Require admin authorisation to trigger a distro upgrade

https://bugzilla.redhat.com/show_bug.cgi?id=1335458
2016-05-28 11:15:41 +02:00 · 2016-05-28 11:15:41 +02:00 · 1bcb849a86
commit 1bcb849a86
parent 90da15530a
2 changed files with 61 additions and 1 deletions
--- a/0001-Require-admin-authorisation-to-trigger-a-distro-upgr.patch
+++ b/0001-Require-admin-authorisation-to-trigger-a-distro-upgr.patch
@ -0,0 +1,54 @@
+From f2368faaeeee7bbce951499a4428f9530fde5c09 Mon Sep 17 00:00:00 2001
+From: Richard Hughes <richard@hughsie.com>
+Date: Wed, 25 May 2016 10:41:48 +0100
+Subject: [PATCH] Require admin authorisation to trigger a distro upgrade
+
+Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1335458
+---
+ policy/org.freedesktop.packagekit.policy.in | 16 ++++++++++++++++
+ src/pk-engine.c                             |  2 +-
+ 2 files changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/policy/org.freedesktop.packagekit.policy.in b/policy/org.freedesktop.packagekit.policy.in
+index aac0fd1..221010d 100644
+--- a/policy/org.freedesktop.packagekit.policy.in
+++ b/policy/org.freedesktop.packagekit.policy.in
+@@ -286,6 +286,22 @@
+     </defaults>
+   </action>
+ 
+  <action id="org.freedesktop.packagekit.trigger-offline-upgrade">
+    <!-- SECURITY:
+          - Normal users require admin authentication to upgrade the system
+            to a new distribution since this can make the system unbootable or
+            stop other applications from working.
+     -->
+    <_description>Trigger offline updates</_description>
+    <_message>Authentication is required to trigger offline updates</_message>
+    <icon_name>package-x-generic</icon_name>
+    <defaults>
+      <allow_any>auth_admin</allow_any>
+      <allow_inactive>auth_admin</allow_inactive>
+      <allow_active>auth_admin</allow_active>
+    </defaults>
+  </action>
+
+   <action id="org.freedesktop.packagekit.clear-offline-update">
+     <!-- SECURITY:
+           - Normal users are able to clear the updates message that is
+diff --git a/src/pk-engine.c b/src/pk-engine.c
+index 6b145b6..603de08 100644
+--- a/src/pk-engine.c
+++ b/src/pk-engine.c
+@@ -1733,7 +1733,7 @@ pk_engine_offline_method_call (GDBusConnection *connection_, const gchar *sender
+ 		helper->invocation = g_object_ref (invocation);
+ 		helper->action = action;
+ 		polkit_authority_check_authorization (engine->priv->authority, subject,
+-						      "org.freedesktop.packagekit.trigger-offline-update",
+						      "org.freedesktop.packagekit.trigger-offline-upgrade",
+ 						      NULL,
+ 						      POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION,
+ 						      NULL,
+-- 
+2.7.4
+
--- a/PackageKit.spec
+++ b/PackageKit.spec
@ -7,13 +7,15 @@
 Summary:   Package management service
 Name:      PackageKit
 Version:   1.1.1
-Release:   1%{?dist}
+Release:   2%{?dist}
 License:   GPLv2+ and LGPLv2+
 URL:       http://www.freedesktop.org/software/PackageKit/
 Source0:   http://www.freedesktop.org/software/PackageKit/releases/%{name}-%{version}.tar.xz

 # Fedora-specific: set Vendor.conf up for Fedora.
 Patch0:    PackageKit-0.3.8-Fedora-Vendor.conf.patch
+# Backported from upstream
+Patch1:    0001-Require-admin-authorisation-to-trigger-a-distro-upgr.patch

 Requires: %{name}-glib%{?_isa} = %{version}-%{release}
 Requires: shared-mime-info
@ -147,6 +149,7 @@ using PackageKit.
 %prep
 %setup -q
 %patch0 -p1 -b .fedora
+%patch1 -p1

 %build
 %configure \
@ -276,6 +279,9 @@ systemctl disable packagekit-offline-update.service > /dev/null 2>&1 || :
 %{_datadir}/vala/vapi/packagekit-glib2.vapi

 %changelog
+* Sat May 28 2016 Kalev Lember <klember@redhat.com> - 1.1.1-2
+- Require admin authorisation to trigger a distro upgrade (#1335458)
+
 * Wed Apr 20 2016 Richard Hughes <rhughes@redhat.com> - 1.1.1-1
 - New upstream release
 - Add TriggerUpgrade DBus method handling