Fedora 22 update security

Michael Catanzaro mcatanzaro at gnome.org
Fri May 15 21:46:14 UTC 2015


On Fri, 2015-05-15 at 18:23 +0000, Thiyagarajan, Nethaji wrote:
> Hello Michael,
> 
> The fix you gave for the non-admin update the rule on May 13th (see 
> below) does not work. After placing a file in the path /etc/polkit
> -1/rules.d/ and rebooting the system, standard user can still do the 
> update. This included everything installed on the system. So a non
> -admin can modify the '/' folder when the updates are available.
> 
> polkit.addRule(function(action, subject) {
>     if (action.id == "org.freedesktop.packagekit.system-update") {
>         return polkit.Result.AUTH_ADMIN;
>     }
> });
> 
> Nethaji


Hi Nethaji,

I tested this today with pkcon and it worked for me. The unprivileged
user is able to list updates, but as soon as he attempts to apply the
updates an authentication prompt appears. I'm not sure why it didn't
work for you. I named my file 60-updates.rules; perhaps if the file is
sorted too low it won't work?

I will make one amendment: we should prohibit offline updates as well:

polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.packagekit.system-update" ||
        action.id == "org.freedesktop.packagekit.trigger-offline
-update") {
        return polkit.Result.AUTH_ADMIN;
    }
});

Michael



More information about the desktop mailing list