Bug 1299824 - DNF does download packages, but does not install them
Summary: DNF does download packages, but does not install them
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: dnf
Version: 23
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Packaging Maintenance Team
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-01-19 10:49 UTC by customercare
Modified: 2016-01-19 16:29 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-01-19 16:29:16 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)

Description customercare 2016-01-19 10:49:02 UTC 
Description of problem:

ANY USER on a system can enter "dnf update" and dnf will fetch the packages,
download them, but does not install them; out of security reasons as the user isn't root.

Instead of downloading them first and repelling the user afterwards, 
downloading should not be allowed in the first place, like yum did it.

In consequence, a user can use dnf to fill the system partition with packages.
With a small system partition size, this can be a problem for the system.



Version-Release number of selected component (if applicable):

1.1.5

How reproducible:

100%

Steps to Reproduce:
1. login as user A != root
2. dnf update 
3. the rest is selfexplaining

Actual results:

tons of downloaded  packages

Expected results:

early abort out of security reasons.

Additional info:

dnf makecache works also as != ROOT..
Comment 1 Michal Luscon 2016-01-19 16:29:16 UTC 
Hi,

dnf uses different cache directories for nonroot users inside /tmp and also downloads packages into these directories. You may find useful the noroot plugin from dnf-plugins-core.
Note You need to log in before you can comment on or make changes to this bug.