Re: unprivileged users can update the system !

On 08/28/2013 03:44 AM, Jehan Procaccia wrote:
> On 27/08/2013 20:17, Stephen Gallagher wrote:
> On 08/27/2013 01:14 PM, Jehan Procaccia wrote:
>>>> I am using Fedora19 on hundred of stations for students, to my
>>>> surprise I noticed that anyone connected locally can update all
>>>> packages of the station ! the thing is that when the user connects
>>>> to the station, there's a notification that pops up saying that
>>>> there are updates available; accepting to proceed leads to an update
>>>> of all the station packages ;-( apparently clicking on the
>>>> notification starts gpk-update-viewer (seen that with ps auwx) if
>>>> the student tries to issue a yum update on the cli, then he is 
>>>> refused "You need to be root to perform this command."
>>>>
>>>> we need to maintain a homogeneous state of update on all stations,
>>>> how can I prevent users from updating stations themselves ? Thanks.
>>>>
> The policy should be that only members of the "wheel" group should be
> able to do that. Please file a bug in Bugzilla if you see otherwise
> (file it against PackageKit).
> I noticed that /etc/polkit-1/rules.d/50-default.rules
> contains :
> polkit.addAdminRule(function(action, subject) {
>     return ["*unix-group:wheel*"];
> });
> 
> perhaps that's why it is authorized to any logged in users !?
> 
> I've been told on irc #fedora to set this
> [root@b02-02 rules.d]# cat 60-require-packagekit-update-adminpassword.rules
> polkit.addRule(function(action, subject) {
>   if (action.id == "org.freedesktop.packagekit.system-update") {
>       return polkit.Result.AUTH_ADMIN;
>   }
> });
> 
> it works, I mean after gpk-update-viewer is started and has resolved
> dependencies, when about to install it shows an Error pop-up " Failed to
> obtain authentication."
> at least that does what I expected in the first place, unprivileged
> users cannot update the system !
> perhaps there's a better way to handle this, if you have an idea, let me
> know
> but I think I can push that file to my hundred fedora19 stations,
> hopefully I use cfengine to automate this .
> thanks
> 
> 
> 

Did you file a Bug for the issue, or get any reference to an existing
Bug number ?

Please do file a Bug if one does not exist currently for the reported issue.

-- 
Regards,

Rejy M Cyriac (rmc)
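
The following is an added example, not part of the original thread: a small JavaScript harness that loads the two rule files quoted above and shows what the override rule decides for a student and for a wheel member. The `makePolkit` stand-in, the `subject.groups` field, the `implicitDefault` parameter and the sample subjects are assumptions of this harness, not polkitd's own API.

```javascript
// Stand-in for the polkit rules API (hypothetical harness, not polkitd itself).
function makePolkit() {
  const rules = [], adminRules = [];
  return {
    Result: { NO: "no", YES: "yes", AUTH_ADMIN: "auth_admin" },
    addRule: fn => rules.push(fn),
    addAdminRule: fn => adminRules.push(fn),
    rules, adminRules,
  };
}

// Constructed copies of the two rule files quoted in the thread.
const RULE_FILES = {
  "60-require-packagekit-update-adminpassword.rules": polkit => {
    polkit.addRule(function(action, subject) {
      if (action.id == "org.freedesktop.packagekit.system-update") {
        return polkit.Result.AUTH_ADMIN;
      }
    });
  },
  "50-default.rules": polkit => {
    polkit.addAdminRule(function(action, subject) {
      return ["unix-group:wheel"];
    });
  },
};

// implicitDefault is an assumption: what the action's own policy would answer
// when no rule speaks up. subject.groups is a constructed field of this harness.
function evaluate(actionId, subject, implicitDefault) {
  const polkit = makePolkit();
  // Rule files are read in file-name order; the first rule that returns a value wins.
  Object.keys(RULE_FILES).sort().forEach(name => RULE_FILES[name](polkit));
  const action = { id: actionId };
  let result = implicitDefault;
  for (const rule of polkit.rules) {
    const r = rule(action, subject);
    if (r !== undefined && r !== null) { result = r; break; }
  }
  let admins = [];
  for (const rule of polkit.adminRules) {
    const a = rule(action, subject);
    if (a) { admins = a; break; }
  }
  // With AUTH_ADMIN the subject passes on their own credentials only if they
  // match one of the admin identities.
  const isAdmin = admins.some(id => subject.groups.includes(id.replace("unix-group:", "")));
  const passesAlone = result === "yes" || (result === "auth_admin" && isAdmin);
  return { result, admins, passesAlone };
}
```

The rule compares the action id for exact equality, so any other action id still falls through to its own default; when deploying the file, confirm which action id the update tool actually requests.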