[Bug 1882098] Re: Packagekit lets user install untrusted local packages in Bionic and Focal

Sami Niemimäki 1882098 at bugs.launchpad.net
Sat Jun 13 07:03:13 UTC 2020


Hello Seth,

The packagekit-deny rule should not be necessary; it's there to
underline what is specifically not allowed.

AFAIK, there are no other rules which could have granted this
permission. This happens on a fresh install of Ubuntu where the above is
the only modification to polkit rules.

I'm on vacation since yesterday evening, so I cannot currently check if
the groups have some kind of unexpected effect.

See this for reference:
https://github.com/hughsie/PackageKit/blob/master/policy/org.freedesktop.packagekit.policy.in

The issue is that the command
'pkcon install-local evil-package-i-just-created.deb'
triggers the action 'org.freedesktop.packagekit.package-install'
instead of 'org.freedesktop.packagekit.package-install-untrusted'
which it should.

-- 
You received this bug notification because you are a member of
PackageKit-Team, which is subscribed to packagekit in Ubuntu.
https://bugs.launchpad.net/bugs/1882098
