Not sure whether removing files that came with distro packages is the
best idea long term. I think a better option would be to drop in a
custom rule that runs before the default ones. As usual ArchWiki has
some examples:
https://wiki.archlinux.org/index.php/Polkit#Administrator_identities

Specifically, if I'm reading this right, putting the following rule in
/etc/polkit-1/rules.d/00-override.rules should be enough:

/* Always authenticate Admins by prompting for the root
 * password, similar to the rootpw option in sudo
 */
polkit.addAdminRule(function(action, subject) {
    return ["unix-user:root"];
});

Having this it's easy to build a package that can be later distributed
to other workstations.

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to policykit-1 in Ubuntu.
https://bugs.launchpad.net/bugs/1850977

Title:
  Snap installs software without user having sudo access

Status in gnome-software package in Ubuntu:
  Invalid
Status in policykit-1 package in Ubuntu:
  New
Status in snapd package in Ubuntu:
  Invalid

Bug description:
  $ lsb_release -rd
  Description:  Ubuntu 18.04.2 LTS
  Release:      18.04

  $ apt-cache policy gnome-software
  gnome-software:
    Installed: 3.28.1-0ubuntu4.18.04.8
    Candidate: 3.28.1-0ubuntu4.18.04.12
    Version table:
       3.28.1-0ubuntu4.18.04.12 500
          500 http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 
Packages
   *** 3.28.1-0ubuntu4.18.04.8 100
          100 /var/lib/dpkg/status
       3.28.1-0ubuntu4 500
          500 http://us.archive.ubuntu.com/ubuntu bionic/main amd64

  What I expect to happen:
    Software is not installed for a user without sudo access.

  What does happen:
  I'm logging in with an LDAP user. This user does not have sudo access.

  When I select software from gnome-software ("Ubuntu Software"), it
  pops up and asks for my users password. I enter this in, and the
  software then installs (tested with blender, libreoffice, opencl
  driver).

  My user does *not* have sudo access on the system.

  $ sudo su -
  [sudo] password for jason: 
  jason is not in the sudoers file.  This incident will be reported.

  It appears these *may* be being installed with Snaps ... which still:

  How, without having root access, can an unprivileged user install
  something onto the system?

  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: gnome-software 3.28.1-0ubuntu4.18.04.8
  ProcVersionSignature: Ubuntu 5.0.0-32.34~18.04.2-generic 5.0.21
  Uname: Linux 5.0.0-32-generic x86_64
  ApportVersion: 2.20.9-0ubuntu7.5
  Architecture: amd64
  CurrentDesktop: ubuntu:GNOME
  Date: Fri Nov  1 13:53:03 2019
  InstallationDate: Installed on 2019-11-01 (0 days ago)
  InstallationMedia: Ubuntu 18.04.2 LTS "Bionic Beaver" - Release amd64 
(20190210)
  InstalledPlugins:
   gnome-software-plugin-flatpak N/A
   gnome-software-plugin-limba   N/A
   gnome-software-plugin-snap    3.28.1-0ubuntu4.18.04.8
  ProcEnviron:
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=<set>
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: gnome-software
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnome-software/+bug/1850977/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to     : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to