Shouldn't sudoers be required to enter a password or use sudo to install layered packages with "rpm-ostree install"?

I am loving my fedora silverblue but it bothers me that sudoers are not asked for a password when they install layered packages with rpm-ostree install . In mainstream fedora-workstation systems a sudoer unlike root always have to use sudo to install packages with dnf.

2 Likes

It is pretty easy to undo but if you left your system logged in and unattended, someone could get up to some mischief. But new installed packages would not take affect until they reboot and then they could not login.

1 Like

How can I undo it correctly (i.e I’m thinking about changing the permission of rpm-ostree binary or modifying the sudoers file). I want to add a line in my post.sh file in my ostree.

The permissions are set in /usr/share/polkit-1/rules.d/org.projectatomic.rpmostree1.rules. You can override them in /etc/polkit-1/rules.d/org.projectatomic.rpmostree1.rules

2 Likes

Thanks I found the permission files and I was able to override them.

It could allow for some malware install, the user logs in and goes on. I guess it should require sudo actually

Is there anywhere a discussion or statement/explanation around not needing sudo rights?

If soemone manages to install something while I do not look, it’s installed the next time I use my computer which is as bad as if it would’ve been indtalled right away.

I found something

Which links to add polkit 🔒 support · Issue #745 · coreos/rpm-ostree · GitHub