Bug 975214 - Implement package installation policy agreed in FESCo #1115
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: PackageKit
Version: 19
Hardware: All All
Priority: unspecified
Severity: urgent
Assigned To: Richard Hughes
QA Contact: Fedora Extras Quality Assurance
Whiteboard: AcceptedFreezeException
Blocks: F19-accepted/F19FinalFreezeException
Reported: 2013-06-17 16:14 EDT by Adam Williamson
Modified: 2013-06-23 02:25 EDT
Fixed In Version: PackageKit-0.8.9-5.fc19
Doc Type: Bug Fix
Last Closed: 2013-06-23 02:25:15 EDT
Type: Bug
Description Adam Williamson 2013-06-17 16:14:41 EDT
A changed PolicyKit policy for package installation was agreed upon in https://fedorahosted.org/fesco/ticket/1115 , but apparently never implemented. It needs to be implemented for final release.

I cannot nominate this as a release blocking bug per the blocker process as it doesn't violate any release criteria. FESCo is expected to have its own mechanism for tracking issues that must be resolved prior to release relating to FESCo decisions. However, I'm nominating it as a freeze exception bug as it will need a freeze exception to be taken after the impending final release freeze.
Comment 1 Adam Williamson 2013-06-17 16:18:03 EDT
Patch from Notting was provided in #1115:

https://fedorahosted.org/fesco/ticket/1115#comment:20



For the javascript, put the following in /usr/share/polkit-1/rules.d/packagekit.rules:

polkit.addRule(function(action, subject) {
    if ((action.id == "org.freedesktop.packagekit.package-install" ||
        action.id == "org.freedesktop.packagekit.package-remove" ||
        action.id == "org.freedesktop.packagekit.system-update" ||
        action.id == "org.freedesktop.packagekit.trigger-offline-update") &&
        subject.active == true && subject.local == true &&
        subject.isInGroup("wheel")) {
            return polkit.Result.YES;
    }
});

(Holler if I got the full list of methods wrong, but it definitely works for the package install case). Then the recent changes for allow_active for these methods would change back from 'yes' to 'auth_admin_keep'.
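The decision flow described in the comment above, as an added example that is not part of the original comment or of PackageKit: a small mock of polkit's rule evaluation that runs the posted rule against constructed subjects and falls back to the .policy implicit default when the rule returns nothing. `makePolkit`, `makeSubject`, `decide` and the `allow_any`/`allow_inactive` values are assumptions for illustration; only `allow_active` = `auth_admin_keep` comes from the comment.

```javascript
// Stand-in for the `polkit` global that a rules.d file sees (mock, not polkitd).
function makePolkit() {
  const rules = [];
  return {
    Result: { YES: "yes" },
    addRule(fn) { rules.push(fn); },
    // Rules run in order; the first one that returns a value decides.
    runRules(action, subject) {
      for (const rule of rules) {
        const result = rule(action, subject);
        if (result !== undefined && result !== null) return result;
      }
      return null; // no rule decided: the .policy implicit defaults apply
    },
  };
}
const polkit = makePolkit();

// The rule from the comment above, unchanged.
polkit.addRule(function(action, subject) {
    if ((action.id == "org.freedesktop.packagekit.package-install" ||
        action.id == "org.freedesktop.packagekit.package-remove" ||
        action.id == "org.freedesktop.packagekit.system-update" ||
        action.id == "org.freedesktop.packagekit.trigger-offline-update") &&
        subject.active == true && subject.local == true &&
        subject.isInGroup("wheel")) {
            return polkit.Result.YES;
    }
});

// Implicit defaults of the action's .policy entry. allow_active is the value named
// in the comment; allow_any and allow_inactive are assumed for illustration.
const IMPLICIT = { allow_any: "auth_admin", allow_inactive: "auth_admin", allow_active: "auth_admin_keep" };

// Constructed subject carrying only the attributes the rule reads.
function makeSubject(groups, active, local) {
  return { groups, active, local, isInGroup: (g) => groups.includes(g) };
}

// Final decision: the rule's result if it returned one, else the matching implicit default.
function decide(actionId, subject) {
  const fromRule = polkit.runRules({ id: actionId }, subject);
  if (fromRule !== null) return fromRule;
  if (!subject.local) return IMPLICIT.allow_any;
  return subject.active ? IMPLICIT.allow_active : IMPLICIT.allow_inactive;
}

const INSTALL = "org.freedesktop.packagekit.package-install";
for (const [groups, active, local] of [[["wheel"], true, true], [["users"], true, true], [["wheel"], true, false]])
  console.log(groups[0], active, local, "->", decide(INSTALL, makeSubject(groups, active, local)));
```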
Comment 2 Richard Hughes 2013-06-18 04:11:19 EDT
Can someone test the PackageKit package here please: http://people.freedesktop.org/~hughsient/fedora/ -- if that works I'll spin a new upstream release and push it into F19. Thanks.
Comment 3 Fedora Update System 2013-06-18 07:20:48 EDT
PackageKit-0.8.9-5.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/PackageKit-0.8.9-5.fc19
Comment 4 Fedora Update System 2013-06-18 15:42:24 EDT
Package PackageKit-0.8.9-5.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing PackageKit-0.8.9-5.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-11181/PackageKit-0.8.9-5.fc19
then log in and leave karma (feedback).
Comment 5 Adam Williamson 2013-06-18 20:30:46 EDT
I confirm at least the following:

* Without the update, a non-admin user can 'pkcon install' any package from the repos
* With the update, a non-admin user cannot 'pkcon install' anything without the root password
* With the update, an admin user can 'pkcon remove' a package (but I was asked for the user's password)
* With the update, an admin user can 'pkcon install' a package without authentication (though it may have been cached from the 'pkcon remove')

Definitely looks like an 'improvement'.
Comment 6 Adam Williamson 2013-06-19 14:15:48 EDT
Discussed at 2013-06-19 freeze exception review meeting: http://meetbot.fedoraproject.org/fedora-blocker-review/2013-06-19/f19final-blocker-review-7.2013-06-19-16.01.log.txt . Accepted as a freeze exception issue, FESCo is mandating this be fixed before Final so obviously it gets a freeze exception. (This is basically a 'blocker bug', but there's some boring process argumentation about whether it should be denoted a FinalBlocker or whether it's FESCo's job to track it, but it definitely needs FE status).
Comment 7 Fedora Update System 2013-06-23 02:25:15 EDT
PackageKit-0.8.9-5.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
