Community Packages

Please read this before reporting a bug:
http://wiki.archlinux.org/index.php/Reporting_Bug_Guidelines

Do NOT report bugs when a package is just outdated, or it is in Unsupported. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!
Tasklist

FS#50459 - [packagekit] Root privileges to upgrade the system and to install software by default.

Attached to Project: Community Packages
Opened by Éter (AqaIb) - Saturday, 20 August 2016, 17:02 GMT
Last edited by Doug Newgard (Scimmia) - Monday, 22 August 2016, 12:25 GMT
Task Type Bug Report
Category Packages
Status Assigned
Assigned To Christian Hesse (eworm)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 0%
Votes 5
Private No

Details

Description:
Using packagekit through discover and gnome-software, I have the ability to install software from the repositories and to upgrade the system without entering the admin password. This behaviour comes by default from upstream.

To be able to upgrade the system, you don't need anymore than a normal user. It is coded in the following file:

"/usr/share/polkit-1/actions/org.freedesktop.packagekit.policy"
<action id="org.freedesktop.packagekit.system-update">
<!-- SECURITY:
- Normal users do not require admin authentication to update the
system as the packages will be signed, and the action is required
to update the system when unattended.
- Changing this to anything other than 'yes' will break unattended
updates.
-->

To be able to install software from the repositories without the admin password, the user must be in the "wheel" group. It is coded in the following file:
"/usr/share/polkit-1/rules.d/org.freedesktop.packagekit.rules"
polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.packagekit.package-install" &&
subject.active == true && subject.local == true &&
subject.isInGroup("wheel")) {
return polkit.Result.YES;
}
});

Although upstream think that these two options are not security issues, I think that upstream thinks more in terms of ease of use than in terms of security, but that is only my opinion and I am not cualified enough to emit a veredict. I report this because I think that these two options should ask for the admin password by default, giving the option for not asking it only as optional for users/distros that prefer less secure but easier methods.

Sincerely,
Aqa-Ib.

Additional info:
* package version(s): 1.1.3-1

Steps to reproduce:
For upgrading without password:
1. Install discover or gnome-software
2. Upgrade the system using discover or gnome software.

For installing software from the repositories without password:
A. Put your normal user in the wheel group.
B. Install any software from the repositories using discover or gnome software.
This task depends upon

Comment by Éter (AqaIb) - Saturday, 20 August 2016, 19:51 GMT
(Sorry, I forgot to add brackets to packagekit at the summary).
Comment by Doug Newgard (Scimmia) - Monday, 22 August 2016, 12:25 GMT
If you're in the "wheel" group, this is kind of expected. That's what the "wheel" group is for.
Comment by Éter (AqaIb) - Monday, 22 August 2016, 14:16 GMT
Just to clarify, to upgrade the system without the admin password you don't need to be in the wheel group.
Comment by Sharad (docbroke) - Friday, 17 March 2017, 11:59 GMT
I don't think users in "wheel" group can install packages with pacman without using sudo.
This package was installed on my system as dependency of simple-scan, which shall not need to install packages without root previlages AFAIK.

Loading...