Re: [opensuse] Allowing local users to install software via polkit/packagekit results in unsigned packages being installable
On Wed, Mar 12, 2014 at 04:58:42PM +0100, Andreas Seeg wrote:
> Dear list-subscribers,
>
> my fellow IT administrators and I are considering the option of allowing
> our users to install additional software present in already added, official
> repositories or software that is signed with already trusted keys. We are
> in the process of updating all clients to openSUSE 13.1.
>
> To get this functionality, we changed a file in
> /etc/polkit-1/localauthority and set
>
> ResultActive to yes (instead of auth_admin) for
> org.freedesktop.packagekit.package-install -only-. (I'm not 100% sure about
> the filename as I have limited access to our test environment right now)

Interesting that this worked, as polkit has dropped the localauthority
backend and only does JavaScript rules now.

> We changed nothing for
> org.freedesktop.packagekit.package-install-untrusted, leaving it to ask for
> the root password before installing "untrusted" software (as far as I
> understood polkit).

I have a hard time finding how PackageKit internally decides that it's
"untrusted".

I however think that the PackageKit zypp backend might not be reporting this
correctly.

> I'm not entirely sure what to do at this point to circle in on the problem.
> We don't want users (or exploits...) to be able to install unsigned
> packages. As we are using autoyast, we aren't ruling out that our current
> autoyast.xml-file might alter some openSUSE settings permanently, but from
> our understanding, settings described there should only apply to the
> "live-system" used to install the system.

You will probably need to ask our zypp gurus :/

> Any pointers are greatly appreciated, especially to official documentation
> for packagekit/polkit if they describe install-packages and
> install-packages-untrusted in detail.

The exact meaning seems lacking.

Ciao, Marcus
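
The policy discussed in this thread, written in polkit's JavaScript rules format, could look like the following. This is an added example, not part of the original mails or of openSUSE's shipped policy; the file name, the function name `packageInstallRule` and the small shim that lets the rule run under Node outside polkitd are assumptions.

```javascript
// Hypothetical file: /etc/polkit-1/rules.d/50-packagekit-install.rules
// Added example. The two action ids are the ones named in the thread.

// Shim (assumption): polkitd provides the real `polkit` object; this stand-in
// only exists so the rule can be exercised under Node for testing.
if (typeof polkit === "undefined") {
  var polkit = {
    Result: { YES: "yes", AUTH_ADMIN: "auth_admin", NOT_HANDLED: "not_handled" },
    _rules: [],
    addRule: function (fn) { this._rules.push(fn); },
    log: function (msg) {},
  };
}

var INSTALL = "org.freedesktop.packagekit.package-install";
var INSTALL_UNTRUSTED = "org.freedesktop.packagekit.package-install-untrusted";

function packageInstallRule(action, subject) {
  // Untrusted installs are decided first and always need an administrator,
  // so a later, broader rule cannot relax them by accident.
  if (action.id === INSTALL_UNTRUSTED) {
    polkit.log("untrusted install requested by " + subject.user);
    return polkit.Result.AUTH_ADMIN;
  }
  // Equivalent of ResultActive=yes: only an active session on a local seat
  // may install trusted packages without authentication.
  if (action.id === INSTALL && subject.local && subject.active) {
    return polkit.Result.YES;
  }
  // Everything else (remote or inactive sessions, other actions) falls
  // through to later rules and the defaults in the .policy file.
  return polkit.Result.NOT_HANDLED;
}

polkit.addRule(packageInstallRule);
```

The rule only expresses the authorization decision per action id. Whether an unsigned package is actually checked against the `-untrusted` action is decided by PackageKit and its backend, which is the open question in this thread.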