Source: gnome-software
Version: 48.3-2
Severity: important
Tags: trixie forky sid
X-Debbugs-CC: [email protected], [email protected]
Control: affects -1 src:packagekit
Test Case Prerequisites
=======================

Install Debian 13 GNOME.

The install also needs to have a non-administrator user who is not a member of the sudo group. This is created for you if you chose to install using a root password and did not otherwise configure the user account. Otherwise, you can create this account with the GNOME Settings app: in the right sidebar, click System, then Users. Unlock. Add User. Keep the Administrator option off.

This install needs to not have the latest updates applied.

Test Case 1
===========

Log into the non-admin user account.

Open a terminal and run these 2 commands:

pkcon refresh
pkcon update

pkcon refresh works, but pkcon update won't be able to apply unless you authenticate with an admin account.

Test Case 2
===========

Log into the non-admin user account.

Open the GNOME Software app.

Switch to the Update tab. Click Download. Once that completes, click Restart & Update…

What Happens
============

After the restart in Test Case 2, packagekit installs the updates in offline mode, then restarts to return you to the login screen. This includes installing packages if needed and apparently removing packages if needed too.
/var/log/apt/history.log shows something like this (Debian Testing installing last night's updates):

Start-Date: 2025-11-10 12:07:08
Commandline: packagekit role='update-packages'
Install: libdisplay-info3:amd64 (0.3.0-1, automatic)
Upgrade: libmm-glib0:amd64 (1.24.2-1, 1.24.2-2), mutter-common-bin:amd64 (49.1.1-2, 49.1.1-2+b1), wpasupplicant:amd64 (2:2.10-24+b1, 2:2.10-25), modemmanager:amd64 (1.24.2-1, 1.24.2-2), libldb2:amd64 (2:2.11.0+samba4.23.2+dfsg-1, 2:2.11.0+samba4.23.3+dfsg-1), libgtksourceview-5-common:amd64 (5.18.0-1, 5.18.0-2), libmutter-17-0:amd64 (49.1.1-2, 49.1.1-2+b1), libwbclient0:amd64 (2:4.23.2+dfsg-1, 2:4.23.3+dfsg-1), dracut-install:amd64 (108-8, 109-1), power-profiles-daemon:amd64 (0.30-1.1, 0.30-2), libsmbclient0:amd64 (2:4.23.2+dfsg-1, 2:4.23.3+dfsg-1), gir1.2-mutter-17:amd64 (49.1.1-2, 49.1.1-2+b1), libtdb1:amd64 (2:1.4.14+samba4.23.2+dfsg-1, 2:1.4.14+samba4.23.3+dfsg-1), libcrypt1:amd64 (1:4.4.38-1, 1:4.5.1-1), libgtksourceview-5-0:amd64 (5.18.0-1, 5.18.0-2), libtevent0t64:amd64 (2:0.17.1+samba4.23.2+dfsg-1, 2:0.17.1+samba4.23.3+dfsg-1), samba-libs:amd64 (2:4.23.2+dfsg-1, 2:4.23.3+dfsg-1), libtalloc2:amd64 (2:2.4.3+samba4.23.2+dfsg-1, 2:2.4.3+samba4.23.3+dfsg-1)
End-Date: 2025-11-10 12:07:15

Other Info
==========

It feels like gnome-software is circumventing the intent of Debian's packagekit packaging, which patches /usr/share/polkit-1/actions/org.freedesktop.packagekit.policy so that org.freedesktop.packagekit.system-update is set to auth_admin_keep instead of yes, so that admin privileges are required for this action. I haven't dug into the gnome-software source to figure out what it's doing differently.

My initial thinking is that this is not a security issue because, as the PolicyKit file points out, these should be signed package updates. Other actions like enabling or disabling package repositories do require admin authentication.
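As an added example (not part of this bug report, gnome-software or packagekit), the following script reads a polkit .policy file in the format used by /usr/share/polkit-1/actions/org.freedesktop.packagekit.policy and reports which implicit authorization level an active local session gets for each action. It lets an administrator confirm whether the Debian patch described above (system-update at auth_admin_keep rather than yes) is actually present in the installed file. The embedded SAMPLE_POLICY is constructed here to mirror that patched state; the function names (implicit_auths, active_level, needs_admin_auth, report) and the second action id in the sample are illustrative assumptions, not taken from the packages.

```python
"""Report polkit implicit authorizations declared in a .policy file.

Added illustration for this report; not code from gnome-software or PackageKit.
Usage: python3 check_policy.py [/usr/share/polkit-1/actions/org.freedesktop.packagekit.policy]
Without a path it runs against the constructed SAMPLE_POLICY below.
"""
import sys
import xml.etree.ElementTree as ET

SYSTEM_UPDATE = "org.freedesktop.packagekit.system-update"

# Levels that require an administrator to authenticate (auth_admin_keep caches
# the authorization for a short time; auth_admin asks every time).
ADMIN_LEVELS = {"auth_admin", "auth_admin_keep"}

# Constructed sample policy: system-update as the Debian patch sets it, plus a
# second (illustrative) action that always needs admin authentication.
SAMPLE_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<policyconfig>
  <action id="org.freedesktop.packagekit.system-update">
    <description>Update packages</description>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
  <action id="org.freedesktop.packagekit.system-sources-configure">
    <description>Change software repositories</description>
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin</allow_active>
    </defaults>
  </action>
</policyconfig>
"""


def implicit_auths(policy_xml):
    """Map each action id to its declared defaults, e.g.
    {"allow_any": "no", "allow_inactive": "no", "allow_active": "auth_admin_keep"}."""
    root = ET.fromstring(policy_xml)
    auths = {}
    for action in root.iter("action"):
        defaults = action.find("defaults")
        if defaults is None:
            continue  # an action with no <defaults> grants nothing implicitly
        auths[action.get("id")] = {
            child.tag: (child.text or "").strip() for child in defaults
        }
    return auths


def active_level(policy_xml, action_id):
    """The allow_active level (what a logged-in local session gets) for one action.
    Raises KeyError if the action or its allow_active default is absent."""
    return implicit_auths(policy_xml)[action_id]["allow_active"]


def needs_admin_auth(policy_xml, action_id):
    """True when the declared default for an active session is auth_admin or auth_admin_keep."""
    return active_level(policy_xml, action_id) in ADMIN_LEVELS


def report(policy_xml):
    """One line per action: id, active-session level, and a flag for levels
    weaker than admin authentication (yes, auth_self, auth_self_keep)."""
    lines = []
    for action_id, levels in implicit_auths(policy_xml).items():
        level = levels.get("allow_active", "<missing>")
        flag = "" if level in ADMIN_LEVELS or level == "no" else "  <-- no admin auth required"
        lines.append(f"{action_id}: allow_active={level}{flag}")
    return lines


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_POLICY
    print("\n".join(report(text)))
```

This reads only the declared defaults in the .policy file; a rule in /etc/polkit-1/rules.d or a localauthority configuration can override them, so cross-check the effective value with `pkaction --verbose --action-id org.freedesktop.packagekit.system-update` on the affected machine. Note too that the report above leaves open whether gnome-software's offline-update path uses this action at all; the script only tells you what the file on disk requires.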
This issue was originally reported as https://bugs.debian.org/1117973 but I split it into a separate issue for clarity.

Thanks,
Jeremy Bícha

