PR#316: rpm-ostree: allow upgrades for all, require password for changes - rpms/fedora-release

rpms / fedora-release

#316 rpm-ostree: allow upgrades for all, require password for changes

Closed 2 months ago by boredsquirrel. Opened 3 months ago by boredsquirrel.

Unknown source rawhide into rawhide

rpm-ostree: allow any user to refresh and upgrade

Bernhard Bloxberg • 2 months ago

4604ae3

allow upgrades for all, require password for changes

Bernhard Bloxberg • 3 months ago

23473ae

org.projectatomic.rpmostree1.rules

file modified

+4 -5

		`@@ -1,14 +1,13 @@`
		`polkit.addRule(function(action, subject) {`
		`- if (action.id == "org.projectatomic.rpmostree1.repo-refresh" &&`
		`- subject.active == true && subject.local == true) {`
		`+ if (action.id == "org.projectatomic.rpmostree1.repo-refresh" \|\|`
		`+ action.id == "org.projectatomic.rpmostree1.upgrade") {`
		`return polkit.Result.YES;`
		`}`
		`-`
		`+`
		`if ((action.id == "org.projectatomic.rpmostree1.install-uninstall-packages" \|\|`
		`action.id == "org.projectatomic.rpmostree1.install-local-packages" \|\|`
		`action.id == "org.projectatomic.rpmostree1.override" \|\|`
		`action.id == "org.projectatomic.rpmostree1.deploy" \|\|`
		`- action.id == "org.projectatomic.rpmostree1.upgrade" \|\|`
		`action.id == "org.projectatomic.rpmostree1.rebase" \|\|`
		`action.id == "org.projectatomic.rpmostree1.rollback" \|\|`
		`action.id == "org.projectatomic.rpmostree1.bootconfig" \|\|`
		`@@ -21,4 +20,4 @@`
		`subject.isInGroup("wheel")) {`
		`return polkit.Result.YES;`
		`}`
		`- });`
		`+ });`
		`\ No newline at end of file`

boredsquirrel commented 3 months ago

There is no need for wheel users to change their system without a password confirmation.

On the other hand, nonwheel users cannot perform any upgrades currently, which is a bad state.

Regular Fedora requires a password for performing such elevated actions, there is no reason to allow this. I use my system with this rule and it works fine.

sgallagh commented 3 months ago

For a change to permissions like this, I'd really like to see this associated with a formal decision from the involved SIGs somewhere. Do you have a link to such a decision?

zuul commented 3 months ago

Build failed. More information on how to proceed and troubleshoot errors available at https://fedoraproject.org/wiki/Zuul-based-ci
https://fedora.softwarefactory-project.io/zuul/buildset/3733dae2e37640ce807928e1368ded8b

check-for-arches : SUCCESS in 1m 52s
check-for-eln : SUCCESS in 18s
eln-rpm-scratch-build : SUCCESS in 11m 26s
rpm-scratch-build : SUCCESS in 10m 04s
rpm-scratch-build-s390x : SUCCESS in 11m 37s (non-voting)
rpm-scratch-build-ppc64le : SUCCESS in 14m 24s (non-voting)
rpm-scratch-build-i686 : SUCCESS in 8m 37s (non-voting)
rpm-scratch-build-aarch64 : SUCCESS in 10m 45s (non-voting)
rpm-linter : FAILURE in 20m 38s (non-voting)
rpm-rpminspect : TIMED_OUT in 30m 51s (non-voting)
check-for-sti-tests : SUCCESS in 15s
check-for-fmf-tests : SUCCESS in 15s
rpm-install-test : FAILURE in 1m 14s
Skipped 2 jobs

sgallagh commented 3 months ago

I asked around, and this appears related to https://gitlab.com/fedora/ostree/sig/-/issues/7 which is still under discussion upstream.

I'm going to close this merge request; please resubmit once the upstream discussion is complete.

Pull-Request has been closed by sgallagh

3 months ago

boredsquirrel commented 3 months ago

hey, yes that discussion was "dead" for a long time. Mentioned this PR there. @siosm

Edited 3 months ago by boredsquirrel

Pull-Request has been reopened by boredsquirrel

3 months ago

zuul commented 3 months ago

check-for-arches : SUCCESS in 1m 36s
check-for-eln : SUCCESS in 18s
eln-rpm-scratch-build : SUCCESS in 10m 55s
rpm-scratch-build : SUCCESS in 12m 35s
rpm-scratch-build-s390x : SUCCESS in 10m 06s (non-voting)
rpm-scratch-build-ppc64le : SUCCESS in 11m 04s (non-voting)
rpm-scratch-build-i686 : SUCCESS in 10m 06s (non-voting)
rpm-scratch-build-aarch64 : SUCCESS in 10m 25s (non-voting)
rpm-linter : FAILURE in 13m 40s (non-voting)
rpm-rpminspect : FAILURE in 14m 03s (non-voting)
check-for-sti-tests : SUCCESS in 15s
check-for-fmf-tests : SUCCESS in 15s
rpm-install-test : FAILURE in 1m 13s
Skipped 2 jobs

siosm commented 3 months ago

Let's split this into two PRs. First one to add the upgrade permission and a second one to remove some permissions from the wheel section.

We will have to evaluate the security of each one independently to make sure we're not opening something we don't want.

1 new commit added

rpm-ostree: allow any user to refresh and upgrade

2 months ago

boredsquirrel commented 2 months ago

okay if you think so 🤷🏾

so this is the one to fix updates for nonwheel users, as well as to allow upgrades for all users, remote, not logged in (as far as I understood that part) etc.

Updating and refreshing should not create any attack surface.

Edited 2 months ago by boredsquirrel

zuul commented 2 months ago

check-for-arches : SUCCESS in 1m 48s
check-for-eln : SUCCESS in 17s
eln-rpm-scratch-build : SUCCESS in 10m 55s
rpm-scratch-build : SUCCESS in 12m 01s
rpm-scratch-build-s390x : SUCCESS in 10m 20s (non-voting)
rpm-scratch-build-ppc64le : SUCCESS in 12m 09s (non-voting)
rpm-scratch-build-i686 : SUCCESS in 8m 58s (non-voting)
rpm-scratch-build-aarch64 : SUCCESS in 10m 37s (non-voting)
rpm-linter : FAILURE in 15m 04s (non-voting)
rpm-rpminspect : FAILURE in 13m 54s (non-voting)
check-for-sti-tests : SUCCESS in 16s
check-for-fmf-tests : SUCCESS in 16s
rpm-install-test : FAILURE in 1m 16s
Skipped 2 jobs

siosm commented 2 months ago

Please squash commits and include only the relevant changes, nothing else.

Note that you are also changing the logic around subject.active == true && subject.local == true, which is probably not what we want, at least initially, so let's keep this.

boredsquirrel commented 2 months ago

I am currently having trouble with connecting git to pagure (username password auth not working) so as I think this is quite important I will close this PR and open a new one.

Pull-Request has been closed by boredsquirrel

2 months ago

boredsquirrel commented 2 months ago

I opened a new PR that first addresses the security critical part of this PR.

For the second one, why should updates be bound to local and active users? Will this break background updates, or updates on systems where users ssh/VNC only?