Red Hat Bugzilla – Bug 888083
Guest normal account can click and initiate a Fedora 18/19 software update without submitting to password security check.
Last modified: 2015-02-13 16:54:29 EST
Description of problem:
Normal user triggers and installs software updates with no password request.
Fedora 18 TC2 Release Candidate.
One account is with Administrator privileges
One account is with normal user privileges (title is guest)
The guest account user clicked on add/remove software, and then selected software update, which is in the menu for the former.
It resulted in the automatic search for and installation of updates.
Should any regular normal user be allowed to install updates without providing the administrator password, and without being a member of the wheel group?
This means that a normal user of Fedora 18 can trigger and install updates without root or administrator's consent.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
Fedora 18 DVD Jan 15th version
From a guest account I am able to start a software update.
Only via an account with root privileges (root, or via sudo) should updates be permitted.
Here is the result of my test.
The guest account has normal (no administrator) privileges. There is no request for authorisation.
Start Add/remove software,
From Software Menu icon, click on it and select Check for Updates
The result is that the Linux system is updated.
Why this should not be.
We may have some application, database, network, or business application that needs execution with the Linux system as it is.
By the non-authorized user, the updates were selected and applied, and with a kernel update, a reboot was required. This reboot caused previous program(s) to fail.
Only via root privileges should an update be permitted.
Is my guest account (non administrator) going to initiate updates without providing a password?
Suppose I am running an application that requires a very specific version of installed software, and the normal user selects software update. My specific version of software may be overwritten, which means that other applications that will call the reserved version could fail.
We don't stand behind the user, watching what he does. He may trigger an update.
One option-- Require software updates to always require root privileges
2nd option-- Provide a blocking option as within yum such as exclude=
3rd option-- Do not show software selection for a normal user account.
Implement or indicate if it is a do-not-fix or will be fixed, and fix it.
This bug is a request to fix an insecurity problem.
A standard user should not be allowed to trigger software updates. Refer to comment 3 above.
If guest user issues sudo, and is not in wheel group, user is blocked.