rpms / fedora-release

Clone
Source Code
GIT

#321 rpm-ostree: require password for all system modifications
Closed 2 months ago by boredsquirrel. Opened 3 months ago by boredsquirrel.
Unknown source rawhide  into  rawhide

file modified
+1 -1 
@@ -21,7 +21,7 @@
 

  # https://fedoraproject.org/w/index.php?title=Starting_services_by_default&oldid=377748
 

  enable dbus.socket
 

  enable dbus-broker.service
 

- enable sshd.service
 

+ 

  

  # Locally-running services
 

  enable atd.*

file modified
-18 
@@ -3,22 +3,4 @@
 

          subject.active == true && subject.local == true) {
 

              return polkit.Result.YES;
 

      }
 

- 

-     if ((action.id == "org.projectatomic.rpmostree1.install-uninstall-packages" ||
 

-          action.id == "org.projectatomic.rpmostree1.install-local-packages" ||
 

-          action.id == "org.projectatomic.rpmostree1.override" ||
 

-          action.id == "org.projectatomic.rpmostree1.deploy" ||
 

-          action.id == "org.projectatomic.rpmostree1.upgrade" ||
 

-          action.id == "org.projectatomic.rpmostree1.rebase" ||
 

-          action.id == "org.projectatomic.rpmostree1.rollback" ||
 

-          action.id == "org.projectatomic.rpmostree1.bootconfig" ||
 

-          action.id == "org.projectatomic.rpmostree1.reload-daemon" ||
 

-          action.id == "org.projectatomic.rpmostree1.cancel" ||
 

-          action.id == "org.projectatomic.rpmostree1.cleanup" ||
 

-          action.id == "org.projectatomic.rpmostree1.client-management") &&
 

-         subject.active == true &&
 

-         subject.local == true &&
 

-         subject.isInGroup("wheel")) {
 

-             return polkit.Result.YES;
 

-     }
 

  });

Like on Workstation, a password should be required to prevent arbitrary manipulations of the OS without a password.

https://github.com/rohanssrao/silverblue-privesc

Issue: https://gitlab.com/fedora/ostree/sig/-/issues/7

Previous, closed PR: https://src.fedoraproject.org/rpms/fedora-release/pull-request/316

Build failed. More information on how to proceed and troubleshoot errors available at https://fedoraproject.org/wiki/Zuul-based-ci
https://fedora.softwarefactory-project.io/zuul/buildset/cbe80b8e18304f84a384e94e5e3328bb

This currently breaks updates without a password prompt (minor issue, will still work), I will add updates for all users in a second PR.

This is the most important change.

I don't think so. Enabling non-admin updates is the main priority as admin users already have lots of ways to compromise their systems.

We will need to land both and we need to test both to make sure we don't regress.

We may also want to make a Fedora Change for it.

Please always link to the relevant issue (https://gitlab.com/fedora/ostree/sig/-/issues/7) when making a PR (in the commit message as well) and include links to previous work and discussion for reference (https://src.fedoraproject.org/rpms/fedora-release/pull-request/316).

Build failed. More information on how to proceed and troubleshoot errors available at https://fedoraproject.org/wiki/Zuul-based-ci
https://fedora.softwarefactory-project.io/zuul/buildset/08fc6c3763d44ed5b2b4abac5ff592b9

related PR for allowing upgrades for all users:

https://src.fedoraproject.org/rpms/fedora-release/pull-request/322

1 new commit added

  • do not enable sshd by default
2 months ago

Sorry, messed that up again. Will close both PRs and create them in separate branches.

Pull-Request has been closed by boredsquirrel
2 months ago

Build failed. More information on how to proceed and troubleshoot errors available at https://fedoraproject.org/wiki/Zuul-based-ci
https://fedora.softwarefactory-project.io/zuul/buildset/df325ab1aba3434195773995b165eb5a
Metadata
None
No Tags
Changes Summary 2
+1 -1
file changed
90-default.preset
+0 -18
file changed
org.projectatomic.rpmostree1.rules
Powered by Pagure 5.14.1
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.