Bug 975214

Summary: Implement package installation policy agreed in FESCo #1115
Product: [Fedora] Fedora
Reporter: Adam Williamson <awilliam>
Component: PackageKit
Assignee: Richard Hughes <rhughes>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent
Priority: unspecified
Version: 19
CC: a.badger, jonathan, mclasen, mitr, notting, rdieter, rhughes, sgallagh, smparrish
Hardware: All   
OS: All   
Whiteboard: AcceptedFreezeException
Fixed In Version: PackageKit-0.8.9-5.fc19
Doc Type: Bug Fix
Last Closed: 2013-06-23 06:25:15 UTC
Type: Bug
Bug Blocks: 834091    

Description Adam Williamson 2013-06-17 20:14:41 UTC
A changed PolicyKit policy for package installation was agreed upon in https://fedorahosted.org/fesco/ticket/1115 , but apparently never implemented. It needs to be implemented for final release.

I cannot nominate this as a release blocking bug per the blocker process as it doesn't violate any release criteria. FESCo is expected to have its own mechanism for tracking issues that must be resolved prior to release relating to FESCo decisions. However, I'm nominating it as a freeze exception bug as it will need a freeze exception to be taken after the impending final release freeze.

Comment 1 Adam Williamson 2013-06-17 20:18:03 UTC
Patch from Notting was provided in #1115:

https://fedorahosted.org/fesco/ticket/1115#comment:20



For the javascript, put the following in /usr/share/polkit-1/rules.d/packagekit.rules:

polkit.addRule(function(action, subject) {
    if ((action.id == "org.freedesktop.packagekit.package-install" ||
        action.id == "org.freedesktop.packagekit.package-remove" ||
        action.id == "org.freedesktop.packagekit.system-update" ||
        action.id == "org.freedesktop.packagekit.trigger-offline-update") &&
        subject.active == true && subject.local == true &&
        subject.isInGroup("wheel")) {
            return polkit.Result.YES;
    }
});

(Holler if I got the full list of methods wrong, but it definitely works for the package install case). Then the recent changes for allow_active for these methods would change back from 'yes' to 'auth_admin_keep'.
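
Added example, not part of the patch or of the comment above: the rule from Comment 1 evaluated against constructed subjects in a small stand-in for the polkit rules engine, showing which callers get `yes` and which fall through to the action's implicit defaults. `makeEngine`, `mkSubject` and `decisions` are hypothetical names; the only default modelled is `allow_active = auth_admin_keep`, as the comment states, and other defaults are reported by name only.

```javascript
// Stand-in for polkitd's rules engine, reduced to what this rule needs (assumption).
function makeEngine(defaults) {
  const rules = [];
  const polkit = { Result: { YES: "yes" }, addRule: (fn) => rules.push(fn) };
  // Which implicit default polkit consults when no rule returns a result
  const implicitKey = (s) =>
    s.local && s.active ? "allow_active" : s.local ? "allow_inactive" : "allow_any";
  function check(actionId, s) {
    for (const rule of rules) {
      const result = rule({ id: actionId }, s);
      if (result !== undefined && result !== null) return result; // first answer wins
    }
    const key = implicitKey(s);
    return defaults[key] !== undefined ? defaults[key] : "implicit:" + key;
  }
  return { polkit, check };
}

// Constructed subjects; only the fields the rule reads are modelled.
const mkSubject = (groups, active, local) =>
  ({ active, local, isInGroup: (g) => groups.includes(g) });

function decisions() {
  // allow_active value taken from the comment; other defaults are not stated there.
  const { polkit, check } = makeEngine({ allow_active: "auth_admin_keep" });
  // The rule from Comment 1, unchanged
  polkit.addRule(function(action, subject) {
    if ((action.id == "org.freedesktop.packagekit.package-install" ||
        action.id == "org.freedesktop.packagekit.package-remove" ||
        action.id == "org.freedesktop.packagekit.system-update" ||
        action.id == "org.freedesktop.packagekit.trigger-offline-update") &&
        subject.active == true && subject.local == true &&
        subject.isInGroup("wheel")) {
            return polkit.Result.YES;
    }
  });
  const install = "org.freedesktop.packagekit.package-install";
  return {
    wheelActiveLocal: check(install, mkSubject(["wheel"], true, true)),
    userActiveLocal: check(install, mkSubject(["users"], true, true)),
    wheelRemote: check(install, mkSubject(["wheel"], true, false)),
    wheelInactive: check(install, mkSubject(["wheel"], false, true)),
  };
}

console.log(decisions());
```

Only the active, local wheel member is answered by the rule; every other caller is left to the implicit defaults, so the `allow_active` change back to `auth_admin_keep` is what makes a non-admin desktop user authenticate.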

Comment 2 Richard Hughes 2013-06-18 08:11:19 UTC
Can someone test the PackageKit package here please: http://people.freedesktop.org/~hughsient/fedora/ -- if that works I'll spin a new upstream release and push it into F19. Thanks.

Comment 3 Fedora Update System 2013-06-18 11:20:48 UTC
PackageKit-0.8.9-5.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/PackageKit-0.8.9-5.fc19

Comment 4 Fedora Update System 2013-06-18 19:42:24 UTC
Package PackageKit-0.8.9-5.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing PackageKit-0.8.9-5.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-11181/PackageKit-0.8.9-5.fc19
then log in and leave karma (feedback).

Comment 5 Adam Williamson 2013-06-19 00:30:46 UTC
I confirm at least the following:

* Without the update, a non-admin user can 'pkcon install' any package from the repos
* With the update, a non-admin user cannot 'pkcon install' anything without the root password
* With the update, an admin user can 'pkcon remove' a package (but I was asked for the user's password)
* With the update, an admin user can 'pkcon install' a package without authentication (though it may have been cached from the 'pkcon remove')

Definitely looks like an 'improvement'.

Comment 6 Adam Williamson 2013-06-19 18:15:48 UTC
Discussed at 2013-06-19 freeze exception review meeting: http://meetbot.fedoraproject.org/fedora-blocker-review/2013-06-19/f19final-blocker-review-7.2013-06-19-16.01.log.txt . Accepted as a freeze exception issue, FESCo is mandating this be fixed before Final so obviously it gets a freeze exception. (This is basically a 'blocker bug', but there's some boring process argumentation about whether it should be denoted a FinalBlocker or whether it's FESCo's job to track it, but it definitely needs FE status).

Comment 7 Fedora Update System 2013-06-23 06:25:15 UTC
PackageKit-0.8.9-5.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.