Does the new Fedora package manager allow unauthorized installations?

Question

I just upgraded to Fedora 22. The biggest change from the previous version is that the yum package manager is now replaced with dnf. One change I've noticed is that if you try to execute a command that comes from a common package which is not yet installed, the terminal will prompt you to install that package. For example:

[wbarlow@wbarlow-thinkpad src]$ ar
bash: ar: command not found...
Install package 'binutils' to provide command 'ar'? [N/y] y


 * Waiting in queue... 
 * Waiting in queue... 
 * Waiting for authentication... 
 * Waiting in queue... 
 * Downloading packages... 
 * Requesting data... 
 * Testing changes... 
 * Installing packages... 
Usage: ar [emulation options] [-]{dmpqrstx}[abcDfilMNoPsSTuvV] [--plugin <name>] [member-name] [count] archive-file file...
       ar -M [<mri-script]
 commands:
  d            - delete file(s) from the archive
  m[ab]        - move file(s) in the archive
  p            - print file(s) found in the archive
  q[f]         - quick append file(s) to the archive
  r[ab][f][u]  - replace existing or insert new file(s) into the archive
  s            - act as ranlib
  t            - display contents of archive
  x[o]         - extract file(s) from the archive
 command specific modifiers:
  [a]          - put file(s) after [member-name]
  [b]          - put file(s) before [member-name] (same as [i])
  [D]          - use zero for timestamps and uids/gids (default)
  [U]          - use actual timestamps and uids/gids
  [N]          - use instance [count] of name
  [f]          - truncate inserted file names
  [P]          - use full path names when matching
  [o]          - preserve original dates
  [u]          - only replace files that are newer than current archive contents
 generic modifiers:
  [c]          - do not warn if the library had to be created
  [s]          - create an archive index (cf. ranlib)
  [S]          - do not build a symbol table
  [T]          - make a thin archive
  [v]          - be verbose
  [V]          - display the version number
  @<file>      - read options from <file>
  --target=BFDNAME - specify the target object format as BFDNAME
 optional:
  --plugin <p> - load the specified plugin
 emulation options: 
  No emulation specific options
ar: supported targets: elf64-x86-64 elf32-i386 elf32-x86-64 a.out-i386-linux pei-i386 pei-x86-64 elf64-l1om elf64-k1om elf64-little elf64-big elf32-little elf32-big plugin srec symbolsrec verilog tekhex binary ihex

In this entire process, I was never asked for a password, and yet I would have had to use an elevated account in order to run dnf install binutils. What is the difference between the installation above and a dnf install installation? Why does one require an elevated permission and the other does not? Is this a security hole?

Couldn't find anything good. Some links though. (1) [An old Fedora 14 bug about this](https://bugzilla.redhat.com/show_bug.cgi?id=573499). (2) [Entry in Fedora Wiki](https://fedoraproject.org/wiki/Features/PackageKitCommandNotFound). (3) [Entry in Fedora packages page](https://apps.fedoraproject.org/packages/PackageKit-command-not-found/overview/) — StackzOfZtuff, Jun 18 '15 at 04:45
@kasperd yes, i am. this is a mostly brand-new installation with not much in the way of custom configuration. — Woodrow Barlow, Jun 22 '15 at 16:14

score 3 · Answer 1 · answered Jun 18 '15 at 15:33

3

I would suggest that you try to reproduce this. Most likely, you already had an authenticated session and your system remembered it due to the keyring. A great way to test would be immediately after a reboot.

aditya@20:54:20:~$ nano
bash: nano: command not found...
Install package 'nano' to provide command 'nano'? [N/y] y


 * Waiting in queue... 
 * Loading list of packages.... 
 * Downloading details about the software sources.... 
 * Loading list of packages.... 
 * Waiting in queue... 
 * Waiting for authentication... Failed to install packages: Failed to obtain authentication.

Disclaimer: I am a Fedora user and contributor.

answered Jun 18 '15 at 15:33

Aditya Patawari

231
1
4

here's what i just did: `sudo dnf remove nano` `reboot` `nano`, and i was presented with the "install package 'nano' [...]" message. i typed 'y' and it installed without my password. – Woodrow Barlow Jun 18 '15 at 16:53
are you using the new dnf package manager? – Woodrow Barlow Jun 18 '15 at 16:54
yes. I am using dnf on fedora 22 – Aditya Patawari Jun 19 '15 at 10:56
well, if you're not experiencing it, i guess i have a local configuration issue. :/ – Woodrow Barlow Jun 19 '15 at 13:54
@WoodrowBarlow: any changes to your sudoers file from default? – Jeff Ferland Jun 19 '15 at 21:59
@Jeff nope, this is more or less a brand new installation. i am using the guake terminal instead of the standard distribution's, but i can't imagine that makes a difference. – Woodrow Barlow Jun 20 '15 at 08:14
unless something else comes up before the bounty ends, i'm going to mark this answer and award the bounty, since it seems to be a configuration problem on my end (which is what this answer is implying). – Woodrow Barlow Jun 22 '15 at 16:16
i am un-marking this as an accepted answer because this question has received recent attention and i continue to see the behavior in fresh installs of fedora 22, 23, and 24. – Woodrow Barlow Nov 29 '16 at 21:20

Woodrow Barlow · Accepted Answer · 2019-12-04T14:59:19.017

This question continues to receive occasional visits and upvotes, and I see that a few of the answers contain parts of the true answer, so I am creating a wiki answer that stitches it all together. A similar question has since been asked and answered at Unix.SE.

According to RH# 1225788, this is intended behavior:

It's by design that admin users (in the wheel group) can install software without having to enter a password. See https://pagure.io/fesco/issue/1115#comment-27002 and the discussion in the ticket for background information.

This behavior can be changed by commenting out the following lines in /usr/share/polkit-1/rules.d/org.freedesktop.packagekit.rules:

polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.packagekit.package-install" &&
        subject.active == true && subject.local == true &&
        subject.isInGroup("wheel")) {
            return polkit.Result.YES;
    }
});

score 1 · Answer 3 · answered Nov 07 '15 at 09:29

when creating the first user (Fedora installation), you can choose to set a special checkbox ("admin" or similar). If set, the created user is given some special authorizations by some polkit-rules (man polkit).

I think this is done by simply adding the user to the "wheel"-group. So if you want to change that behaviour, try "system-config-users" and add/remove the group "wheel".

score -2 · Answer 4 · edited Apr 13 '17 at 12:37

-2

I had the same problem and looked for a solution for a long time. Finally I solved it; the solution is the answer to this question: Unauthorized Installations in dnf after entering a command that's not found

I had to comment out some lines in

/usr/share/polkit-1/rules.d/org.freedesktop.packagekit.rules

Once I did that, bash was forced to show a dialog box during the authentication phase.

edited Apr 13 '17 at 12:37

Community

1

answered Nov 25 '16 at 09:52

Mayank Verma

101
2

3

While this link may answer the question, it is better to include the essential parts of the answer here and provide the link for reference. Link-only answers can become invalid if the linked page changes. - [From Review](/review/low-quality-posts/89301) – S.L. Barth Nov 25 '16 at 11:16
That link contains my question with my answer. If I update anything, it'll be a better answer – Mayank Verma Nov 25 '16 at 11:17
3

I see. For the record, that comment is an automated comment. Your answer is currently in the "Low Quality" queue, and in danger of being deleted. The best thing to do is to [edit] the answer so that it is still useful if the link dies. People here like to have answers that stand on themselves, and don't require them to follow a link. (Might be why your answer got downvoted, as it seems to be technically relevant). – S.L. Barth Nov 25 '16 at 11:23

Does the new Fedora package manager allow unauthorized installations?

4 Answers4