Bug 460908 - "Remember Auth" possible when installing unsigned RPM
"Remember Auth" possible when installing unsigned RPM
Product: Fedora
Classification: Fedora
Component: PackageKit (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Robin Norwood
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2008-09-02 11:31 EDT by Martin Jürgens
Modified: 2008-09-03 14:44 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-09-03 14:44:41 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
screnshot (23.71 KB, image/png)
2008-09-02 16:56 EDT, Martin Jürgens
no flags Details

  None (edit)
Description Martin Jürgens 2008-09-02 11:31:09 EDT
Well with recent PackageKit in Fedora 9 it is possible to Remember the Authentification (even checked by default) when installing an unsigned RPM.

Could be a potential security risk when the user does not double check when entering the password.
Comment 1 Richard Hughes 2008-09-02 11:58:48 EDT
Are you sure? I get the chance to remember auth on the first stage install (trusted) and then get to re-authenticate without the chance to retain if the package is really unsigned. Can you describe what dialogs you see?
Comment 2 Martin Jürgens 2008-09-02 16:56:20 EDT
Created attachment 315600 [details]

well this is what i get when i try to install the flash player rpm from http://www.adobe.com/shockwave/download/download.cgi?P1_Prod_Version=ShockwaveFlash&Lang=German&promoid=COYSZ 

i noticed that "remember authorization" is checked by default, so when i enter my password and leave it checked, it should theoretically possible to install all local rpms without any further passwords, shouldn't it? i hope this answers your question.
Comment 3 Richard Hughes 2008-09-03 03:45:00 EDT
You're seeing the first stage in the trusted dance (see http://www.packagekit.org/gtk-doc/introduction-ideas-transactions.html for more information) -- the second stage will no have a remember authentication step if the file does not have a recognised key.
Comment 4 Martin Jürgens 2008-09-03 14:44:30 EDT
good. sorry for bugging you.

Note You need to log in before you can comment on or make changes to this bug.