I have a CentOS 8 system on which I want the user to be able to install RPMs. I plan on doing something like the following in the sudoers file:

username ALL = NOPASSWD : /usr/bin/dnf

However, obviously this has security implications. I would like to configure dnf to only allow rpm installs that are signed with my key. Therefore the user can use dnf to install only the RPMs I provide.

Is this possible? If so, is there a dnf flag that could ignore this setting (and therefore defeat this purpose)? I'm looking in the dnf configuration but I can't tell if what I am reading will accomplish what I want.

My fallback is to create a standalone program to do this, and only allow sudo access to that program, but I would prefer to not add another application to the system.

Thank you for your help

AAG

1 Answer

You can remove all but your GPG keys from the system (rpm -qa |grep pubkey) and, in dnf.conf, set gpgcheck and localpkg_gpgcheck to true and set gpgkey to your key. This will work for most casual users.

As a bonus, I will provide the answer for your users on how to work around it:

  • pass --nogpgcheck to dnf
  • use --setopt to disable all the settings above
  • simply answer yes when DNF prompts you to install a new GPG key
msuchy
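The standalone wrapper the question mentions as a fallback, as an added example that is not from the original question or answer: it refuses every dnf option (so the --nogpgcheck and --setopt workarounds listed above never reach dnf) and verifies each package against a dedicated keyring before installing. The script path, the KEYDB location and the exit codes are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: hypothetical wrapper
# (e.g. /usr/local/sbin/install-signed-rpm) to list in sudoers instead of dnf.
# KEYDB is an assumed rpm database directory holding ONLY the admin's key,
# created once with: rpmkeys --dbpath "$KEYDB" --import <your-public-key-file>
KEYDB=/etc/signed-rpm/keydb

# Accept only absolute paths ending in .rpm. Options such as --nogpgcheck or
# --setopt, relative paths and URLs are refused, so they never reach dnf.
valid_arg() {
    case "$1" in
        /*.rpm) return 0 ;;
        *) return 1 ;;
    esac
}

# rpmkeys --checksig also exits 0 for an UNSIGNED package ("digests OK"), so
# the exit status alone proves nothing: require the text rpm 4.14 (CentOS 8)
# prints when a signature was present and verified against a key in KEYDB.
sig_ok() {
    case "$1" in
        *": digests signatures OK") return 0 ;;
        *) return 1 ;;
    esac
}

main() {
    PATH=/usr/sbin:/usr/bin; export PATH
    umask 077
    tmp=$(mktemp -d) || exit 1
    trap 'rm -rf "$tmp"' EXIT
    n=0
    for f in "$@"; do
        valid_arg "$f" || { echo "refused argument: $f" >&2; exit 2; }
        n=$((n + 1))
        # Verify and install a root-owned copy, so the caller cannot swap the
        # file between the signature check and the install.
        cp -- "$f" "$tmp/pkg$n.rpm" || exit 1
        out=$(rpmkeys --dbpath "$KEYDB" --checksig "$tmp/pkg$n.rpm" 2>&1) || true
        sig_ok "$out" || { echo "not signed by a trusted key: $f" >&2; exit 3; }
    done
    dnf -y install "$tmp"/pkg*.rpm
}

# Run only when package paths are given (keeps the functions testable).
if [ "$#" -gt 0 ]; then main "$@"; fi
```

In sudoers the entry then names this script instead of /usr/bin/dnf; dependencies are still resolved from the repositories root has configured, under those repositories' own gpgcheck settings.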