Bug 240110

Summary: pup updater doesn't have "privileged user" option for updates
Product: [Fedora] Fedora Reporter: Valent Turkovic <valent.turkovic>
Component: usermodeAssignee: Miloslav Trmač <mitr>
Status: CLOSED WONTFIX QA Contact: David Lawrence <dkl>
Severity: medium Docs Contact:
Priority: medium    
Version: rawhide   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-01-21 16:50:09 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Valent Turkovic 2007-05-15 09:24:44 UTC 
Description of problem:
I tested OpenSuse and Ubuntu and I saw that they offer an option to add
privileged user to their update systems so that there is no need to type the
root password every time you need to do an update. I find this a great option!

Version-Release number of selected component (if applicable):


How reproducible:
Every time there is an update

Steps to Reproduce:
1. Wait till there is an update
2. Click on puplet info window
3. Enter root password once more
  
Actual results:


Expected results:
Just click on "Install updates" if I'm a privileged user, and system installs
all updates automatically. 

Additional info:
Fedora 7 test 4 with latest updates
Comment 1 Jeremy Katz 2007-05-15 15:06:00 UTC 
Doing this on a per-app basis is crazy.  If something like this is going to be
enabled, it should be done more globally in consolehelper (potentially by making
consolehelper just sit on top of PolicyKit which has some things like that)
Comment 2 Miloslav Trmač 2007-05-15 19:34:02 UTC 
This can be implemented by setting UGROUPS=privileged_user_group in
/etc/security/console.apps/* and modifying /etc/pam.d/config-util not to require
a password for users in privileged_user_group.

Fedora does not currently have a "privileged_user_group" though, and I'm not
sure it should have one.  If privileged_user, a member of privileged_user_group,
can install software without entering any password, any security vulnerability
that makes it possible to run arbitrary code as privileged_user would also make
it possible to run arbitrary code as root.
Comment 3 Valent Turkovic 2007-05-17 07:00:22 UTC 
Leting some user be a root user without a password is crazy. If PolicyKit is
made for per-app privileges then I hail it - if would make update system much
more user friendly and much more usable. Plus if you could choose what kind of
updates to see in pup - ie. only security updates only, or system+desktop
updates or updates for all installed packages - that would be great.
Comment 4 Valent Turkovic 2008-01-21 11:35:50 UTC 
Is there a possibility of this being added to F9? I have F8 and I can't see the
point of me entering password for updates all the time. There should be an
option "allow this user to always update" - and that should work with policykit
in order to make this possible.-
Comment 5 Valent Turkovic 2008-01-21 11:50:34 UTC 
If I read this link correctly [1] then this issue is already solved in rawhide
and it will be in Fedora 9.

Cool.

[1] http://fedoraproject.org/wiki/Interviews/PackageKit
Comment 6 Miloslav Trmač 2008-01-21 16:50:09 UTC 
(In reply to comment #4)
> Is there a possibility of this being added to F9?
Not in usermode.  As you have already noticed, PackageKit + PolicyKit provide
such fine-grained configuration options.

If you want to create a system-wide privileged users, you can now do it easier
than in F8 (due to #426095, you can edit only /etc/pam.d/config-util and
/etc/security/console.apps/config-util instead of configuring each
system-config-* separately), but usermode has no control over the applications
it executes.