Bug 888083
| Field | Value |
|---|---|
| Summary | Guest normal account can click and initiate a Fedora 18/19 software update without submitting to password security check. |
| Product | [Fedora] Fedora |
| Reporter | Leslie Satenstein <lsatenstein> |
| Component | up2date |
| Assignee | Adrian Likins <alikins> |
| Status | CLOSED CANTFIX |
| QA Contact | Beth Nackashi <bnackash> |
| Severity | unspecified |
| Priority | unspecified |
| Version | rawhide |
| CC | lsatenstein |
| Hardware | All |
| OS | Linux |
| Doc Type | Bug Fix |
| Doc Text | Cause: System maintainer is responsible for all software versions and patch levels on his system. |
| Last Closed | 2015-02-13 21:54:29 UTC |
| Type | Bug |

Description
Leslie Satenstein
2012-12-18 00:15:29 UTC
Fedora 18 DVD Jan 15th version

From a guest account I am able to start a software update. Only via an account with root privileges (root, or via sudo) should updates be permitted.

Here is the result of my test. The guest account has normal (no administrator) privileges. There is no request for authorisation.

Start Add/remove software. From the Software menu icon, click on it and select Check for Updates.

The result is that the Linux system is updated.

Why this should not be:

We may have some application, database, network, or business application that needs execution with the Linux system as it is. By the non-authorized user, the updates were selected and applied, and with a kernel update, a reboot was required. This reboot caused previous program(s) to fail.

Only via root privileges should an update be permitted. Is my guest account (non-administrator) going to initiate updates without providing a password?

Suppose I am running an application that requires a very specific version of installed software, and the normal user selects software update. My specific version of software may be overwritten, which means that other applications that will call the reserved version could fail. We don't stand behind the user, watching what he does. He may trigger an update.

One option-- Require software updates to always require root privileges
2nd option-- Provide a blocking option as within yum such as exclude=
3rd option-- Do not show software selection for a normal user account.

Implement or indicate if it is a do-not-fix or will be fixed, and fix it. This bug is a request to fix an insecurity problem. A standard user should not be allowed to trigger software updates.

Refer to comment 3 above: if the guest user issues sudo, and is not in the wheel group, the user is blocked.
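
One way to get the reporter's first option (updates always require administrator authentication), as an added example that is not part of the bug report or of Fedora's shipped policy. It assumes the graphical updater authorises through polkit using the PackageKit action ids listed in the code; the rules file name, the `authorize` helper and the mock `polkit` object are hypothetical and exist only so the rule can be exercised offline.

```javascript
// Added example: a polkit rule plus a small offline harness (not from the bug report).
// Mock of the `polkit` object that polkitd provides to rules files.
// On a real system this mock is dropped and only the addRule() call is kept,
// e.g. in /etc/polkit-1/rules.d/10-updates-require-admin.rules (hypothetical name).
const polkit = {
  Result: { YES: "yes", AUTH_ADMIN: "auth_admin", NOT_HANDLED: "not_handled" },
  rules: [],
  addRule(fn) { this.rules.push(fn); },
};

// Assumption: these are the PackageKit actions behind "Check for Updates".
const UPDATE_ACTIONS = [
  "org.freedesktop.packagekit.system-update",
  "org.freedesktop.packagekit.trigger-offline-update",
];

polkit.addRule(function (action, subject) {
  if (UPDATE_ACTIONS.indexOf(action.id) === -1) {
    return polkit.Result.NOT_HANDLED; // leave other actions to later rules/defaults
  }
  // Demand an administrator's password for every subject, including an
  // active local desktop session such as the guest account in the report.
  return polkit.Result.AUTH_ADMIN;
});

// Harness: the first rule that returns a decision wins; otherwise the
// action's implicit default from its .policy file applies.
function authorize(actionId, subject, implicitDefault) {
  for (const rule of polkit.rules) {
    const result = rule({ id: actionId }, subject);
    if (result && result !== polkit.Result.NOT_HANDLED) return result;
  }
  return implicitDefault;
}

// Constructed sample subject: unprivileged user in an active local session.
const guest = { user: "guest", groups: ["guest"], local: true, active: true };
console.log(authorize(UPDATE_ACTIONS[0], guest, polkit.Result.YES));
```
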