Re: unprivileged users can update the system !

On 27/08/2013 20:17, Stephen Gallagher wrote:

On 08/27/2013 01:14 PM, Jehan Procaccia wrote:
I am using Fedora19 on a hundred stations for students; to my
surprise I noticed that anyone connected locally can update all
packages of the station! The thing is that when the user connects
to the station, there's a notification that pops up saying that
there are updates available; accepting to proceed leads to an update
of all the station packages ;-( Apparently clicking on the
notification starts gpk-update-viewer (seen that with ps auwx). If
the student tries to issue a yum update on the CLI, then he is
refused: "You need to be root to perform this command."

We need to maintain a homogeneous state of update on all stations;
how can I prevent users from updating stations themselves? Thanks.

The policy should be that only members of the "wheel" group should be
able to do that. Please file a bug in Bugzilla if you see otherwise
(file it against PackageKit).
I noticed that /etc/polkit-1/rules.d/50-default.rules
contains:
polkit.addAdminRule(function(action, subject) {
    return ["unix-group:wheel"];
});

Perhaps that's why it is authorized for any logged-in user!?

I've been told on IRC #fedora to set this:
[root@b02-02 rules.d]# cat 60-require-packagekit-update-adminpassword.rules
polkit.addRule(function(action, subject) {
  if (action.id == "org.freedesktop.packagekit.system-update") {
      return polkit.Result.AUTH_ADMIN;
  }
});

It works: after gpk-update-viewer has started and resolved dependencies, when it is about to install it shows an error pop-up: "Failed to obtain authentication."
At least that does what I expected in the first place: unprivileged users cannot update the system!
Perhaps there's a better way to handle this; if you have an idea, let me know.
But I think I can push that file to my hundred Fedora19 stations; hopefully I use cfengine to automate this.
Thanks
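
The two rule files quoted in the message above can be checked offline before they are pushed to the stations. The harness below is an added example, not part of the original message and not polkit's own code: it mimics how polkitd reads rule files in lexical filename order and lets the first callback that returns a value decide. The STUDENT subject, its "students" group and the helper names are assumptions made for the example.

```javascript
// Stand-in for polkitd's rule loading, to check rule files offline.
const Result = { NO: "no", YES: "yes", AUTH_SELF: "auth_self",
  AUTH_SELF_KEEP: "auth_self_keep", AUTH_ADMIN: "auth_admin",
  AUTH_ADMIN_KEEP: "auth_admin_keep", NOT_HANDLED: "not_handled" };

// The two rule files quoted in the message (50-default.rules closed with "});").
const RULE_FILES = {
  "60-require-packagekit-update-adminpassword.rules": `
polkit.addRule(function(action, subject) {
  if (action.id == "org.freedesktop.packagekit.system-update") {
      return polkit.Result.AUTH_ADMIN;
  }
});`,
  "50-default.rules": `
polkit.addAdminRule(function(action, subject) {
    return ["unix-group:wheel"];
});`,
};

// Constructed subject: a local, active student account outside "wheel".
const STUDENT = { user: "student", local: true, active: true,
  isInGroup: (g) => g === "students" };

// Run each file in lexical filename order and collect its callbacks.
function loadRules(files) {
  const rules = [], adminRules = [];
  const polkit = { Result, addRule: (f) => rules.push(f),
                   addAdminRule: (f) => adminRules.push(f) };
  for (const name of Object.keys(files).sort()) {
    new Function("polkit", files[name])(polkit);
  }
  return { rules, adminRules };
}

// The first callback that returns a value decides; otherwise report
// NOT_HANDLED, meaning the action's own .policy defaults would apply.
function firstResult(callbacks, action, subject) {
  for (const fn of callbacks) {
    const r = fn(action, subject);
    if (r !== undefined && r !== null && r !== Result.NOT_HANDLED) return r;
  }
  return Result.NOT_HANDLED;
}

function check(files, actionId, subject) {
  const { rules, adminRules } = loadRules(files);
  const action = { id: actionId };
  return { result: firstResult(rules, action, subject),
           admins: firstResult(adminRules, action, subject) };
}
```

For the system-update action, check() returns "auth_admin" with "unix-group:wheel" as the only admin identity, so a student outside wheel cannot complete the prompt; any action the rule does not name comes back "not_handled".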
