unprivileged users can update the system!

Rejy M Cyriac rcyriac at redhat.com
Wed Aug 28 03:35:09 UTC 2013


On 08/28/2013 03:44 AM, Jehan Procaccia wrote:
> On 27/08/2013 20:17, Stephen Gallagher wrote:
> On 08/27/2013 01:14 PM, Jehan Procaccia wrote:
>>>> I am using Fedora19 on hundreds of stations for students, to my
>>>> surprise I noticed that anyone connected locally can update all
>>>> packages of the station! The thing is that when the user connects
>>>> to the station, there's a notification that pops up saying that
>>>> there are updates available; accepting to proceed leads to an update
>>>> of all the station packages ;-( Apparently clicking on the
>>>> notification starts gpk-update-viewer (seen that with ps auwx). If
>>>> the student tries to issue a yum update on the CLI, then he is
>>>> refused: "You need to be root to perform this command."
>>>>
>>>> We need to maintain a homogeneous state of updates on all stations,
>>>> how can I prevent users from updating stations themselves? Thanks.
>>>>
> The policy should be that only members of the "wheel" group should be
> able to do that. Please file a bug in Bugzilla if you see otherwise
> (file it against PackageKit).
> I noticed that /etc/polkit-1/rules.d/50-default.rules
> contains :
> polkit.addAdminRule(function(action, subject) {
>     return ["unix-group:wheel"];
> });
> 
> perhaps that's why it is authorized for any logged-in user!?
> 
> I've been told on irc #fedora to set this
> [root@b02-02 rules.d]# cat 60-require-packagekit-update-adminpassword.rules
> polkit.addRule(function(action, subject) {
>   if (action.id == "org.freedesktop.packagekit.system-update") {
>       return polkit.Result.AUTH_ADMIN;
>   }
> });
> 
> It works, I mean after gpk-update-viewer is started and has resolved
> dependencies, when it is about to install it shows an error pop-up "Failed to
> obtain authentication."
> At least that does what I expected in the first place: unprivileged
> users cannot update the system!
> Perhaps there's a better way to handle this; if you have an idea, let me
> know,
> but I think I can push that file to my hundred Fedora19 stations,
> hopefully. I use cfengine to automate this.
> Thanks
> 
> 
> 

Did you file a Bug for the issue, or get any reference to an existing
Bug number?

Please do file a Bug if one does not exist currently for the reported issue.

-- 
Regards,

Rejy M Cyriac (rmc)
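The rule posted above only changes the prompt (AUTH_ADMIN) for one action id; a rule that names the other PackageKit actions students could reach from the desktop (install, remove, untrusted install, distribution upgrade) and refuses non-wheel users outright avoids the authentication dialog altogether. The block below is an added example, not code from the thread or from Fedora's own rules files. The `polkit` object, `Subject` and `decide()` are a small stand-in for polkitd's rule evaluation so the rule can be exercised under Node.js; in a real `/etc/polkit-1/rules.d/*.rules` file only the `polkit.addRule(...)` part is installed and polkitd supplies `polkit`, `action` and `subject`. The action ids listed are PackageKit's as far as the editor knows; confirm them with `pkaction | grep packagekit` on the target release before deploying.

```javascript
// Added example (not from the original thread): a polkit rule that refuses
// PackageKit update/install/remove actions to anyone outside "wheel", plus a
// constructed stand-in for the polkit object so the rule runs under Node.js.
// The stand-in models the one evaluation property the rule relies on:
// rules run in registration order and the first non-undefined result wins.

// --- stand-in for polkitd's "polkit" object (constructed for this example) ---
var polkit = {
  // Result values mirror the names a real rules file uses.
  Result: {
    NO: "no",
    YES: "yes",
    AUTH_ADMIN: "auth_admin",
    AUTH_ADMIN_KEEP: "auth_admin_keep",
    NOT_HANDLED: undefined
  },
  _rules: [],
  addRule: function (fn) { this._rules.push(fn); },
  log: function (msg) { console.log("polkit: " + msg); },
  // Mimics polkitd: walk rules in order, first non-undefined result decides;
  // undefined from every rule falls through to the action's own defaults.
  evaluate: function (action, subject) {
    for (var i = 0; i < this._rules.length; i++) {
      var r = this._rules[i](action, subject);
      if (r !== undefined) { return r; }
    }
    return undefined;
  }
};

// Stand-in subject with only the fields the rule consults (constructed).
function Subject(user, groups) {
  this.user = user;
  this._groups = groups;
}
Subject.prototype.isInGroup = function (g) {
  return this._groups.indexOf(g) !== -1;
};

// --- the rule: this is the part you would ship as
//     /etc/polkit-1/rules.d/60-restrict-packagekit.rules ---
var RESTRICTED_PK_ACTIONS = [
  "org.freedesktop.packagekit.system-update",
  "org.freedesktop.packagekit.package-install",
  "org.freedesktop.packagekit.package-install-untrusted",
  "org.freedesktop.packagekit.package-remove",
  "org.freedesktop.packagekit.upgrade-system"
];

polkit.addRule(function (action, subject) {
  // Not one of the actions we restrict: leave it to later rules / defaults.
  if (RESTRICTED_PK_ACTIONS.indexOf(action.id) === -1) {
    return undefined;
  }
  // Admins (wheel, per 50-default.rules) still have to authenticate,
  // and the authorization is kept for a short while for follow-up calls.
  if (subject.isInGroup("wheel")) {
    return polkit.Result.AUTH_ADMIN_KEEP;
  }
  // Everyone else is refused outright, without an authentication prompt.
  polkit.log("denied " + action.id + " for " + subject.user);
  return polkit.Result.NO;
});

// Convenience wrapper for exercising the rule under Node.js.
function decide(actionId, subject) {
  return polkit.evaluate({ id: actionId }, subject);
}

module.exports = { decide: decide, Subject: Subject, RESTRICTED_PK_ACTIONS: RESTRICTED_PK_ACTIONS };
```

Install the `polkit.addRule` part as root with mode 0644 under /etc/polkit-1/rules.d/; polkitd reloads the directory on change, and rules files are applied in lexical filename order across /etc and /usr/share, so a lower-numbered file that returns a result for the same action would take precedence. Check the effect from a student session with `pkcheck --action-id org.freedesktop.packagekit.system-update --process $$`, and look for the `polkit.log` lines in the polkit unit's journal when diagnosing a refused update.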

