Hello Seth,
I can now confirm that it does not matter if the test users are in no
groups.
The issue persists.
Lines 49 to 56 in the link I provided earlier describe the package-
install-untrusted action which should be triggered when installing local
packages:
<action id="org.freedesktop.packagekit.package-install-untrusted">
<!-- SECURITY:
- Normal users require admin authentication to install untrusted or
unrecognised packages, as allowing users to do this without a
password would be a massive security hole.
- This is not retained as each package should be authenticated.
-->
<description>Install untrusted local file</description>
AFAIK this works as intended with other than aptcc backends, eg in Red Hat.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to packagekit in Ubuntu.
https://bugs.launchpad.net/bugs/1882098
Title:
Packagekit lets user install untrusted local packages in Bionic and
Focal
Status in packagekit package in Ubuntu:
New
Bug description:
We have packagekit configured to allow users to install trusted
packages from preconfigured repositories, but disallowed them to
install any untrusted packages.
The policykit configuration we use is following:
[tld.univ.packagekit]
Identity=unix-group:adm;
Action=org.freedesktop.packagekit.package-install;org.freedesktop.packagekit.package-reinstall;org.freedesktop.packagekit.package-remove;org.freedesktop.packagekit.system-sources-refresh;org.freedesktop.packagekit.system-update;org.freedesktop.packagekit.repair-system;
ResultAny=auth_self
ResultActive=auth_self
ResultInactive=auth_self
[tld.univ.packagekit-deny]
Identity=unix-user:*;
Action=org.freedesktop.packagekit.package-install-untrusted;
ResultAny=no
We would expect this to prevent users from installing local packages
downloaded from random repositories, however this does not seem to be
the case.
pkcon install-local random_package.deb will happily prompt for the
user to authenticate and will install the package, while pkcon
--allow-untrusted install-local random_package.deb will prompt for
root password, which the user does not have.
Our initial toughts was that the issue would be in packagekitd, but
after further investigations it looks like the issue could be in aptcc
backend.
We are more than happy to provide you with further details, but the
above should be enough to reproduce the issue.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/packagekit/+bug/1882098/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
