Fedora 12 lets unprivileged users install packages
[Distributions] Posted Nov 18, 2009 23:42 UTC (Wed) by corbet
Fedora bug #534047 contains an interesting Fedora 12 surprise: "PackageKit allows you to install signed content from signed repositories
without a password by default. It only asks you to authenticate if anything is
unsigned or the signatures are wrong." So any user can install any package found in the official repository. Some Fedora developers, at least, seem to see this as a feature; see this rapidly-growing thread for the discussion.
The bug report contains the incantation needed to disable this behavior:
pklalockdown --lockdown org.freedesktop.packagekit.package-install
Evidently that is not a long-term solution, though; see this post for a rather more involved fix.
Stay tuned: we'll probably post a longer look at this issue in the near future.
Comments (109 posted)