Bug 1299824

Summary: DNF does download packages, but does not install them
Product: [Fedora] Fedora
Reporter: customercare
Component: dnf
Assignee: Packaging Maintenance Team <packaging-team-maint>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 23
CC: jsilhan, mluscon, packaging-team-maint, pnemade, vmukhame
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-01-19 16:29:16 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description customercare 2016-01-19 10:49:02 UTC
Description of problem:

ANY USER on a system can enter "dnf update" and dnf will fetch the packages and
download them, but does not install them, for security reasons, as the user isn't root.

Instead of downloading them first and repelling the user afterwards, 
downloading should not be allowed in the first place, like yum did it.

In consequence, a user can use dnf to fill the system partition with packages.
With a small system partition size, this can be a problem for the system.



Version-Release number of selected component (if applicable):

1.1.5

How reproducible:

100%

Steps to Reproduce:
1. log in as user A != root
2. dnf update
3. the rest is self-explanatory

Actual results:

tons of downloaded packages

Expected results:

early abort for security reasons.

Additional info:

dnf makecache also works as != ROOT.

Comment 1 Michal Luscon 2016-01-19 16:29:16 UTC
Hi,

dnf uses different cache directories for non-root users inside /tmp and also downloads packages into these directories. You may find the noroot plugin from dnf-plugins-core useful.
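
An added example, not part of the original bug thread and not code from the dnf project: a small audit that reports how much space per-user dnf cache directories occupy under a temporary directory, which is the disk-fill concern the report raises. The `dnf-` directory prefix, the size limit and the sample tree are assumptions made for illustration.

```python
import os
import pwd
import stat
import tempfile
from pathlib import Path


def tree_bytes(root):
    """Sum the sizes of regular files under root without following symlinks."""
    total = 0
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            try:
                st = os.lstat(os.path.join(dirpath, name))
            except OSError:
                continue  # file vanished while scanning
            if stat.S_ISREG(st.st_mode):
                total += st.st_size
    return total


def owner_name(uid):
    """Resolve a uid to a user name, falling back to the numeric id."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def audit_dnf_user_caches(tmp_root, limit_bytes, prefix="dnf-"):
    """List cache directories directly under tmp_root (prefix is an assumption)."""
    report = []
    for entry in sorted(Path(tmp_root).iterdir()):
        if not entry.name.startswith(prefix) or entry.is_symlink() or not entry.is_dir():
            continue
        size = tree_bytes(entry)
        report.append({"path": str(entry), "owner": owner_name(entry.lstat().st_uid),
                       "bytes": size, "over_limit": size > limit_bytes})
    return report


def build_sample(root):
    """Constructed sample tree: two user caches and one unrelated directory."""
    for name, payload in (("dnf-alice-Xa1", 4096), ("dnf-bob-Yb2", 128), ("systemd-private", 9000)):
        pkg_dir = Path(root) / name / "packages"
        pkg_dir.mkdir(parents=True)
        (pkg_dir / "sample.rpm").write_bytes(b"\0" * payload)
```

Run it from cron or a monitoring agent against the real temporary directory and alert on rows where `over_limit` is true.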