Re: Fedora 22 update security

"Thiyagarajan, Nethaji" <n.thiyagarajan@xxxxxxxxx> · Sat, 16 May 2015 08:02:25 +0000

Hi Michael,

I will update this thread when the new update becomes available 
Thanks
 Nethaji 
________________________________________
From: desktop-bounces@xxxxxxxxxxxxxxxxxxxxxxx <desktop-bounces@xxxxxxxxxxxxxxxxxxxxxxx> on behalf of Thiyagarajan, Nethaji <n.thiyagarajan@xxxxxxxxx>
Sent: 16 May 2015 08:25
To: Discussions about development for the Fedora desktop
Subject: Re: Fedora 22 update security

Hi Michael,

Apologies.

The rule file I named as 51-autoupdate.rules. I realized that the comment line should not be #, which I had in my previous file. I had put who sent the rules in the file as a comment.

I have now changed the comment line and updated with the new rule you sent.

Many Thanks
Nethaji
________________________________________
From: desktop-bounces@xxxxxxxxxxxxxxxxxxxxxxx <desktop-bounces@xxxxxxxxxxxxxxxxxxxxxxx> on behalf of Michael Catanzaro <mcatanzaro@xxxxxxxxx>
Sent: 15 May 2015 22:46
To: Discussions about development for the Fedora desktop
Subject: Re: Fedora 22 update security

On Fri, 2015-05-15 at 18:23 +0000, Thiyagarajan, Nethaji wrote:
> Hello Michael,
>
> The fix you gave for the non-admin update the rule on May 13th (see
> below) does not work. After placing a file in the path /etc/polkit
> -1/rules.d/ and rebooting the system, standard user can still do the
> update. This included everything installed on the system. So a non
> -admin can modify the '/' folder when the updates are available.
>
> polkit.addRule(function(action, subject) {
>     if (action.id == "org.freedesktop.packagekit.system-update") {
>         return polkit.Result.AUTH_ADMIN;
>     }
> });
>
> Nethaji

Hi Nethaji,

I tested this today with pkcon and it worked for me. The unprivileged
user is able to list updates, but as soon as he attempts to apply the
updates an authentication prompt appears. I'm not sure why it didn't
work for you. I named my file 60-updates.rules; perhaps if the file is
sorted too low it won't work?

I will make one amendment: we should prohibit offline updates as well:

polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.packagekit.system-update" ||
        action.id == "org.freedesktop.packagekit.trigger-offline
-update") {
        return polkit.Result.AUTH_ADMIN;
    }
});

Michael

--
desktop mailing list
desktop@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/desktop
--
desktop mailing list
desktop@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/desktop
-- 
desktop mailing list
desktop@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/desktop