1 files changed, 32 insertions, 0 deletions

diff --git a/package-remove-password-prompt.patch b/package-remove-password-prompt.patch
new file mode 100644
index 0000000..3cda368
--- /dev/null
+++ b/package-remove-password-prompt.patch
@@ -0,0 +1,32 @@
+From 8914e11968a934faa651311fd98a98a3a19218ae Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@gnome.org>
+Date: Wed, 3 Jun 2020 10:45:12 -0500
+Subject: [PATCH] Allow admin users to remove packages without password prompt
+
+A local, active admin user can install packages without a password
+prompt, but has to enter the admin password to remove packages. This
+doesn't make much sense. It should be parallel.
+
+Note that this change has no effect on what users are able to do,
+because it only applies to admin users. The password only protects
+against unlocked workstation attackers, where an attacker gains physical
+access to an unlocked desktop. It's pretty weird to prevent such an
+attacker from removing software, but allow installing new stuff.
+
+https://pagure.io/fedora-workstation/issue/233
+---
+ policy/org.freedesktop.packagekit.rules | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/policy/org.freedesktop.packagekit.rules b/policy/org.freedesktop.packagekit.rules
+index 6a1c8a701..95d21925f 100644
+--- a/policy/org.freedesktop.packagekit.rules
++++ b/policy/org.freedesktop.packagekit.rules
+@@ -1,5 +1,6 @@
+ polkit.addRule(function(action, subject) {
+-    if (action.id == "org.freedesktop.packagekit.package-install" &&
++    if ((action.id == "org.freedesktop.packagekit.package-install" ||
++         action.id == "org.freedesktop.packagekit.package-remove") &&
+         subject.active == true && subject.local == true &&
+         subject.isInGroup("wheel")) {
+             return polkit.Result.YES;