Bug 1299824 - DNF does download packages, but does not install them
DNF does download packages, but does not install them
Product: Fedora
Classification: Fedora
Component: dnf (Show other bugs)
x86_64 Linux
unspecified Severity medium
: ---
: ---
Assigned To: packaging-team-maint
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2016-01-19 05:49 EST by customercare
Modified: 2016-01-19 11:29 EST (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2016-01-19 11:29:16 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description customercare 2016-01-19 05:49:02 EST
Description of problem:

ANY USER on a system can enter "dnf update" and dnf will fetch the packages,
download them, but does not install them; out of security reasons as the user isn't root.

Instead of downloading them first and repelling the user afterwards, 
downloading should not be allowed in the first place, like yum did it.

In consequence, a user can use dnf to fill the system partition with packages.
With a small system partition size, this can be a problem for the system.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. login as user A != root
2. dnf update 
3. the rest is selfexplaining

Actual results:

tons of downloaded  packages

Expected results:

early abort out of security reasons.

Additional info:

dnf makecache works also as != ROOT..
Comment 1 Michal Luscon 2016-01-19 11:29:16 EST

dnf uses different cache directories for nonroot users inside /tmp and also downloads packages into these directories. You may find useful the noroot plugin from dnf-plugins-core.

Note You need to log in before you can comment on or make changes to this bug.