Bug#1120489: gnome-software: allows non-admins to install updates

Jeremy Bícha jbicha at debian.org
Mon Nov 10 22:53:30 GMT 2025


Source: gnome-software
Version: 48.3-2
Severity: important
Tags: trixie forky sid
X-Debbugs-CC: raphael.halimi at gmail.com, packagekit at packages.debian.org
Control: affects -1 src:packagekit

Test Case Prerequisites
=======================
Install Debian 13 GNOME

The install also needs to have a non-administrator user who is not a
member of the sudo group. This is created for you if you chose to
install using a root password and did not otherwise configure the user
account. Otherwise, you can create this account with the GNOME
Settings app. In the right sidebar, click System, then Users. Unlock.
Add User. Keep the Administrator option off.

This install needs to not have the latest updates applied.

Test Case 1
===========
Log into the non-admin user account.
Open a terminal and run these 2 commands:
pkcon refresh
pkcon update

pkcon refresh works, but pkcon update won't apply the updates unless
you authenticate with an admin account.

Test Case 2
===========
Log into the non-admin user account.
Open the GNOME Software app
Switch to the Update tab. Click Download. Once that completes, click
Restart & Update…

What Happens
============
After the restart at the end of Test Case 2, packagekit installs the
updates in offline mode, then restarts to return you to the login
screen. This includes installing packages if needed and apparently
removing packages if needed too.

/var/log/apt/history.log shows something like this (Debian Testing
installing last night's updates):

Start-Date: 2025-11-10  12:07:08
Commandline: packagekit role='update-packages'
Install: libdisplay-info3:amd64 (0.3.0-1, automatic)
Upgrade: libmm-glib0:amd64 (1.24.2-1, 1.24.2-2),
mutter-common-bin:amd64 (49.1.1-2, 49.1.1-2+b1), wpasupplicant:amd64
(2:2.10-24+b1, 2:2.10-25), modemmanager:amd64 (1.24.2-1, 1.24.2-2),
libldb2:amd64 (2:2.11.0+samba4.23.2+dfsg-1,
2:2.11.0+samba4.23.3+dfsg-1), libgtksourceview-5-common:amd64
(5.18.0-1, 5.18.0-2), libmutter-17-0:amd64 (49.1.1-2, 49.1.1-2+b1),
libwbclient0:amd64 (2:4.23.2+dfsg-1, 2:4.23.3+dfsg-1),
dracut-install:amd64 (108-8, 109-1), power-profiles-daemon:amd64
(0.30-1.1, 0.30-2), libsmbclient0:amd64 (2:4.23.2+dfsg-1,
2:4.23.3+dfsg-1), gir1.2-mutter-17:amd64 (49.1.1-2, 49.1.1-2+b1),
libtdb1:amd64 (2:1.4.14+samba4.23.2+dfsg-1,
2:1.4.14+samba4.23.3+dfsg-1), libcrypt1:amd64 (1:4.4.38-1, 1:4.5.1-1),
libgtksourceview-5-0:amd64 (5.18.0-1, 5.18.0-2), libtevent0t64:amd64
(2:0.17.1+samba4.23.2+dfsg-1, 2:0.17.1+samba4.23.3+dfsg-1),
samba-libs:amd64 (2:4.23.2+dfsg-1, 2:4.23.3+dfsg-1), libtalloc2:amd64
(2:2.4.3+samba4.23.2+dfsg-1, 2:2.4.3+samba4.23.3+dfsg-1)
End-Date: 2025-11-10  12:07:15

Other Info
==========
It feels like gnome-software is circumventing the intent of Debian's
packagekit packaging which patches
/usr/share/polkit-1/actions/org.freedesktop.packagekit.policy
so that org.freedesktop.packagekit.system-update
is set to auth_admin_keep instead of yes
so that admin privileges are required for this action.

I haven't dug into the gnome-software source to figure out what it's
doing differently.

My initial thinking is that this is not a security issue because, as
the PolicyKit file points out, these should be signed package updates.
Other actions like enabling or disabling package repositories do
require admin authentication.

This issue was originally reported as https://bugs.debian.org/1117973
but I split it into a separate issue for clarity.

Thanks,
Jeremy Bícha
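The report above hinges on what Debian's patched policy file says for
org.freedesktop.packagekit.system-update versus what PackageKit's other
actions allow an active local session to do. The script below is an
added example for checking that on a running system; it is not part of
the bug report, of gnome-software, or of Debian's packagekit packaging.
It parses a polkit .policy file and prints the implicit-authorization
defaults (allow_any / allow_inactive / allow_active) for every action,
flagging any whose allow_active is "yes", i.e. actions a logged-in
non-admin can perform without authenticating. If the real PackageKit
policy file is not present it falls back to a constructed sample; the
action ids in that sample other than system-update are stand-ins under
org.example, not PackageKit's real ids.

```python
#!/usr/bin/env python3
"""Audit the implicit-authorization defaults in a polkit .policy file.

Added example, not code from the bug report or from Debian/PackageKit.
"""
import os
import sys
import xml.etree.ElementTree as ET

# Path named in the bug report; overridable on the command line.
POLICY_PATH = "/usr/share/polkit-1/actions/org.freedesktop.packagekit.policy"

# Constructed sample in the shape of a polkit .policy file. Only the
# system-update id is real; the org.example ids are stand-ins.
SAMPLE_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<policyconfig>
  <vendor>Constructed sample</vendor>
  <action id="org.freedesktop.packagekit.system-update">
    <description>Update packages</description>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
  <action id="org.example.packagekit.trigger-offline-update">
    <description>Stand-in action that needs no authentication</description>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.example.packagekit.repo-configure">
    <description>Stand-in action that requires admin authentication</description>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin</allow_active>
    </defaults>
  </action>
</policyconfig>
"""

# polkit keyword meaning "allowed with no authentication at all".
UNAUTHENTICATED = {"yes"}


def parse_policy(xml_text):
    """Map each action id to its {"any", "inactive", "active"} defaults."""
    root = ET.fromstring(xml_text)
    actions = {}
    for action in root.iter("action"):
        defaults = action.find("defaults")
        entry = {}
        for key in ("any", "inactive", "active"):
            node = defaults.find(f"allow_{key}") if defaults is not None else None
            # polkit treats a missing <allow_*> element as "no".
            entry[key] = node.text.strip() if node is not None and node.text else "no"
        actions[action.get("id")] = entry
    return actions


def unauthenticated_actions(actions):
    """Action ids an active local session may invoke without authenticating."""
    return sorted(a for a, d in actions.items() if d["active"] in UNAUTHENTICATED)


def audit(path=POLICY_PATH):
    """Print a per-action report and return the flagged action ids."""
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            text, source = fh.read(), path
    else:
        text, source = SAMPLE_POLICY, "constructed sample (policy file not found)"
    actions = parse_policy(text)
    print(f"# {source}")
    for action_id, d in sorted(actions.items()):
        flag = "  <-- no authentication for active session" if d["active"] in UNAUTHENTICATED else ""
        print(f"{action_id}: any={d['any']} inactive={d['inactive']} active={d['active']}{flag}")
    return unauthenticated_actions(actions)


if __name__ == "__main__":
    flagged = audit(sys.argv[1] if len(sys.argv) > 1 else POLICY_PATH)
    sys.exit(1 if flagged else 0)
```

Two caveats when reading the output: the .policy defaults are only the
baseline, since rules under /etc/polkit-1/rules.d can override them, so
the authoritative answer for one action on a given machine comes from
`pkaction --verbose --action-id org.freedesktop.packagekit.system-update`
(which prints the implicit authorizations polkit will actually use);
and, as the report's Test Case 2 shows, an action other than
system-update may be the one gnome-software exercises, so the whole
list is worth reading, not just the system-update line.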


