From 8914e11968a934faa651311fd98a98a3a19218ae Mon Sep 17 00:00:00 2001 From: Michael Catanzaro Date: Wed, 3 Jun 2020 10:45:12 -0500 Subject: [PATCH] Allow admin users to remove packages without password prompt A local, active admin user can install packages without a password prompt, but has to enter the admin password to remove packages. This doesn't make much sense. It should be parallel. Note that this change has no effect on what users are able to do, because it only applies to admin users. The password only protects against unlocked workstation attackers, where an attacker gains physical access to an unlocked desktop. It's pretty weird to prevent such an attacker from removing software, but allow installing new stuff. https://pagure.io/fedora-workstation/issue/233 --- policy/org.freedesktop.packagekit.rules | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/policy/org.freedesktop.packagekit.rules b/policy/org.freedesktop.packagekit.rules index 6a1c8a701..95d21925f 100644 --- a/policy/org.freedesktop.packagekit.rules +++ b/policy/org.freedesktop.packagekit.rules @@ -1,5 +1,6 @@ polkit.addRule(function(action, subject) { - if (action.id == "org.freedesktop.packagekit.package-install" && + if ((action.id == "org.freedesktop.packagekit.package-install" || + action.id == "org.freedesktop.packagekit.package-remove") && subject.active == true && subject.local == true && subject.isInGroup("wheel")) { return polkit.Result.YES;