Add package-remove-password-prompt.patch for fedora-workstation#233

2021-07-15 15:17:02 -05:00 · 2021-07-15 15:17:02 -05:00 · c09742ba63
commit c09742ba63
parent f795abf2c8
2 changed files with 40 additions and 1 deletions
--- a/PackageKit.spec
+++ b/PackageKit.spec
@ -6,7 +6,7 @@
 Summary:   Package management service
 Name:      PackageKit
 Version:   1.2.3
-Release:   1%{?dist}
+Release:   2%{?dist}
 License:   GPLv2+ and LGPLv2+
 URL:       http://www.freedesktop.org/software/PackageKit/
 Source0:   http://www.freedesktop.org/software/PackageKit/releases/%{name}-%{version}.tar.xz
@ -17,6 +17,10 @@ Patch0:    PackageKit-0.3.8-Fedora-Vendor.conf.patch
 Patch0:    PackageKit-0.3.8-RHEL-Vendor.conf.patch
 %endif

+# https://pagure.io/fedora-workstation/issue/233
+# https://github.com/PackageKit/PackageKit/pull/404
+Patch1:    package-remove-password-prompt.patch
+
 BuildRequires: glib2-devel >= %{glib2_version}
 BuildRequires: xmlto
 BuildRequires: gtk-doc
@ -234,6 +238,9 @@ systemctl disable packagekit-offline-update.service > /dev/null 2>&1 || :
 %{_datadir}/vala/vapi/packagekit-glib2.deps

 %changelog
+* Thu Jul 15 2021 Michael Catanzaro <mcatanzaro@redhat.com> - 1.2.3-2
+- Add package-remove-password-prompt.patch for fedora-workstation#233
+
 * Mon Mar 22 2021 Richard Hughes <rhughes@redhat.com> - 1.2.3-1
 - New upstream release
 - Add support for coercing upgrade to distupgrade
--- a/package-remove-password-prompt.patch
+++ b/package-remove-password-prompt.patch
@ -0,0 +1,32 @@
+From 8914e11968a934faa651311fd98a98a3a19218ae Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@gnome.org>
+Date: Wed, 3 Jun 2020 10:45:12 -0500
+Subject: [PATCH] Allow admin users to remove packages without password prompt
+
+A local, active admin user can install packages without a password
+prompt, but has to enter the admin password to remove packages. This
+doesn't make much sense. It should be parallel.
+
+Note that this change has no effect on what users are able to do,
+because it only applies to admin users. The password only protects
+against unlocked workstation attackers, where an attacker gains physical
+access to an unlocked desktop. It's pretty weird to prevent such an
+attacker from removing software, but allow installing new stuff.
+
+https://pagure.io/fedora-workstation/issue/233
+---
+ policy/org.freedesktop.packagekit.rules | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/policy/org.freedesktop.packagekit.rules b/policy/org.freedesktop.packagekit.rules
+index 6a1c8a701..95d21925f 100644
+--- a/policy/org.freedesktop.packagekit.rules
+++ b/policy/org.freedesktop.packagekit.rules
+@@ -1,5 +1,6 @@
+ polkit.addRule(function(action, subject) {
+-    if (action.id == "org.freedesktop.packagekit.package-install" &&
+    if ((action.id == "org.freedesktop.packagekit.package-install" ||
+         action.id == "org.freedesktop.packagekit.package-remove") &&
+         subject.active == true && subject.local == true &&
+         subject.isInGroup("wheel")) {
+             return polkit.Result.YES;