Bug 1225788

Summary: /usr/libexec/pk-command-not-found can install packages without asking for root/sudo permissions
Product: Fedora
Reporter: Sascha Zantis <sascha.zantis>
Component: PackageKit
Assignee: Richard Hughes <rhughes>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: 22
CC: jonathan, kalevlember, projects.rg, rdieter, rhughes, smparrish
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Last Closed: 2015-05-28 09:40:45 UTC
Type: Bug

Description Sascha Zantis 2015-05-28 09:06:39 UTC
Description of problem:
I installed a command-not-found plugin in my zsh which is a wrapper around /usr/libexec/pk-command-not-found. It is able to install packages without asking for the sudo password. There is no sudo cache stuff happening; I tried that immediately after boot. I pasted the output here: http://fpaste.org/226426/32803337/


Version-Release number of selected component (if applicable):
Fedora 22, PackageKit-command-not-found-1.0.6-4.fc22.x86_64

How reproducible:
Always

Steps to Reproduce:
1. call /usr/libexec/pk-command-not-found with a package name

Actual results:
The package is installed and started without asking for sudo authentication.

Expected results:
I am asked for a sudo password.

Additional info:
I heard that something like this (letting users install packages without sudo) was discussed a year or two ago, but I did not expect that to be "normal" now.

I also created a screenshot that shows 2 terminals. In the left terminal, inkscape is removed with sudo dnf remove; in the right terminal (which is a new session) inkscape is installed via the zsh plugin that calls /usr/libexec/pk-command-not-found. To show that there is no sudo caching happening, I started sudo -i after that, which would not need a password if anything was cached but does ask for a password (as expected). https://i.imgur.com/VwAKhsR.png

Comment 1 Raphael Groner 2015-05-28 09:12:40 UTC
This sounds like a security issue. Please make this report protected (not public to everyone), thanks.

Feature since Fedora 12 as of 2009-08-07.
https://fedoraproject.org/wiki/Features/PackageKitCommandNotFound

Comment 2 Kalev Lember 2015-05-28 09:40:45 UTC
It's by design that admin users (in the wheel group) can install software without having to enter a password. See https://fedorahosted.org/fesco/ticket/1115#comment:18 and the discussion in the ticket for background information.
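The behaviour described in this comment is a polkit authorization decision rather than a sudo one, so an administrator who does not want it can override it with a polkit rule. The following is an added example, not code from the bug report, from PackageKit or from Fedora: it contains a small stand-in for the polkit rules engine so the logic can be run offline, a rule in the shape of what the distribution is assumed to ship (active, local wheel users get `YES` for `org.freedesktop.packagekit.package-install`), and an override rule that demands admin authentication instead. The action id is PackageKit's real one; the rule file names, the exact shipped rule text and the stand-in engine are assumptions.

```javascript
// Added example (not from the bug report, PackageKit or Fedora): a tiny
// stand-in for the polkit rules engine so rule logic can be evaluated offline.
// Real polkit loads *.rules files from /etc/polkit-1/rules.d and
// /usr/share/polkit-1/rules.d in lexical filename order and uses the first
// rule that returns a result; file names and the shipped rule below are
// assumptions about the Fedora 22 setup, not quoted from the page.
const polkit = {
  Result: { YES: "yes", NO: "no", AUTH_ADMIN_KEEP: "auth_admin_keep" },
  rules: [],
  addRule(fn) { this.rules.push(fn); },
  // Evaluate rules in load order; the first non-null result wins.
  check(action, subject) {
    for (const rule of this.rules) {
      const r = rule(action, subject);
      if (r !== undefined && r !== null) return r;
    }
    return null; // no rule matched: polkit falls back to the .policy defaults
  },
};

const INSTALL = "org.freedesktop.packagekit.package-install";

// Assumed hardening rule, as an admin would drop it into
// /etc/polkit-1/rules.d/00-pk-install-auth.rules (low number so it sorts
// before the distribution rule): wheel users must still authenticate.
function loadHardeningRule() {
  polkit.addRule(function (action, subject) {
    if (action.id === INSTALL && subject.isInGroup("wheel")) {
      return polkit.Result.AUTH_ADMIN_KEEP;
    }
  });
}

// Assumed distribution rule matching the behaviour described in comment 2:
// active, local wheel users may install packages without a password.
function loadDistributionRule() {
  polkit.addRule(function (action, subject) {
    if (action.id === INSTALL && subject.active && subject.local &&
        subject.isInGroup("wheel")) {
      return polkit.Result.YES;
    }
  });
}

// Constructed subject object shaped like polkit's Subject (active/local flags
// plus group membership); values are made up for the demonstration.
function makeSubject(groups, { active = true, local = true } = {}) {
  return { active, local, isInGroup: (g) => groups.includes(g) };
}

// Load the given rule files in order and decide the install action for a subject.
function decide(ruleLoaders, subject) {
  polkit.rules = [];
  ruleLoaders.forEach((load) => load());
  return polkit.check({ id: INSTALL }, subject);
}

const wheelUser = makeSubject(["wheel", "users"]);
const plainUser = makeSubject(["users"]);
const remoteWheel = makeSubject(["wheel"], { local: false });

// As shipped: a local wheel user installs silently; a remote wheel session and a
// plain user fall through to the action's policy defaults.
const shippedWheel = decide([loadDistributionRule], wheelUser);      // "yes"
const shippedRemote = decide([loadDistributionRule], remoteWheel);   // null
const shippedPlain = decide([loadDistributionRule], plainUser);      // null
// With the override sorted first: the wheel user must authenticate as admin.
const hardenedWheel = decide([loadHardeningRule, loadDistributionRule], wheelUser); // "auth_admin_keep"

console.log({ shippedWheel, shippedRemote, shippedPlain, hardenedWheel });
```

On a real system the equivalent check is to read the rule files in the two rules.d directories in filename order and confirm which rule matches first for `org.freedesktop.packagekit.package-install`; `pkcheck --action-id org.freedesktop.packagekit.package-install --process $$` is the polkit CLI way to ask the running authority for the decision for the current shell.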

Comment 3 Sascha Zantis 2015-05-28 09:51:38 UTC
Thanks for the clarification.