Re: [opensuse] Allowing local users to install software via polkit/packagekit results in unsigned packages being installable
  • From: Andreas Seeg <andreas.seeg@xxxxxxxxx>
  • Date: Wed, 12 Mar 2014 22:59:28 +0100
  • Message-id: <5320D8C0.80705@posteo.de>
To get this functionality, we changed a file in
/etc/polkit-1/localauthority and set

ResultActive to yes (instead of auth_admin) for
org.freedesktop.packagekit.package-install -only-. (I'm not 100% sure about
the filename as I have limited access to our test environment right now)


Interesting that this worked, as polkit has dropped the localauthority
backend and only does JavaScript rules now.
My bad. I just remembered a way to get my hands on our current autoyast-scripts and we aren't actually editing a file in /etc/polkit-1/..., we just do:

echo "org.freedesktop.packagekit.package-install no:no:yes" >> /etc/polkit-default-privs.local
/sbin/set_polkit_default_privs

in a post-script (autoyast).

We aren't adding org.freedesktop.packagekit.package-install-untrusted, though, so from what I gathered on the net users shouldn't be able to install unsigned software, but they are.
(I'm guessing that org.freedesktop.packagekit.package-install shouldn't allow the installation of foreign packages because https://bugzilla.redhat.com/show_bug.cgi?id=534047 describes that it was added as a default in Fedora 12 to allow users to install software as non-root, but only from trusted repositories. And because package-install-untrusted wouldn't be very useful if package-install already covered all packages :) )


I have a hard time finding how PackageKit internally decides that it's
"untrusted".

I however think that the PackageKit zypp backend might not be reporting this
correctly.
So the zypp backend might wrongfully report the same for packages that are signed, unsigned, or signed with an unknown key, resulting in apper (I'm pretty sure it was apper, but I'll get my facts straight as soon as possible, sorry) installing them because it has no way of knowing that the package is untrusted?

You will probably need to ask our zypp gurus :/
Do they frequent this list, too?

Thanks for your help,

Andreas
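
An audit of the kind of override discussed in this message, as an added example that is not part of the original mail or of any openSUSE tooling: it lists PackageKit actions in a polkit-default-privs style file that are granted with a plain "yes". The function name and the sample file are constructed; it assumes the value field is any:inactive:active, as in the "no:no:yes" line above, and that a single value applies to all three.

```shell
#!/bin/sh
# Added example: find PackageKit actions that a polkit-default-privs
# style file grants without any authentication ("yes").

# audit_packagekit_privs FILE   (hypothetical helper name)
# Prints "<action> <session>=yes" for each unauthenticated grant.
# Returns 1 if at least one finding was printed, 0 otherwise.
audit_packagekit_privs() {
    awk '
        /^[[:space:]]*(#|$)/ { next }              # skip comments and blank lines
        $1 ~ /^org\.freedesktop\.packagekit\./ {
            n = split($2, p, ":")
            # Assumption: a single value applies to all three session kinds.
            if (n == 1) { p[2] = p[1]; p[3] = p[1] }
            name[1] = "any"; name[2] = "inactive"; name[3] = "active"
            for (i = 1; i <= 3; i++)
                if (p[i] == "yes") { print $1, name[i] "=yes"; found = 1 }
        }
        END { exit found ? 1 : 0 }
    ' "$1"
}

# Constructed sample input, modelled on the line quoted in the mail.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample of /etc/polkit-default-privs.local
org.freedesktop.packagekit.package-install no:no:yes
org.freedesktop.packagekit.package-install-untrusted auth_admin
EOF

audit_packagekit_privs "$sample" || echo "unauthenticated PackageKit grants found"
rm -f "$sample"
```

This only reports what the privilege file grants; whether the backend classifies an unsigned package as untrusted is the separate question raised in the mail.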