On 27/08/2013 20:17, Stephen Gallagher wrote:
> On 08/27/2013 01:14 PM, Jehan Procaccia wrote:
>> I am using Fedora19 on hundreds of stations for students, to my
>> surprise I noticed that anyone connected locally can update all
>> packages of the station ! the thing is that when the user connects
>> to the station, there's a notification that pops up saying that
>> there are updates available; accepting to proceed leads to an update
>> of all the station packages ;-( apparently clicking on the
>> notification starts gpk-update-viewer (seen that with ps auwx). if
>> the student tries to issue a yum update on the cli, then he is
>> refused: "You need to be root to perform this command."
>> we need to maintain a homogeneous state of update on all stations,
>> how can I prevent users from updating stations themselves ? Thanks.
>
> The policy should be that only members of the "wheel" group should be
> able to do that. Please file a bug in Bugzilla if you see otherwise
> (file it against PackageKit).
I noticed that /etc/polkit-1/rules.d/50-default.rules
contains :

    polkit.addAdminRule(function(action, subject) {
        return ["unix-group:wheel"];
    });

perhaps that's why it is authorized to any logged in users !?
I've been told on irc #fedora to set this:

    [root@b02-02 rules.d]# cat 60-require-packagekit-update-adminpassword.rules
    polkit.addRule(function(action, subject) {
        if (action.id == "org.freedesktop.packagekit.system-update") {
            return polkit.Result.AUTH_ADMIN;
        }
    });

it works, I mean after gpk-update-viewer is started and has resolved
dependencies, when about to install it shows an Error pop-up "Failed to
obtain authentication."
at least that does what I expected in the first place, unprivileged
users cannot update the system !
perhaps there's a better way to handle this, if you have an idea, let me
know
but I think I can push that file to my hundred Fedora 19 stations,
hopefully I use cfengine to automate this.
thanks
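Added example, not part of the original message and not polkit's own code: a small Node.js harness that loads the two rule files quoted above and evaluates them for a non-wheel user, so the rule can be checked offline before it is pushed to every station. The `makeEngine`, `loadRules`, `RULE_FILES` and `student` names are hypothetical, and the harness assumes only polkit's documented behaviour (files read in lexical order, first rule that returns a value wins).

```javascript
// Assumption: a stand-in for polkitd's rule engine, modelling only the
// documented semantics. Result strings here are harness values.
function makeEngine() {
  const rules = [], adminRules = [];
  const polkit = {
    Result: { NO: "no", YES: "yes", AUTH_SELF: "auth_self", AUTH_ADMIN: "auth_admin" },
    addRule: (fn) => rules.push(fn),
    addAdminRule: (fn) => adminRules.push(fn),
  };
  // Walk a list in registration order; the first rule to return a value wins.
  const first = (list, action, subject) => {
    for (const fn of list) {
      const r = fn(action, subject);
      if (r !== undefined && r !== null) return r;
    }
    return null; // nothing matched: the action's .policy defaults would apply
  };
  return {
    polkit,
    check: (actionId, subject) => ({
      result: first(rules, { id: actionId }, subject),
      admins: first(adminRules, { id: actionId }, subject) || [],
    }),
  };
}

// Load rule files in lexical filename order, as rules.d is processed.
function loadRules(engine, files) {
  for (const name of Object.keys(files).sort()) {
    new Function("polkit", files[name])(engine.polkit);
  }
}

// The two rule files quoted in the message.
const RULE_FILES = {
  "50-default.rules": `polkit.addAdminRule(function(action, subject) {
      return ["unix-group:wheel"];
    });`,
  "60-require-packagekit-update-adminpassword.rules": `polkit.addRule(function(action, subject) {
      if (action.id == "org.freedesktop.packagekit.system-update") {
        return polkit.Result.AUTH_ADMIN;
      }
    });`,
};

// Constructed subject: a local student session that is not in wheel.
const student = { user: "student1", groups: ["students"], local: true, active: true };
const engine = makeEngine();
loadRules(engine, RULE_FILES);
```

Because the first matching rule wins, any other rules file that sorts before `60-` and returns a value for the same action would override this one, which is worth checking on the deployed stations.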