Description:
Using packagekit through discover and gnome-software, I have the ability to install software from the repositories and to upgrade the system without entering the admin password. This behaviour comes by default from upstream.

To be able to upgrade the system, you don't need anymore than a normal user. It is coded in the following file:

"/usr/share/polkit-1/actions/org.freedesktop.packagekit.policy"
<action id="org.freedesktop.packagekit.system-update">
<!-- SECURITY:
- Normal users do not require admin authentication to update the
system as the packages will be signed, and the action is required
to update the system when unattended.
- Changing this to anything other than 'yes' will break unattended
updates.
-->

To be able to install software from the repositories without the admin password, the user must be in the "wheel" group. It is coded in the following file:
"/usr/share/polkit-1/rules.d/org.freedesktop.packagekit.rules"
polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.packagekit.package-install" &&
subject.active == true && subject.local == true &&
subject.isInGroup("wheel")) {
return polkit.Result.YES;
}
});

Although upstream think that these two options are not security issues, I think that upstream thinks more in terms of ease of use than in terms of security, but that is only my opinion and I am not cualified enough to emit a veredict. I report this because I think that these two options should ask for the admin password by default, giving the option for not asking it only as optional for users/distros that prefer less secure but easier methods.

Sincerely,
Aqa-Ib.

Additional info:
* package version(s): 1.1.3-1

Steps to reproduce:
For upgrading without password:
1. Install discover or gnome-software
2. Upgrade the system using discover or gnome software.

For installing software from the repositories without password:
A. Put your normal user in the wheel group.
B. Install any software from the repositories using discover or gnome software.