Re: Fedora 22 update security




On Fri, 2015-05-15 at 18:23 +0000, Thiyagarajan, Nethaji wrote:
> Hello Michael,
> 
> The fix you gave for the non-admin update rule on May 13th (see
> below) does not work. After placing a file in the path
> /etc/polkit-1/rules.d/ and rebooting the system, a standard user can
> still do the update. This included everything installed on the system.
> So a non-admin can modify the '/' folder when the updates are available.
> 
> polkit.addRule(function(action, subject) {
>     if (action.id == "org.freedesktop.packagekit.system-update") {
>         return polkit.Result.AUTH_ADMIN;
>     }
> });
> 
> Nethaji


Hi Nethaji,

I tested this today with pkcon and it worked for me. The unprivileged
user is able to list updates, but as soon as he attempts to apply the
updates an authentication prompt appears. I'm not sure why it didn't
work for you. I named my file 60-updates.rules; perhaps if the file is
sorted too low it won't work?

I will make one amendment: we should prohibit offline updates as well:

polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.packagekit.system-update" ||
        action.id == "org.freedesktop.packagekit.trigger-offline-update") {
        return polkit.Result.AUTH_ADMIN;
    }
});

Michael

-- 
desktop mailing list
desktop@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/desktop
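
Added example, not part of the original thread: polkit loads rule files in lexical file-name order and stops at the first rule that returns a result, which is the ordering effect the reply above raises. The small evaluator, the `50-packagekit.rules` file, the `10-updates.rules` name and the subject are constructed stand-ins used only to show how an earlier permissive rule can shadow `60-updates.rules`.

```javascript
// Stand-in for polkitd's rule loader (constructed; not polkit source code).
const Result = { YES: "yes", AUTH_ADMIN: "auth_admin" };

// ruleFiles maps file name -> rule source. Files load in lexical name order,
// every addRule() appends to one list, and the first rule that returns a
// value decides the result; later rules are never called.
function evaluate(ruleFiles, actionId, subject) {
  const rules = [];
  const polkit = { Result, addRule: (fn) => rules.push(fn) };
  for (const name of Object.keys(ruleFiles).sort()) {
    new Function("polkit", ruleFiles[name])(polkit);
  }
  for (const rule of rules) {
    const result = rule({ id: actionId }, subject);
    if (result) return result;
  }
  return null; // nothing matched: the action's built-in defaults apply
}

// The amended rule from the message above.
const ADMIN_ONLY = `polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.packagekit.system-update" ||
        action.id == "org.freedesktop.packagekit.trigger-offline-update") {
        return polkit.Result.AUTH_ADMIN;
    }
});`;

// Hypothetical earlier file that allows every PackageKit action (constructed).
const PERMISSIVE = `polkit.addRule(function(action, subject) {
    if (action.id.indexOf("org.freedesktop.packagekit.") == 0) {
        return polkit.Result.YES;
    }
});`;

const UPDATE = "org.freedesktop.packagekit.system-update";
const user = { user: "alice" }; // constructed unprivileged subject

// 60-updates.rules sorts after the permissive file, so it never runs.
function shadowed() {
  return evaluate({ "50-packagekit.rules": PERMISSIVE,
                    "60-updates.rules": ADMIN_ONLY }, UPDATE, user);
}
// The same rule under a name that sorts first takes effect.
function effective() {
  return evaluate({ "50-packagekit.rules": PERMISSIVE,
                    "10-updates.rules": ADMIN_ONLY }, UPDATE, user);
}
console.log("60-updates.rules:", shadowed(), "| 10-updates.rules:", effective());
```

On a real system, listing `/etc/polkit-1/rules.d/` and `/usr/share/polkit-1/rules.d/` together in sorted order shows which files are read before the new rule.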




