FS#50459 - [packagekit] Root privileges to upgrade the system and to install software by default.

Attached to Project: Community Packages
Opened by Éter (AqaIb) - Saturday, 20 August 2016, 17:02 GMT
Last edited by Jelle van der Waa (jelly) - Thursday, 28 September 2023, 16:21 GMT
Task Type Bug Report
Category Packages
Status Closed
Assigned To Christian Hesse (eworm)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 5
Private No

Details

Description:
Using packagekit through discover and gnome-software, I have the ability to install software from the repositories and to upgrade the system without entering the admin password. This behaviour comes by default from upstream.

To be able to upgrade the system, you don't need anymore than a normal user. It is coded in the following file:

"/usr/share/polkit-1/actions/org.freedesktop.packagekit.policy"
<action id="org.freedesktop.packagekit.system-update">
<!-- SECURITY:
- Normal users do not require admin authentication to update the
system as the packages will be signed, and the action is required
to update the system when unattended.
- Changing this to anything other than 'yes' will break unattended
updates.
-->

To be able to install software from the repositories without the admin password, the user must be in the "wheel" group. It is coded in the following file:
"/usr/share/polkit-1/rules.d/org.freedesktop.packagekit.rules"
polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.packagekit.package-install" &&
subject.active == true && subject.local == true &&
subject.isInGroup("wheel")) {
return polkit.Result.YES;
}
});

Although upstream think that these two options are not security issues, I think that upstream thinks more in terms of ease of use than in terms of security, but that is only my opinion and I am not cualified enough to emit a veredict. I report this because I think that these two options should ask for the admin password by default, giving the option for not asking it only as optional for users/distros that prefer less secure but easier methods.

Sincerely,
Aqa-Ib.

Additional info:
* package version(s): 1.1.3-1

Steps to reproduce:
For upgrading without password:
1. Install discover or gnome-software
2. Upgrade the system using discover or gnome software.

For installing software from the repositories without password:
A. Put your normal user in the wheel group.
B. Install any software from the repositories using discover or gnome software.
This task depends upon

Closed by  Jelle van der Waa (jelly)
Thursday, 28 September 2023, 16:21 GMT
Reason for closing:  Not a bug
Additional comments about closing:  a wheel user is considered an admin so this is expected
Comment by Éter (AqaIb) - Saturday, 20 August 2016, 19:51 GMT
(Sorry, I forgot to add brackets to packagekit at the summary).
Comment by Doug Newgard (Scimmia) - Monday, 22 August 2016, 12:25 GMT
If you're in the "wheel" group, this is kind of expected. That's what the "wheel" group is for.
Comment by Éter (AqaIb) - Monday, 22 August 2016, 14:16 GMT
Just to clarify, to upgrade the system without the admin password you don't need to be in the wheel group.
Comment by Sharad (docbroke) - Friday, 17 March 2017, 11:59 GMT
I don't think users in "wheel" group can install packages with pacman without using sudo.
This package was installed on my system as dependency of simple-scan, which shall not need to install packages without root previlages AFAIK.
Comment by Dominik Kummer (arkades) - Tuesday, 21 September 2021, 10:18 GMT
"sudo" group can install everything (with pacman), "wheel" group can install everything listed in /etc/PackageKit/alpm.d/groups.list with e.g. Discover, right? We asume that Sysadmin has to add users to "wheel" group, and that Sysadmin knows what this group is for.
Vendors could/should maintain secure/tested/lts Mirrors and adapt /etc/PackageKit/alpm.d/pacman.conf accordingly for professional environments, I guess.
Comment by Buggy McBugFace (bugbot) - Tuesday, 08 August 2023, 19:11 GMT
This is an automated comment as this bug is open for more then 2 years. Please reply if you still experience this bug otherwise this issue will be closed after 1 month.

Loading...