unprivileged users can update the system!

Jehan Procaccia jehan.procaccia at tem-tsp.eu
Tue Aug 27 22:14:37 UTC 2013


On 27/08/2013 20:17, Stephen Gallagher wrote:
> On 08/27/2013 01:14 PM, Jehan Procaccia wrote:
>> I am using Fedora 19 on hundreds of stations for students; to my
>> surprise I noticed that anyone connected locally can update all
>> packages of the station! The thing is that when the user connects
>> to the station, there's a notification that pops up saying that
>> there are updates available; accepting to proceed leads to an update
>> of all the station packages ;-( Apparently clicking on the
>> notification starts gpk-update-viewer (seen that with ps auwx). If
>> the student tries to issue a yum update on the CLI, then he is
>> refused: "You need to be root to perform this command."
>>
>> We need to maintain a homogeneous state of updates on all stations;
>> how can I prevent users from updating stations themselves? Thanks.
>>
> The policy should be that only members of the "wheel" group should be
> able to do that. Please file a bug in Bugzilla if you see otherwise
> (file it against PackageKit).
I noticed that /etc/polkit-1/rules.d/50-default.rules contains:

polkit.addAdminRule(function(action, subject) {
    // members of the wheel group are the administrative users
    // asked for when a rule returns AUTH_ADMIN
    return ["unix-group:wheel"];
});

Perhaps that's why it is authorized for any logged-in user!?

I've been told on IRC #fedora to set this:

[root at b02-02 rules.d]# cat 60-require-packagekit-update-adminpassword.rules
polkit.addRule(function(action, subject) {
    // require an administrator's authentication for system updates
    if (action.id == "org.freedesktop.packagekit.system-update") {
        return polkit.Result.AUTH_ADMIN;
    }
});

It works, I mean after gpk-update-viewer is started and has resolved
dependencies, when about to install it shows an error pop-up "Failed to
obtain authentication."
At least that does what I expected in the first place: unprivileged
users cannot update the system!
Perhaps there's a better way to handle this; if you have an idea, let me
know,
but I think I can push that file to my hundred Fedora 19 stations;
hopefully I use cfengine to automate this.
Thanks
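As an added example (not code from the thread or from Fedora), here is the same idea extended to the other PackageKit actions that change installed software, since a rule matching only system-update still leaves package-install and package-remove on their implicit defaults. The action ids are the ones PackageKit ships in its policy file; the `polkit` guard at the bottom is an assumption made so the file both loads under polkitd and runs stand-alone in Node.

```javascript
// Added example: /etc/polkit-1/rules.d/60-packagekit-require-admin.rules
// polkit reads rules.d files in lexical order and stops at the first rule
// that returns a result, so a "60-" file runs after 50-default.rules and
// its result overrides the implicit authorization (e.g. allow_active)
// declared in PackageKit's .policy file.

// PackageKit action ids that install, remove or update software, or change
// what the station trusts (repositories, signing keys).
var PRIVILEGED_PACKAGEKIT_ACTIONS = [
  "org.freedesktop.packagekit.system-update",
  "org.freedesktop.packagekit.package-install",
  "org.freedesktop.packagekit.package-install-untrusted",
  "org.freedesktop.packagekit.package-remove",
  "org.freedesktop.packagekit.system-sources-configure",
  "org.freedesktop.packagekit.system-trust-signing-key"
];

// polkit.Result.AUTH_ADMIN is the string "auth_admin"; the fallback lets
// this file run outside polkitd (assumption for testing, see lead-in).
var AUTH_ADMIN = (typeof polkit !== "undefined")
  ? polkit.Result.AUTH_ADMIN
  : "auth_admin";

// Rule callback with polkit's (action, subject) signature.
// Returns "auth_admin" for the listed actions, so the caller must
// authenticate as one of the admin users (wheel members, per
// 50-default.rules); a member of wheel is still prompted for a password.
// Returns null for every other action so later rules and the implicit
// policy still apply to them.
function packagekitAdminRule(action, subject) {
  if (PRIVILEGED_PACKAGEKIT_ACTIONS.indexOf(action.id) === -1) {
    return null; // not handled here
  }
  return AUTH_ADMIN;
}

// Register with polkitd when loaded as a rules file.
if (typeof polkit !== "undefined") {
  polkit.addRule(packagekitAdminRule);
}
```

Check the resulting decision on a station with `pkaction --verbose --action-id org.freedesktop.packagekit.package-install` after placing the file, and keep the file mode readable by polkitd (0644, owned by root).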
