Fedora to allow the installation of packages, without root privileges?
A "bug" created back in November against the latest Fedora release (12) indicates that, through the GUI, desktop users of the Fedora system are able to install signed packages without root privileges or root authentication. Yes, you just read that correctly. (I'll give you a second re-read that sentence so I don't have to retype it.) Yes, "it's a feature, not a bug".
In all my travels I've only ran across one company, ever, that has Fedora rolled out as an enterprise operating system on every desktop. But what kind of security implications does this have? I obviously don't have to explain why this is (may be) a bad idea to the readers of the ISC, as we are all security minded people.
Now, the restrictions. This change does not affect yum on the command line. This only affects installing things through the GUI. (Not that helps any, as most users will be running the GUI anyway.) You can also disable it.
create a file in:
/var/lib/polkit-1/localauthority/20-org.d (you can name if file anything you want)
and include the following:
[NoUsersInstallAnythingWithoutPassword] Identity=unix-user:someone;unix-user:someone_else Action=org.freedesktop.packagekit.* ResultAny=auth_admin ResultInactive=auth_admin ResultActive=auth_admin
(the above came from the release notes for Fedora 12, found here.
Also, I found this as a solution:
pklalockdown --lockdown org.freedesktop.packagekit.package-install
Currently in the bug, there is some debate about if they should revert this feature. So, this may be just temporary.
UPDATE: After I wrote about this yesterday, an email was sent out to the Fedora Developers List saying that, essentially, have reversed the decision and will now require the root password for the installation of packages. Read the email here. Thanks to the commenters on this post for the update.
-- Joel Esler | http://blog.joelesler.net | http://twitter.com/joelesler
Comments
dsh
Nov 19th 2009
1 decade ago
1. The pklalockdown command is deprecated and can be removed as early as the next package update, i.e., by the time anyone reads this note (or not).
2. "Identity=unix-user:someone" only changes the policy for a person with the UID "someone." If you want (and you *should* want) to change it for everyone (other than root), then you must specify "Identity=unix-user:*"
Allen
Nov 20th 2009
1 decade ago
Hikaru
Nov 20th 2009
1 decade ago
https://www.redhat.com/archives/fedora-devel-list/2009-November/msg01445.html
Hikaru
Nov 20th 2009
1 decade ago