Bug 485117 - Request for Enhancement: Permit Remote Execution of PackageKit under PolicyKit control
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: PackageKit
Version: 10
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Richard Hughes
QA Contact: Fedora Extras Quality Assurance
Reported: 2009-02-11 17:34 UTC by bob mckay
Modified: 2009-06-03 08:57 UTC (History)

Last Closed: 2009-06-03 08:57:57 UTC

Description bob mckay 2009-02-11 17:34:51 UTC
Description of problem:
PackageKit currently has hard-coded that remote execution (e.g. via ssh-tunneled VNC or NX) is not possible. This means that the only ways to update systems headlessly are either:
- to open up X11 security holes or
- to use command line updating and forego all the benefits of PackageKit
Both cause real problems for admins.

Version-Release number of selected component (if applicable): all current versions
How reproducible: Always

Steps to Reproduce:
1. Run PackageKit from a remote terminal
  
Actual results:
Refuses to run, and no mechanism to permit PolicyKit to override this

Expected results:
PackageKit allows policy to permit remote execution

Additional info:
I may be missing the point, but this hard-coding of no remote use seems to cut against the whole philosophy of PolicyKit: that the admin should be able to configure system security policies to suit the particular installation, because system developers can't anticipate all the relevant combinations of circumstances. It seems in this case that PolicyKit and the policy tool provide the mechanisms necessary for admins to set such policies, but PackageKit ignores them - see lines in gpk-common.c following:
        /* we are not local */
        ret = egg_console_kit_is_local (ck);
        if (!ret) {

I can understand why this test has been included; without it, the default PackageKit operations would be available to potentially unchecked and malicious remote users, unless re-configured by admins. This is probably not desirable. However it seems to me that there is a better way, more in harmony with PolicyKit philosophy. That is, to add an additional PolicyKit action, namely "Run PackageKit". The default settings for this action would be that it was only allowed from the Console (thus the egg_console_kit_is_local call above could be replaced by a call to PolicyKit, and would have the same result under the default settings). However it would allow admins to permit remote use of PackageKit under whatever circumstances they deemed appropriate, by changing from the defaults. 

I would like to add that, if the current version hits RHEL, the anguish of sysadmins will be heard from a long way off. Headless administration may not be too common among Fedora users, but it will be a huge issue for RHEL.
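
The action proposed in the description above, sketched as a PolicyKit policy file. This is an added example, not part of the original report and not PackageKit's own policy; the action id, description and message strings are hypothetical.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
<policyconfig>
  <!-- Hypothetical action id chosen for this example; PackageKit does not ship it. -->
  <action id="org.example.packagekit.run-gui-tools">
    <description>Run the PackageKit graphical tools</description>
    <message>Authentication is required to run the PackageKit tools from this session</message>
    <defaults>
      <!-- Any other client, which includes remote sessions
           (ssh-tunneled VNC, NX): denied by default. -->
      <allow_any>no</allow_any>
      <!-- Session on a local console that is not currently active: denied. -->
      <allow_inactive>no</allow_inactive>
      <!-- Active session on a local console: allowed without a prompt,
           the same outcome as the hard-coded local check. -->
      <allow_active>yes</allow_active>
    </defaults>
  </action>
</policyconfig>
```

With these defaults a remote session is refused exactly as it is by the hard-coded test. A site that needs headless administration would override the `allow_any` result for this one action in its local PolicyKit configuration, for example to `auth_admin`, so remote use requires administrator authentication rather than being open to any remote user.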

Comment 1 Richard Hughes 2009-03-04 09:21:27 UTC
I've applied this upstream:

commit 4a26e36c897e5d52fc756607e5eb54745f2d8f7a
Author: Richard Hughes <richard>
Date:   Mon Mar 2 10:39:20 2009 +0000

    bugfix: don't check for local or active for all the GUI tools, else we can't use these tools using vncviewer

