Hardened rpm-ostree polkit rule. Is anything missing?

https://src.fedoraproject.org/fork/boredsquirrel/rpms/fedora-release/c/7694cc83a711dffe861d11fc41e0b800a71226d0?branch=f39

The current polkit rule is very broken

So this obviously has to change.

Could you look at the new file and tell if anything is missing? I am unsure if even less is really needed.

Idea:

  • unprivileged users can use automatic updates and don’t even need to see them. This also has to work everywhere, including when logged in remotely, or on a running system with no logged-in user.
  • if you change the system, you need a password.
  • without a password nobody should be able to rebase, deploy, stop updates (fixing possible security vulnerabilities) etc.

This may break software stores without a polkit password prompt. But I am honestly very much against encouraging layering RPMs in GUI software stores, as this is not even officially supported.

Do you find any loopholes that should also be behind a password? Or things that should be allowed?

2 Likes
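One way to express the idea above as a polkit rule, with a small offline harness to check each decision (added example, not the rule from the linked fedora-release fork or the poster's file). The `org.projectatomic.rpmostree1.*` action ids and the stand-in `polkit` object are assumptions; the split "upgrade without prompt, everything else needs an administrator password" is my reading of the post.

```javascript
// Constructed stand-in for the polkit JS API so the rule can be exercised
// offline with node; on a real system polkitd provides this object.
var polkit = {
  Result: { NOT_HANDLED: "not_handled", NO: "no", YES: "yes", AUTH_ADMIN: "auth_admin" },
  _rules: [],
  addRule: function (fn) { this._rules.push(fn); }
};

// --- The rule, as it would be installed under /etc/polkit-1/rules.d/ ---
// Action ids are the rpm-ostree ones as I know them (assumption: not from the post).
polkit.addRule(function (action, subject) {
  if (action.id.indexOf("org.projectatomic.rpmostree1.") !== 0) {
    return polkit.Result.NOT_HANDLED;        // let other rules/defaults decide
  }
  // Fetching the next update: no prompt, and deliberately no subject.local /
  // subject.active check, so remote and session-less callers are not blocked.
  if (action.id === "org.projectatomic.rpmostree1.upgrade") {
    return polkit.Result.YES;
  }
  // rebase, deploy, rollback, cancel, package layering, ...: always ask for an
  // administrator password (AUTH_ADMIN, not AUTH_ADMIN_KEEP, so no cached grant).
  return polkit.Result.AUTH_ADMIN;
});

// Minimal evaluator mirroring polkitd's order of operations: uid 0 is always
// authorized (that is why the daemon's own automatic updates never hit the
// rule), then rules run in order and the first non-NOT_HANDLED result wins.
function authorize(actionId, subject) {
  if (subject.user === "root") return polkit.Result.YES;
  for (var i = 0; i < polkit._rules.length; i++) {
    var r = polkit._rules[i]({ id: actionId }, subject);
    if (r !== undefined && r !== polkit.Result.NOT_HANDLED) return r;
  }
  return polkit.Result.NOT_HANDLED;   // polkitd would fall back to .policy defaults
}

// Constructed subjects: an unprivileged user over ssh and a local one.
function subj(user, local, active) {
  return { user: user, local: local, active: active,
           isInGroup: function () { return false; } };
}

var cases = [
  ["org.projectatomic.rpmostree1.upgrade", subj("alice", false, false)],
  ["org.projectatomic.rpmostree1.rebase",  subj("alice", true, true)],
  ["org.projectatomic.rpmostree1.cancel",  subj("alice", true, true)],
  ["org.freedesktop.login1.reboot",        subj("alice", true, true)]
];
cases.forEach(function (c) { console.log(c[0], c[1].user, "->", authorize(c[0], c[1])); });
```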