Re: Security Problem with "PackageKit-command-not-found" package

2022-08-25 Thread Michael Catanzaro
On Thu, Aug 25 2022 at 11:20:46 AM -, Sandipan Roy wrote:
> By this vulnerability any wheel user can install any packages without root access or sudo.

Hi, this is actually by design and not a vulnerability. The wheel user is definitionally an administrator user, and can escalate from wheel

Re: Security Problem with "PackageKit-command-not-found" package

2022-08-25 Thread Vitaly Zaitsev via devel
On 25/08/2022 13:20, Sandipan Roy wrote:
> I'm Sandipan Roy [FAS: ByteHackr], I wanted to share a serious system wide problem with PackageKit-command-not-found [1] package.

Not a bug, but a feature. Members of the wheel group, also known as "admin users", can install any packages using PackageK

Re: Security Problem with "PackageKit-command-not-found" package

2022-08-25 Thread Sandipan Roy
Some CVEs have appeared because of this issue. Details + Analysis found at: https://sysdream.com/abusing-packagekit-fedora-centos-for/

Re: Security Problem with "PackageKit-command-not-found" package

2022-08-25 Thread Sandipan Roy
Wheel user rule for packagekit

$ sudo cat /usr/share/polkit-1/rules.d/org.freedesktop.packagekit.rules
[sudo] password for sandipan:
polkit.addRule(function(action, subject) {
    if ((action.id == "org.freedesktop.packagekit.package-install" ||
         action.id == "org.freedesktop.packagekit.p

Security Problem with "PackageKit-command-not-found" package

2022-08-25 Thread Sandipan Roy
Hello World, I'm Sandipan Roy [FAS: ByteHackr], I wanted to share a serious system wide problem with PackageKit-command-not-found [1] package. Can you guys give some feedback if I can submit a system wide change proposal to remove this because it's a poor system design. By this vulnerability any