Allow admin users to remove packages without password prompt #492

Closed
mcatanzaro
Contributor

This replaces #404.

A local, active admin user can install packages without a password
prompt, but has to enter the admin password to remove packages. This
doesn't make much sense. It should be parallel.

Note that this change has no effect on what users are able to do,
because it only applies to admin users. The password only protects
against unlocked workstation attackers, where an attacker gains physical
access to an unlocked desktop. It's pretty weird to prevent such an
attacker from removing software, but allow installing new stuff.

This makes users more vulnerable to secret agents who access your laptop
when you leave it unlocked while ordering a coffee. This is just not a
very practical concern for most users. I'd be more upset about somebody
viewing my files if I leave my laptop unlocked, not so upset about
somebody uninstalling Calendar or whatnot.

https://pagure.io/fedora-workstation/issue/233
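
The parity argued for above, sketched as a polkit rule body with a small Node.js harness around it. This is an added example, not this pull request's patch or PackageKit's shipped policy; the `wheel` admin group, the `auth_admin_keep` fallback and the harness helpers `subject` and `decide` are assumptions.

```javascript
// Minimal stand-in for the `polkit` object that polkitd exposes to rules.d
// files, so the rule body can be exercised under Node.js.
const polkit = {
  Result: { YES: "yes", AUTH_ADMIN_KEEP: "auth_admin_keep", NOT_HANDLED: "not-handled" },
};

const INSTALL = "org.freedesktop.packagekit.package-install";
const REMOVE = "org.freedesktop.packagekit.package-remove";

// Actions an admin may perform without a prompt. Listing REMOVE next to
// INSTALL is the parity the pull request asks for.
const PASSWORDLESS_ACTIONS = new Set([INSTALL, REMOVE]);

// Rule body, in the shape polkit.addRule() expects in a rules.d file.
function packageKitAdminRule(action, subject) {
  if (PASSWORDLESS_ACTIONS.has(action.id) &&
      subject.local && subject.active &&   // local, active session only
      subject.isInGroup("wheel")) {        // assumption: admins are in "wheel"
    return polkit.Result.YES;
  }
  return polkit.Result.NOT_HANDLED;        // fall through to the .policy default
}

// Constructed subject carrying only the polkit Subject fields the rule reads.
function subject({ groups = [], local = true, active = true } = {}) {
  return { local, active, isInGroup: (g) => groups.includes(g) };
}

// Final decision: the rule first, otherwise the (assumed) policy default that
// asks for the admin password.
function decide(actionId, subj, policyDefault = polkit.Result.AUTH_ADMIN_KEEP) {
  const result = packageKitAdminRule({ id: actionId }, subj);
  return result === polkit.Result.NOT_HANDLED ? policyDefault : result;
}

// Constructed sessions: only the local, active admin skips the prompt.
console.log("admin, local+active:", decide(REMOVE, subject({ groups: ["wheel"] })));
console.log("non-admin user:     ", decide(REMOVE, subject({ groups: ["users"] })));
console.log("admin, remote:      ", decide(REMOVE, subject({ groups: ["wheel"], local: false })));
console.log("admin, inactive:    ", decide(REMOVE, subject({ groups: ["wheel"], active: false })));
```

Non-admin, remote and inactive sessions fall through to the prompt, which matches the description's point that the change only affects what a local, active admin is asked for.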

@hughsie
Collaborator

hughsie commented Jun 22, 2021

I thought you were going to do this downstream?

@Conan-Kudo
Member

I suggested doing it upstream, since I'm not convinced there's a good reason to maintain it as a downstream-only change.

@hughsie
Collaborator

hughsie commented Jun 22, 2021

> I'm not convinced there's a good reason to maintain it as a downstream-only change

Does the upstream maintainer doesn't think it's a good idea count?

@Conan-Kudo
Member

Conan-Kudo commented Jun 22, 2021

> > I'm not convinced there's a good reason to maintain it as a downstream-only change
>
> Does the upstream maintainer doesn't think it's a good idea count?

You did not say that: #404 (comment)

Quote:

> I agree with you dude, but this isn't a battle I really want to fight right now.

If there's a "battle" to be fought for it, let's have the battle, then. @mcatanzaro and I can have this conversation with the relevant Red Hat security folks. Point them our way, let's figure this out.

SUSE is not relevant (sorry!), they already don't ship our polkit policy and use their own one that makes PackageKit even more unusable by default.

@hughsie
Collaborator

hughsie commented Jun 22, 2021

> I agree with you dude, but this isn't a battle I really want to fight right now.

Keep reading all the other comments in that discussion.

@mcatanzaro
Contributor Author

> If there's a "battle" to be fought for it, let's have the battle, then. @mcatanzaro and I can have this conversation with the relevant Red Hat security folks. Point them our way, let's figure this out.

FWIW, yes I will help with any downstream issues, I don't expect any such battle except maybe occasional questions from users. (1) the change is already approved by the appropriate Fedora governance body (Workstation WG, since PackageKit is a desktop technology). (2) Product Security is full of smart people who understand threat modeling. The threat here is sufficiently farfetched that it would be weird for anybody to be too concerned.

@hughsie
Collaborator

hughsie commented Jun 22, 2021

> that it would be weird for anybody to be too concerned

Can we stick to being nice to each other please.

@mcatanzaro
Contributor Author

Apologies, that was rude of me.

@Conan-Kudo
Member

Closing this because @mcatanzaro is looking to do this downstream.

@Conan-Kudo Conan-Kudo closed this Jul 14, 2021