Fedora to allow the installation of packages, without root privileges?

Published: 2009-11-19
Last Updated: 2009-11-20 13:43:09 UTC
by Joel Esler (Version: 2)
4 comment(s)

A "bug" created back in November against the latest Fedora release (12) indicates that, through the GUI, desktop users of the Fedora system are able to install signed packages without root privileges or root authentication.  Yes, you just read that correctly.  (I'll give you a second re-read that sentence so I don't have to retype it.)  Yes, "it's a feature, not a bug".

In all my travels I've only ran across one company, ever, that has Fedora rolled out as an enterprise operating system on every desktop.  But what kind of security implications does this have?  I obviously don't have to explain why this is (may be) a bad idea to the readers of the ISC, as we are all security minded people.  

Now, the restrictions.  This change does not affect yum on the command line.  This only affects installing things through the GUI.  (Not that helps any, as most users will be running the GUI anyway.)  You can also disable it.

create a file in:

/var/lib/polkit-1/localauthority/20-org.d  (you can name if file anything you want)

and include the following:

[NoUsersInstallAnythingWithoutPassword]
Identity=unix-user:someone;unix-user:someone_else
Action=org.freedesktop.packagekit.*
ResultAny=auth_admin
ResultInactive=auth_admin
ResultActive=auth_admin

 

(the above came from the release notes for Fedora 12, found here.  

Also, I found this as a solution:

pklalockdown --lockdown org.freedesktop.packagekit.package-install

Currently in the bug, there is some debate about if they should revert this feature.  So, this may be just temporary.  

 

UPDATE:  After I wrote about this yesterday, an email was sent out to the Fedora Developers List saying that, essentially, have reversed the decision and will now require the root password for the installation of packages.  Read the email here.  Thanks to the commenters on this post for the update.

-- Joel Esler | http://blog.joelesler.net | http://twitter.com/joelesler

Keywords:
4 comment(s)

Comments

Remarkable that it wouldn't at least be turned off by default, feature or not.
Two notes.

1. The pklalockdown command is deprecated and can be removed as early as the next package update, i.e., by the time anyone reads this note (or not).

2. "Identity=unix-user:someone" only changes the policy for a person with the UID "someone." If you want (and you *should* want) to change it for everyone (other than root), then you must specify "Identity=unix-user:*"
Personally I'm frightened by the fact that red hat is arguing for this feature as it is currently implemented long and at length in the huge comment tree for this bug (as well as mailing list thread talking about this) - This should have been default off, from the beginning.
This seems to have been changed to require the root password in this latest email.
https://www.redhat.com/archives/fedora-devel-list/2009-November/msg01445.html

Diary Archives