*** This bug is a security vulnerability ***

You have been subscribed to a public security bug by Seth Arnold (seth-arnold):

We have packagekit configured to allow users to install trusted packages
from preconfigured repositories, but to disallow them from installing any
untrusted packages.

The policykit configuration we use is the following:

[tld.univ.packagekit]
Identity=unix-group:adm;
Action=org.freedesktop.packagekit.package-install;org.freedesktop.packagekit.package-reinstall;org.freedesktop.packagekit.package-remove;org.freedesktop.packagekit.system-sources-refresh;org.freedesktop.packagekit.system-update;org.freedesktop.packagekit.repair-system;
ResultAny=auth_self
ResultActive=auth_self
ResultInactive=auth_self

[tld.univ.packagekit-deny]
Identity=unix-user:*;
Action=org.freedesktop.packagekit.package-install-untrusted;
ResultAny=no

We would expect this to prevent users from installing local packages
downloaded from random repositories, however this does not seem to be
the case.

pkcon install-local random_package.deb will happily prompt for the user
to authenticate and will install the package, while
pkcon --allow-untrusted install-local random_package.deb will prompt for
the root password, which the user does not have.

Our initial thought was that the issue would be in packagekitd, but
after further investigation it looks like the issue could be in the aptcc
backend.

We are more than happy to provide you with further details, but the
above should be enough to reproduce the issue.

** Affects: packagekit (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: bionic focal packagekit
-- 
Packagekit lets user install untrusted local packages in Bionic and Focal
https://bugs.launchpad.net/bugs/1882098
You received this bug notification because you are a member of Ubuntu Bugs, 
which is subscribed to the bug report.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
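To see what the posted .pkla rules actually grant, the following is an added example, not code from the bug report, from polkit or from PackageKit. It is a small evaluator for pklocalauthority-style rule files that replays the two sections above against a hypothetical user "alice" in group adm and a hypothetical user "bob" who is not. The matching semantics it implements (glob matching on identities and actions, later sections overriding earlier ones, ResultActive/ResultInactive taking precedence over ResultAny, no match meaning "fall back to the default in the action's .policy file") are a simplified reading of polkit's Local Authority backend and are an assumption of this example; confirm them against pklocalauthority(8) before relying on the tool for anything else.

```python
"""Replay polkit .pkla rules for the PackageKit actions named in the report.

Added example; not part of the bug report, polkit or PackageKit.  The rule
semantics below are a simplified, assumed model of polkit's Local Authority
backend, written so the report's configuration can be reasoned about offline.
"""
import fnmatch
from dataclasses import dataclass, field

# Constructed input: the two sections quoted in the report, copied verbatim.
PKLA = """\
[tld.univ.packagekit]
Identity=unix-group:adm;
Action=org.freedesktop.packagekit.package-install;org.freedesktop.packagekit.package-reinstall;org.freedesktop.packagekit.package-remove;org.freedesktop.packagekit.system-sources-refresh;org.freedesktop.packagekit.system-update;org.freedesktop.packagekit.repair-system;
ResultAny=auth_self
ResultActive=auth_self
ResultInactive=auth_self

[tld.univ.packagekit-deny]
Identity=unix-user:*;
Action=org.freedesktop.packagekit.package-install-untrusted;
ResultAny=no
"""


@dataclass
class Entry:
    """One [section] of a .pkla file."""
    name: str
    identities: list = field(default_factory=list)   # e.g. unix-group:adm
    actions: list = field(default_factory=list)      # action-id globs
    results: dict = field(default_factory=dict)      # any/active/inactive -> result


def parse_pkla(text):
    """Parse the INI-like .pkla format; ';'-separated lists, '#' comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            entries.append(Entry(line[1:-1]))
            continue
        key, _, value = line.partition("=")
        items = [v for v in value.split(";") if v]
        entry = entries[-1]
        if key == "Identity":
            entry.identities = items
        elif key == "Action":
            entry.actions = items
        elif key in ("ResultAny", "ResultActive", "ResultInactive"):
            entry.results[key[len("Result"):].lower()] = value
    return entries


def identity_matches(patterns, user, groups):
    """unix-user:NAME / unix-group:NAME with glob support (assumed semantics)."""
    for pattern in patterns:
        kind, _, name = pattern.partition(":")
        if kind == "unix-user" and fnmatch.fnmatchcase(user, name):
            return True
        if kind == "unix-group" and any(fnmatch.fnmatchcase(g, name) for g in groups):
            return True
    return False


def evaluate(entries, action, user, groups, session="active"):
    """Return the rule result for action/user, or None if no section matches.

    Later sections override earlier ones.  A session-specific result
    (active/inactive) wins over ResultAny.  None means polkit would fall back
    to the default declared in the action's .policy file (assumed model).
    """
    result = None
    for entry in entries:
        if not identity_matches(entry.identities, user, groups):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in entry.actions):
            continue
        if session in entry.results:
            result = entry.results[session]
        elif "any" in entry.results:
            result = entry.results["any"]
    return result


def policy_table(entries):
    """Outcomes for the two actions the report contrasts, for two test users."""
    actions = ("org.freedesktop.packagekit.package-install",
               "org.freedesktop.packagekit.package-install-untrusted")
    users = {"alice": ["adm"], "bob": ["bob"]}   # hypothetical users
    return {(user, act): evaluate(entries, act, user, groups)
            for user, groups in users.items() for act in actions}


if __name__ == "__main__":
    for (user, act), res in policy_table(parse_pkla(PKLA)).items():
        print(f"{user:6} {act:55} -> {res}")
```

Under this model the rules do exactly what the reporter intends: an adm member gets auth_self for package-install and a hard "no" for package-install-untrusted, in both active and inactive sessions. So if `pkcon install-local` on an unsigned .deb completes after only a self-authentication, the request reaching polkit must be for package-install rather than package-install-untrusted, which is consistent with the report's suspicion that the backend, not the rule file, is where the distinction is lost. On a real system the same question can be put to polkit directly with `pkcheck --action-id org.freedesktop.packagekit.package-install-untrusted --process $$`, which should answer "Not authorized" for a non-root shell under these rules.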
