I found out the cause for this, but other backends are affected too probably - basically the packagekit daemon assumes that packages can be trusted themselves, so backends that do not have trust information in packages need to explicitly reject local packages as untrusted, so that PackageKit reprompts for trusted.
I'm not sure how to proceed there - I can come up with a fix for aptcc, but upstream can't put in the work for other backends, but then releasing just an apt fix while other backends are vulnerable would not be a good call either.

-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to packagekit in Ubuntu.
https://bugs.launchpad.net/bugs/1882098

Title:
  Packagekit lets user install untrusted local packages in Bionic and Focal

Status in packagekit package in Ubuntu:
  Triaged

Bug description:
  We have packagekit configured to allow users to install trusted packages from preconfigured repositories, but to disallow them from installing any untrusted packages. The policykit configuration we use is the following:

    [tld.univ.packagekit]
    Identity=unix-group:adm;
    Action=org.freedesktop.packagekit.package-install;org.freedesktop.packagekit.package-reinstall;org.freedesktop.packagekit.package-remove;org.freedesktop.packagekit.system-sources-refresh;org.freedesktop.packagekit.system-update;org.freedesktop.packagekit.repair-system;
    ResultAny=auth_self
    ResultActive=auth_self
    ResultInactive=auth_self

    [tld.univ.packagekit-deny]
    Identity=unix-user:*;
    Action=org.freedesktop.packagekit.package-install-untrusted;
    ResultAny=no

  We would expect this to prevent users from installing local packages downloaded from random repositories, however this does not seem to be the case. pkcon install-local random_package.deb will happily prompt for the user to authenticate and will install the package, while pkcon --allow-untrusted install-local random_package.deb will prompt for the root password, which the user does not have.

  Our initial thought was that the issue would be in packagekitd, but after further investigation it looks like the issue could be in the aptcc backend. We are more than happy to provide you with further details, but the above should be enough to reproduce the issue.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/packagekit/+bug/1882098/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
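The following is an added example, not code from PackageKit, polkit or the bug reporter. It parses the reporter's two .pkla sections with a simplified reading of the pklocalauthority rules (identities are unix-user:NAME or unix-group:NAME with '*' wildcards, actions match by glob, ResultActive/ResultInactive take precedence over ResultAny, and the last matching section wins) and then models the daemon behaviour described in the comment above: packagekitd checks package-install for a local .deb unless the client passed --allow-untrusted or the backend rejected the package as untrusted, in which case package-install-untrusted is checked. The Subject type, the action_checked model and the sample users are assumptions made for the example; they show that the policy itself is sound and that the observed install path depends entirely on the backend flagging local packages as untrusted.

```python
"""Evaluate a polkit .pkla policy and model the PackageKit trust prompt.

Added example; not PackageKit, polkit or reporter code.  The .pkla
semantics below are a simplified reading of pklocalauthority(8).
"""
import configparser
import fnmatch
from dataclasses import dataclass, field

# Constructed copy of the reporter's policy from the bug description.
PKLA_TEXT = """
[tld.univ.packagekit]
Identity=unix-group:adm;
Action=org.freedesktop.packagekit.package-install;org.freedesktop.packagekit.package-reinstall;org.freedesktop.packagekit.package-remove;org.freedesktop.packagekit.system-sources-refresh;org.freedesktop.packagekit.system-update;org.freedesktop.packagekit.repair-system;
ResultAny=auth_self
ResultActive=auth_self
ResultInactive=auth_self

[tld.univ.packagekit-deny]
Identity=unix-user:*;
Action=org.freedesktop.packagekit.package-install-untrusted;
ResultAny=no
"""

ACTION_INSTALL = "org.freedesktop.packagekit.package-install"
ACTION_INSTALL_UNTRUSTED = "org.freedesktop.packagekit.package-install-untrusted"


@dataclass(frozen=True)
class Subject:
    """Assumed minimal caller identity: a user name and its groups."""
    user: str
    groups: frozenset = field(default_factory=frozenset)


def parse_pkla(text):
    """Return the sections of a .pkla file, in file order, as dicts."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep ResultAny/ResultActive case as written
    cp.read_string(text)
    return [dict(cp[name], Name=name) for name in cp.sections()]


def _split(value):
    """Split a ';'-separated pkla list, dropping the trailing empty item."""
    return [v for v in (x.strip() for x in value.split(";")) if v]


def identity_matches(identity, subject):
    kind, _, pattern = identity.partition(":")
    if kind == "unix-user":
        return fnmatch.fnmatchcase(subject.user, pattern)
    if kind == "unix-group":
        return any(fnmatch.fnmatchcase(g, pattern) for g in subject.groups)
    return False


def decide(sections, subject, action_id, active=True):
    """Return the Result for (subject, action), or None if no entry applies.

    None means polkit falls back to the defaults declared in the action's
    .policy file.  A later matching section overrides an earlier one.
    """
    result = None
    for sec in sections:
        if not any(identity_matches(i, subject)
                   for i in _split(sec.get("Identity", ""))):
            continue
        if not any(fnmatch.fnmatchcase(action_id, a)
                   for a in _split(sec.get("Action", ""))):
            continue
        specific = sec.get("ResultActive" if active else "ResultInactive")
        value = specific if specific is not None else sec.get("ResultAny")
        if value is not None:
            result = value
    return result


def action_checked(backend_flags_untrusted, allow_untrusted=False):
    """Assumed model of which action packagekitd checks for a local install.

    Per the comment in the thread, the daemon treats the package as
    trusted (package-install) unless the client asked for --allow-untrusted
    or the backend explicitly rejected the package as untrusted, which is
    what makes the daemon re-check with package-install-untrusted.
    """
    if allow_untrusted or backend_flags_untrusted:
        return ACTION_INSTALL_UNTRUSTED
    return ACTION_INSTALL


def outcome(sections, subject, backend_flags_untrusted, allow_untrusted=False):
    """polkit result the user hits for 'pkcon install-local' under this model."""
    return decide(sections, subject,
                  action_checked(backend_flags_untrusted, allow_untrusted))


if __name__ == "__main__":
    policy = parse_pkla(PKLA_TEXT)
    adm_user = Subject("alice", frozenset({"adm"}))  # constructed sample user
    print("backend silent on trust:", outcome(policy, adm_user, False))
    print("backend rejects as untrusted:", outcome(policy, adm_user, True))
```

Under this model, a backend that never reports local packages as untrusted routes the install through package-install, which the first section grants to the adm group with auth_self; only when the backend rejects the package (or the client passes --allow-untrusted) does the deny section for package-install-untrusted apply. That is the defender's check: the .pkla rule is necessary but not sufficient, and the backend's trust reporting must be verified as well.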