Hello Michael,
The fix you gave for the non-admin update the rule on May 13th (see below) does not work. After placing a file in the path /etc/polkit-1/rules.d/ and rebooting the system, standard user can still do the update. This included everything installed on the system. So a non-admin can modify the '/' folder when the updates are available.
polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.packagekit.system-update") {
return polkit.Result.AUTH_ADMIN;
}
});
Nethaji
________________________________________
From: desktop-bounces@xxxxxxxxxxxxxxxxxxxxxxx <desktop-bounces@xxxxxxxxxxxxxxxxxxxxxxx> on behalf of Chris Murphy <lists@xxxxxxxxxxxxxxxxx>
Sent: 15 May 2015 03:39
To: Discussions about development for the Fedora desktop
Subject: Re: Fedora 22 update security
On Thu, May 14, 2015 at 12:21 AM, Richard Hughes <hughsient@xxxxxxxxx> wrote:
> On 14 May 2015 at 01:57, Michael Catanzaro <mcatanzaro@xxxxxxxxx> wrote:
>> It never even occurred to me that we might make this change downstream,
>> since we make changes upstream whenever we can. PackageKit is
>> maintained by a Fedora developer (Richard Hughes) so it's natural that
>> the default settings are what Fedora wants them to be.
>
> I'm certainly hope I'm a friendly upstream, and it's true that I want
> to ship sane policy by default. It doesn't mean upstream *has* to bend
> and flex to every diktat from FESCo. If someone can explain to me in
> an upstream bug why changing the policy would be more secure for users
> then I'll happily change it for the next release. I'm not horribly
> keen on the "lock down by default" arguments, as PackageKit upstream
> is at targeting these users
> http://www.freedesktop.org/software/PackageKit/pk-profiles.html
Suzan should be a standard user, not admin, her brother is admin and
does OS updates, she shouldn't be able to initiate them. She can
install apps from approved sources and update them.
Brevan is admin of his own computer and can do whatever he wants.
Graham should not be using Fedora. But if he is, he's a standard user.
He can install software from approved sources, and those applications
can be updated. OS updates are off limits, his son will have to do
that for him.
And I'm saying this as an OS X user, with parents with OS X systems.
They can install app store and signed applications. I *think* they can
do drag and drop application installs for their user only, I haven't
tested that in a while. But they definitely can't do system updates. I
do that. And OS X system updates are 1-2 orders magnitude more stable
and sane than Windows updates, in my estimation. There is absolutely
zero possibility I'd subject Suzan, Graham, or my parents to automatic
OS updates, be it Windows, OS X or Fedora.
--
Chris Murphy
--
desktop mailing list
desktop@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/desktop
--
desktop mailing list
desktop@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/desktop
