Fedora 12 Lets Users Install Signed Packages, Sans Root Privileges

eqisow writes "The new default policy for Fedora 12 allows local, unprivileged users to install signed packages without root access. This change apparently went mostly unnoticed until after the Fedora 12 GA release, at which point it sparked a mailing list thread that is, as of this writing, over 100 posts long."

User-level package manager

[EvanED]

What I want is a package manager that will do installation to my own home directory -- basically the same as downloading the source and running './configure --prefix=$HOME/whatever && make install' but without the complete bitchness of dependency hell -- without any root privileges at all. Anyone know of one?

Potential worm exploit

[crow]

Suppose someone wrote a worm that could get access to the system as a user. Then all they need is to find a signed package with a privilege-escalation bug, and whether it's installed or not, the malware could exploit it, gaining root access.

But apart from that, I can see where this would be nice from a single-user system standpoint.

Re:Developers vs. Sysadmins

[HangingChad]

After working as a sysadmin for 10+ years for several groups of Linux software devs, I realized that devs don't make good sysadmins, and vice-versa (in general).

We did okay in our office. We let the dev's admin their own machines and an actual sysadmin, like yourself, run the production environment. For the desktops users put in an install request and we installed the software for them. It wasn't that hard, we didn't get a lot of requests.

I don't see the conflict myself. Just by running CentOS dev machines and Ubuntu for commodity desktops, we were light years ahead on security without even doing a lot. As long as no one is staying logged in as root, there are much easier targets. It's kind of like the bear joke. We don't have to have bear proof security, just better security than the company next door.

Re:sounds good to me

[Lord+Bitman]

this basically means "I allow you to install any package which I have signed. You don't need to log in as a more-powerful user to do so, because I have already pre-approved this action, just as if I added the specific command to the sudoers file with no password"
The default signature is that of redhat, but there's no reason to expect the same technique couldn't be used for other signatures. Sounds like a good idea, especially for a corporate environment (single deployment, but if some people need to install Eclipse, they don't need to contact support to do so)

The next step along the line is to tie this into the existing "that command doesn't exist, install Foo to use it", to turn that into "Foo isn't installed, do you want to install it?" and a (sorry) windows-style "how recently was this used?"/auto-remove-during-updates and make the whole operating system feel entirely seamless in terms of application usage.

This is a good thing.

Re:This makes sense

[Nick+Ives]

Sudo doesn't take your root password, it takes your password. Also, I'm not aware that anybody with a clue has complained about UAC whilst cheering about sudo. UAC is actually a step up from sudo because it uses a secure input driver to stop a programme clicking OK automatically whereas with sudo there's no equivalent protection from keyloggers.

The only real advantage of sudo over UAC is that you can user sudoers to limit which executables normal users can run whereas with UAC you either have admin rights for everything or nothing, although I suspect you can mess around with user rights in Windows to give much finer grained capability permission.

The only issue with UAC is how annoying the prompts can be and that's because of badly written software that assumes it has to have full admin rights. UAC prompts happen less these days though.

So yea, at least check the facts before posting. Must troll harder!