KDE's Discover app allows installing software without root privileges

I have my user who can run sudo, which requires typing in a password.

When I run pamac or yay – it asks for a password. But I actually never use pamac, only yay and pacman.

Flatpak allows installing software without root access, and that’s by design I guess.

I have installed Discover, to be able to search Flatpak apps.
But it also is able to search for Manjaro repositories.
I have recently searched it for KMail, and it isn’t available as Flatpak, only from the Manjaro repo.
But when I click to install it – it didn’t ask for a password – it installed it right away.

It also installs superfast, I believe bypassing Timeshift snapshots and Grub hooks.

BUT when you remove app via Discover it asks for password!

That’s inconsistent and unsafe.
Looks like a way for privilege escalation. Is it suid? (I guess it is calling something via DBus which has root privileges.)


Moderator edit: Removed useless screenshot

Don’t use it for that.

Warning: PackageKit opens up system permissions by default, and is otherwise not recommended for general usage. See FS#50459 and FS#57943.

pacman/Tips and tricks - ArchWiki

Note: I moved your topic from Feature Request to Software & Applications as you’re asking for support, not requesting a feature.

That it is. Don't use packagekit for package management.
For this reason and more.


Actually I am asking this default behavior to be changed, as it presents security risk.

But won’t I break my system if I uninstall packagekit? is it even possible?

Manjaro cannot change how packagekit works. It's up to you or your system administrator to decide whether it is included with the system.

What? It's an entirely optional package.
No, you do not need it.
No, important things will not break without it.

discover, deepin-store and apper all use it for package management … but none of those things are considered safe. (Read as: do not use any of those things, or packagekit in any way, for package management. Just don't.)

Actually, in the case of discover … it is an optional dep - discover can be installed and used for its other functions including fwupd and addons from store.kde.org.

You’re barking up the wrong tree. That would be an issue you would need to take up with upstream. I’m sure it’s already been addressed. There’s nothing Arch or Manjaro can do about it. Why do you think Arch has that disclaimer in the wiki?

Yeah, looks like it.

Arch/Manjaro don’t patch upstream packages?

What I have noticed in /usr/share/polkit-1/actions/org.freedesktop.packagekit.policy is that this behavior should be only for the system-update action. Looks like a bug in polkit.

Sadly I have no idea how all this DBus stuff works.

Thanks everybody for answers. I have removed packagekit and discover!
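The polkit policy file mentioned above decides which PackageKit actions an active local session gets without a password: an `<allow_active>yes</allow_active>` entry means no authentication prompt. The following is an added example (not from this thread, not part of PackageKit or Manjaro) that audits such a policy file and lists the actions granted without authentication. It reads the real path from the post when it exists and otherwise falls back to a constructed sample policy embedded in the script; the sample's action ids and values are made up for illustration and do not claim to reflect the real file.

```shell
#!/bin/sh
# Added example: audit a polkit .policy file for actions an active local
# session gets with no authentication (<allow_active>yes</allow_active>).

# Constructed sample policy (NOT the real PackageKit file); used when the
# real policy path is not readable on this machine.
SAMPLE_POLICY='<?xml version="1.0" encoding="UTF-8"?>
<policyconfig>
  <action id="org.freedesktop.packagekit.system-update">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.freedesktop.packagekit.package-install">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
</policyconfig>'

# audit_policy FILE: print one "action_id<TAB>allow_active" line per action.
# The awk program remembers the last <action id="..."> seen and pairs it
# with the next <allow_active> value.
audit_policy() {
    awk '
        /<action id="/ {
            id = $0
            sub(/.*<action id="/, "", id)
            sub(/".*/, "", id)
        }
        /<allow_active>/ {
            v = $0
            sub(/.*<allow_active>/, "", v)
            sub(/<\/allow_active>.*/, "", v)
            print id "\t" v
        }
    ' "$1"
}

# passwordless_actions FILE: only the action ids whose allow_active is "yes",
# i.e. the ones a logged-in desktop user can trigger with no password.
passwordless_actions() {
    audit_policy "$1" | awk -F'\t' '$2 == "yes" { print $1 }'
}

# Stand-alone use: audit the real PackageKit policy if present, else the sample.
POLICY="${1:-/usr/share/polkit-1/actions/org.freedesktop.packagekit.policy}"
if [ ! -r "$POLICY" ]; then
    POLICY="$(mktemp)"
    printf '%s\n' "$SAMPLE_POLICY" > "$POLICY"
    echo "# real policy not readable; auditing the constructed sample instead"
fi
echo "# full allow_active table for $POLICY:"
audit_policy "$POLICY"
echo "# actions granted to an active session without authentication:"
passwordless_actions "$POLICY"
```

Run it as `sh audit-polkit.sh` (or pass another `.policy` path as the first argument) and compare the second list against what you expect to be password-free; on the constructed sample only `system-update` appears there, which is the behaviour the post above expected from the real file.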

Not normally, no. Arch follows upstream and most packages are “vanilla”. Any patches that are used normally are directly from upstream to address security issues ahead of a pending upstream release.

:+1:

Only use Discover to update themes, icons, etc. A good rule of thumb is to install Topgrade, use it for your updates, and after updating launch Discover and see if there are any theme components that need updating.
