Description of problem: ANY USER on a system can enter "dnf update" and dnf will fetch the packages, download them, but does not install them; out of security reasons as the user isn't root. Instead of downloading them first and repelling the user afterwards, downloading should not be allowed in the first place, like yum did it. In consequence, a user can use dnf to fill the system partition with packages. With a small system partition size, this can be a problem for the system. Version-Release number of selected component (if applicable): 1.1.5 How reproducible: 100% Steps to Reproduce: 1. login as user A != root 2. dnf update 3. the rest is selfexplaining Actual results: tons of downloaded packages Expected results: early abort out of security reasons. Additional info: dnf makecache works also as != ROOT..
Hi, dnf uses different cache directories for nonroot users inside /tmp and also downloads packages into these directories. You may find useful the noroot plugin from dnf-plugins-core.