[Bug 1882098] Re: Packagekit lets user install untrusted local packages in Bionic and Focal
Sami Niemimäki
1882098 at bugs.launchpad.net
Sat Jun 13 07:03:13 UTC 2020
Hello Seth,
the packagekit-deny rule should not be necessary, it's there to
underline what is specifically not allowed.
AFAIK, there are no other rules which could have granted this
permission. This happens on a fresh install of Ubuntu where the above is
the only modification to polkit rules.
I'm on vacation since yesterday evening, so I cannot currently check if
the groups have some kind of unexpected effect.
See this for reference:
https://github.com/hughsie/PackageKit/blob/master/policy/org.freedesktop.packagekit.policy.in
The issue is that the command
'pkcon install-local evil-package-i-just-created.deb' triggers the action
'org.freedesktop.packagekit.package-install' instead of
'org.freedesktop.packagekit.package-install-untrusted' which it should.
--
https://bugs.launchpad.net/bugs/1882098