Bug 240110 - pup updater doesn't have "privileged user" option for updates
Summary: pup updater doesn't have "privileged user" option for updates
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: usermode   
(Show other bugs)
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Miloslav Trmač
QA Contact: David Lawrence
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-05-15 09:24 UTC by Valent Turkovic
Modified: 2014-01-21 22:58 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-01-21 16:50:09 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Valent Turkovic 2007-05-15 09:24:44 UTC
Description of problem:
I tested OpenSuse and Ubuntu and I saw that they offer an option to add
privileged user to their update systems so that there is no need to type the
root password every time you need to do an update. I find this a great option!

Version-Release number of selected component (if applicable):


How reproducible:
Every time there is an update

Steps to Reproduce:
1. Wait till there is an update
2. Click on puplet info window
3. Enter root password once more
  
Actual results:


Expected results:
Just click on "Install updates" if I'm a privileged user, and system installs
all updates automatically. 

Additional info:
Fedora 7 test 4 with latest updates

Comment 1 Jeremy Katz 2007-05-15 15:06:00 UTC
Doing this on a per-app basis is crazy.  If something like this is going to be
enabled, it should be done more globally in consolehelper (potentially by making
consolehelper just sit on top of PolicyKit which has some things like that)

Comment 2 Miloslav Trmač 2007-05-15 19:34:02 UTC
This can be implemented by setting UGROUPS=privileged_user_group in
/etc/security/console.apps/* and modifying /etc/pam.d/config-util not to require
a password for users in privileged_user_group.

Fedora does not currently have a "privileged_user_group" though, and I'm not
sure it should have one.  If privileged_user, a member of privileged_user_group,
can install software without entering any password, any security vulnerability
that makes it possible to run arbitrary code as privileged_user would also make
it possible to run arbitrary code as root.

Comment 3 Valent Turkovic 2007-05-17 07:00:22 UTC
Leting some user be a root user without a password is crazy. If PolicyKit is
made for per-app privileges then I hail it - if would make update system much
more user friendly and much more usable. Plus if you could choose what kind of
updates to see in pup - ie. only security updates only, or system+desktop
updates or updates for all installed packages - that would be great.

Comment 4 Valent Turkovic 2008-01-21 11:35:50 UTC
Is there a possibility of this being added to F9? I have F8 and I can't see the
point of me entering password for updates all the time. There should be an
option "allow this user to always update" - and that should work with policykit
in order to make this possible.-

Comment 5 Valent Turkovic 2008-01-21 11:50:34 UTC
If I read this link correctly [1] then this issue is already solved in rawhide
and it will be in Fedora 9.

Cool.

[1] http://fedoraproject.org/wiki/Interviews/PackageKit

Comment 6 Miloslav Trmač 2008-01-21 16:50:09 UTC
(In reply to comment #4)
> Is there a possibility of this being added to F9?
Not in usermode.  As you have already noticed, PackageKit + PolicyKit provide
such fine-grained configuration options.

If you want to create a system-wide privileged users, you can now do it easier
than in F8 (due to #426095, you can edit only /etc/pam.d/config-util and
/etc/security/console.apps/config-util instead of configuring each
system-config-* separately), but usermode has no control over the applications
it executes.


Note You need to log in before you can comment on or make changes to this bug.