Fedora 12 lets unprivileged users install packages
Fedora 12 lets unprivileged users install packages
[Distributions] Posted Nov 18, 2009 23:42 UTC (Wed) by corbet
Fedora bug #534047 contains an interesting Fedora 12 surprise: "PackageKit allows you to install signed content from signed repositories
without a password by default. It only asks you to authenticate if anything is
unsigned or the signatures are wrong.
" So any user can install any package found in the official repository. Some Fedora developers, at least, seem to see this as a feature; see this rapidly-growing thread for the discussion.
The bug report contains the incantation needed to disable this behavior:
pklalockdown --lockdown org.freedesktop.packagekit.package-install
Evidently that is not a long-term solution, though; see this post for a rather more involved fix. Stay tuned: we'll probably post a longer look at this issue in the near future.