Red Hat Bugzilla – Bug 240110
pup updater doesn't have "privileged user" option for updates
Last modified: 2014-01-21 17:58:11 EST
Description of problem:
I tested OpenSuse and Ubuntu and I saw that they offer an option to add
privileged user to their update systems so that there is no need to type the
root password every time you need to do an update. I find this a great option!
Version-Release number of selected component (if applicable):
Every time there is an update
Steps to Reproduce:
1. Wait till there is an update
2. Click on puplet info window
3. Enter root password once more
Just click on "Install updates" if I'm a privileged user, and system installs
all updates automatically.
Fedora 7 test 4 with latest updates
Doing this on a per-app basis is crazy. If something like this is going to be
enabled, it should be done more globally in consolehelper (potentially by making
consolehelper just sit on top of PolicyKit which has some things like that)
This can be implemented by setting UGROUPS=privileged_user_group in
/etc/security/console.apps/* and modifying /etc/pam.d/config-util not to require
a password for users in privileged_user_group.
Fedora does not currently have a "privileged_user_group" though, and I'm not
sure it should have one. If privileged_user, a member of privileged_user_group,
can install software without entering any password, any security vulnerability
that makes it possible to run arbitrary code as privileged_user would also make
it possible to run arbitrary code as root.
Leting some user be a root user without a password is crazy. If PolicyKit is
made for per-app privileges then I hail it - if would make update system much
more user friendly and much more usable. Plus if you could choose what kind of
updates to see in pup - ie. only security updates only, or system+desktop
updates or updates for all installed packages - that would be great.
Is there a possibility of this being added to F9? I have F8 and I can't see the
point of me entering password for updates all the time. There should be an
option "allow this user to always update" - and that should work with policykit
in order to make this possible.-
If I read this link correctly  then this issue is already solved in rawhide
and it will be in Fedora 9.
(In reply to comment #4)
> Is there a possibility of this being added to F9?
Not in usermode. As you have already noticed, PackageKit + PolicyKit provide
such fine-grained configuration options.
If you want to create a system-wide privileged users, you can now do it easier
than in F8 (due to #426095, you can edit only /etc/pam.d/config-util and
/etc/security/console.apps/config-util instead of configuring each
system-config-* separately), but usermode has no control over the applications