Fedora 22 update security

Thu May 14 09:38:54 UTC 2015

I checked my sudoers file and the user's group. I am confident that the
user is a standard user and not a sudoer or in the wheel group.

I have been following the discussions on this and would like to comment
on a few

1. I prefer KDE over Gnome. So on Fedora 20 I used kdm using my
kickstart.

2. I upgraded to Fedora 21 and to 22 using the fedup tool, which
requires one to mention what product they want. So I mentioned the
product 'workstation', which got installed and I got a whole new
display, that I do not like. I revert to KDE Plasma workspace.

3. The most important thing about this discussion is whether allow
non-admin users to do system update or not. I WOULD PREFER NON-ADMIN
USERS NOT TO GET THESE RIGHTS.

The reason is that I have had a serious issue from kernel update 3.16 to
3.19. The way they mount the CIFS share, I am still not able to
understand certain behaviour. This is definitely not acceptable in a
multi-user environment where the clients use LDAP, CIFS or NIS or any
such remote server for login or folder authentication.

A standard user performing the updates would violate these settings and
the system would not perform as expected or at least set by the system
administrator. This means there is more work for system administrator
and if cannot find a fix, then have to wait for a fix in the next
release or as the discussion goes, there might not be any fix at all.

I usually test the updates on a system and make sure that it does not
affect any normal use. Then I update it for every user or every client
machines.

I do not understand which system administrator did not want an
authentication or confirmation before installing updates. This could be
TRUE only when the system administrator is logged into the system in GUI
mode or on a terminal using 'su' command.

All I request is to give an option at least during the install or in
kickstart to add a line that will say whether all users can install the
system updates (whether offline or live) or not. So, it is then the
admin's responsibility to deal with it.

This should come during the installation setup, where the installation
source, admin password and other details are setup.

Thanks
Nethaji

On Thu, 2015-05-14 at 07:21 +0100, Richard Hughes wrote:
> On 14 May 2015 at 01:57, Michael Catanzaro <mcatanzaro at gnome.org> wrote:
> > It never even occurred to me that we might make this change downstream,
> > since we make changes upstream whenever we can. PackageKit is
> > maintained by a Fedora developer (Richard Hughes) so it's natural that
> > the default settings are what Fedora wants them to be.
> 
> I'm certainly hope I'm a friendly upstream, and it's true that I want
> to ship sane policy by default. It doesn't mean upstream *has* to bend
> and flex to every diktat from FESCo. If someone can explain to me in
> an upstream bug why changing the policy would be more secure for users
> then I'll happily change it for the next release. I'm not horribly
> keen on the "lock down by default" arguments, as PackageKit upstream
> is at targeting these users
> http://www.freedesktop.org/software/PackageKit/pk-profiles.html
> 
> Richard