Bug 975214
Summary: | Implement package installation policy agreed in FESCo #1115 | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Adam Williamson <awilliam> |
Component: | PackageKit | Assignee: | Richard Hughes <rhughes> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | urgent | Docs Contact: | |
Priority: | unspecified | ||
Version: | 19 | CC: | a.badger, jonathan, mclasen, mitr, notting, rdieter, rhughes, sgallagh, smparrish |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | All | ||
Whiteboard: | AcceptedFreezeException | ||
Fixed In Version: | PackageKit-0.8.9-5.fc19 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2013-06-23 06:25:15 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 834091 |
Description
Adam Williamson
2013-06-17 20:14:41 UTC
Patch from Notting was provided in #1115: https://fedorahosted.org/fesco/ticket/1115#comment:20 For the javascript, put the following in /usr/share/polkit-1/rules.d/packagekit.rules: polkit.addRule(function(action, subject) { if ((action.id == "org.freedesktop.packagekit.package-install" || action.id == "org.freedesktop.packagekit.package-remove" || action.id == "org.freedesktop.packagekit.system-update" || action.id == "org.freedesktop.packagekit.trigger-offline-update") && subject.active == true && subject.local == true && subject.isInGroup("wheel")) { return polkit.Result.YES; } }); (Holler if I got the full list of methods wrong, but it definitely works for the package install case). Then the recent changes for allow_active for these methods would change back from 'yes' to 'auth_admin_keep'. Can someone test the PackageKit package here please: http://people.freedesktop.org/~hughsient/fedora/ -- if that works I'll spin a new upstream release and push it into F19. Thanks. PackageKit-0.8.9-5.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/PackageKit-0.8.9-5.fc19 Package PackageKit-0.8.9-5.fc19: * should fix your issue, * was pushed to the Fedora 19 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing PackageKit-0.8.9-5.fc19' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2013-11181/PackageKit-0.8.9-5.fc19 then log in and leave karma (feedback). I confirm at least the following: * Without the update, a non-admin user can 'pkcon install' any package from the repos * With the update, a non-admin user cannot 'pkcon install' anything without the root password * With the update, an admin user can 'pkcon remove' a package (but I was asked for the user's password) * With the update, an admin user can 'pkcon install' a package without authentication (though it may have been cached from the 'pkcon remove') Definitely looks like an 'improvement'. Discussed at 2013-06-19 freeze exception review meeting: http://meetbot.fedoraproject.org/fedora-blocker-review/2013-06-19/f19final-blocker-review-7.2013-06-19-16.01.log.txt . Accepted as a freeze exception issue, FESCo is mandating this be fixed before Final so obviously it gets a freeze exception. (This is basically a 'blocker bug', but there's some boring process argumentation about whether it should be denoted a FinalBlocker or whether it's FESCo's job to track it, but it definitely needs FE status). PackageKit-0.8.9-5.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report. |