asking to reverse (at least) these 2 items for non-local logins. Is that accurate? (or am I misunderstanding?)

If so, I would recommend you reach out to FESCo to consider your use-case, to modify the Privilege_escalation_policy accordingly. Once that is done, then PackageKit can be modified to comply with the new policy.

(In reply to Rex Dieter from comment #2)
> The policy as currently implemented was a result of FESCo policy,
> https://fedoraproject.org/wiki/Privilege_escalation_policy
> which includes:
>
> in short, admin auth is required for:
>
> * Add, remove, or downgrade any system-wide application or shared resource
> (packaged or otherwise), with the exception that for installing
> Fedora-signed packages from administrator-configured repositories, the
> requirement to ask for a password is waived for members of the wheel group
> who are local and active.
>
> * Shutdown or reboot the system (unless they are the only user logged in,
> and they are logged in locally)
>
>
> It seems to me that your proposal is asking to reverse (at least) these 2
> items for non-local logins. Is that accurate? (or am I misunderstanding?)

Could you point out which ones? I'm not at all waiving the requirement to ask for a password. By using 'admin_auth' I'm only allowing escalation when reauthorization is provided.

Currently PackageKit flat out refuses to talk to users logged in via ssh (for the various actions that I've patched). After the changes it'll (via polkit) ask them to reauthorize before performing the task in question. I don't think this requires a change in FESCO policy.

OK, thanks for the clarification. I would agree no change in FESCo policy is required to implement this.

Fixed upstream. Thanks.
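
An added example, not part of the bug report or of PackageKit's code: a small audit that reads a polkit `.policy` document and lists actions whose `allow_any` default is `no` while `allow_active` grants or offers access, which is the "refuses ssh users outright" pattern discussed in this thread (polkit spells the reauthorization value `auth_admin`). The sample policy and its action ids are constructed for illustration, and treating a missing element as `no` is an assumption of this sketch.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy; the action ids are hypothetical, not PackageKit's.
SAMPLE_POLICY = """<policyconfig>
  <action id="org.example.pkg.install">
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.example.pkg.remove">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
  <action id="org.example.pkg.refresh">
    <defaults>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
</policyconfig>
"""

def implicit_auth(action, tag):
    """Implicit authorization for one session class (assumption: missing means "no")."""
    node = action.find(f"defaults/{tag}")
    return (node.text or "").strip() if node is not None else "no"

def desktop_only_actions(policy_xml):
    """Ids of actions an active local session may use (possibly after
    authenticating) but that any other client, e.g. an ssh login, is refused."""
    root = ET.fromstring(policy_xml)
    flagged = []
    for action in root.iter("action"):
        if implicit_auth(action, "allow_any") == "no" and \
           implicit_auth(action, "allow_active") != "no":
            flagged.append(action.get("id"))
    return flagged

if __name__ == "__main__":
    for action_id in desktop_only_actions(SAMPLE_POLICY):
        print(f"{action_id}: allow_any=no, remote sessions cannot even authenticate")
```
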