Description of problem: I installed a command-not-found plugin in my zsh which is a wrapper to /usr/libexec/pk-command-not-found. It is able to install packages without asking for the sudo password. There is no sudo cache stuff happening, I tried that immediately after boot. I pasted the output here: http://fpaste.org/226426/32803337/ Version-Release number of selected component (if applicable): Fedora 22, PackageKit-command-not-found-1.0.6-4.fc22.x86_64 How reproducible: Always Steps to Reproduce: 1. call /usr/libexec/pk-command-not-found with a package name Actual results: The package is installed and started without asking for sudo authentication. Expected results: I am asked for a sudo password. Additional info: I heard that something like this (letting users install packages without sudo) was discussed a year or two ago, but I did not expect that to be "normal" now. I also created a screenshot that shows 2 terminals. In the left terminal, inkscape is removed with sudo dnf remove, in the right terminal (which is a new session) inkscape is installed via the zsh plugin that calls /usr/libexec/pk-command-not-found. To show that there is no sudo caching happening, I started sudo -i after that which would not need a password if anything was cached but does ask for a password (as expected). https://i.imgur.com/VwAKhsR.png
This sounds like a security issue. Please make this report protected (not public to everyone), thanks. Feature since Fedora 12 as of 2009-08-07 . https://fedoraproject.org/wiki/Features/PackageKitCommandNotFound
It's by design that admin users (in the wheel group) can install software without having to enter a password. See https://fedorahosted.org/fesco/ticket/1115#comment:18 and the discussion in the ticket for background information.
Thanks for clarification.