Bug 1153005
| Summary: | fedora 21 lets me install packages without root | |||
|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | James Patterson <jamespatterson> | |
| Component: | distribution | Assignee: | Václav Pavlín <vpavlin> | |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | |
| Severity: | urgent | Docs Contact: | ||
| Priority: | unspecified | |||
| Version: | 21 | CC: | Anasastu, asl97, dennis, jamespatterson, notting, rhughes, rjones, tim.lauridsen | |
| Target Milestone: | --- | |||
| Target Release: | --- | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | Doc Type: | Bug Fix | ||
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1177935 (view as bug list) | Environment: | ||
| Last Closed: | 2014-10-20 15:01:17 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
|
Description
James Patterson
2014-10-15 11:17:58 UTC
James, does this happen if you start up Fedora and immediately try the commands? (Just checking, since Yum remembers if you've entered the root password during the current Terminal session, and won't ask until the session is closed.) Are there other packages that can seemingly trick the installer? If so, could you create a user with no Admin privileges and see whether that account is capable? Lastly, is there anything notable in your recent update/install history (besides nmap)? Thanks. It happens if I open a new gnome-terminal and run any command that does not exist yet. Try it with anything: nethogs, for example. non-wheel: haven't tried yet (this still needs to be fixed for wheel though) recent packages: tons! it's an alpha release, there are tons of updates! As non-wheel I am prompted for authentication. As wheel I am not prompted for authentication, even on a fresh boot (!) How can I propose this as a Blocker? This is a PackageKit thing http://fedoraproject.org/wiki/Features/PackageKitCommandNotFound I think this is supposed to work this way, if you are a administrator (= member of wheel group) you dont get asked for password But then we should be consistent with sudo and not require a password there either. (In reply to James Patterson from comment #6) > But then we should be consistent with sudo and not require a password there > either. There is a difference from installing packages without password if you are in the wheel group and sudo without password there can perform all root related actions Added Richard to CC, He can tell if that is supposed to work this way as I expect. Whereas yum install XYZ requires authentication... This is by design. If you're in the wheel group, you can do much more malicious things than install signed packages from signed repos. "sudo" provides unrestricted access to any action, and yum is a low-level packaging tool that allows you to do much more than just install packages. Then it's a poor design: it's inconsistent. I will open a new bug for the inconsistency. Bug 1177935 opened. |