[Mageia-discuss] A possible risk ?

Claire Robinson eeeemail at gmail.com
Wed Feb 8 16:11:51 CET 2012


On 08/02/12 14:57, nicolas vigier wrote:
> On Wed, 08 Feb 2012, Michael Scherer wrote:
>
>> On Wednesday 08 February 2012 at 08:47 -0300, Renaud (Ron) Olgiati
>> wrote:
>>> On Wednesday 08 Feb 2012 08:37 my mailbox was graced by a message from Claire
>>> Robinson who wrote:
>>>>> I ended up installing Mageia 1 on his box, but I wonder why does the
>>>>> distribution allow the user to potentially hose his system, when it
>>>>> requires the root password to install a prog ?
>>>>> Would it not make more sense to ask for the root password for the updates?
>>>
>>>> It is configurable in MCC. You can find it under Security =>  Configure
>>>> authentication for Mageia Tools.
>>>> Just select root for Update.
>>>
>>> Brilliant, thanks.
>>>
>>> But would it not make more sense to have the default changed to root ?
>>
>> That totally misses the point, which is that an upgrade hosed the system.
>> Would requiring the root password have changed that? I doubt it.
>>
>> However, if the user cannot do an upgrade without asking someone else
>> (because that's the whole point of having 2 different passwords, else,
>> that's just a nuisance that will confuse most people), then he will
>> likely miss security and bugfix updates, and that's problematic.
>
> It's not clear if we are talking about installing updates only, or
> upgrading to a new version of the distribution. Installing updates is
> supposed to be safe and can be allowed by default with user password.
> But upgrading to a new distribution is more dangerous and should
> probably only be allowed with root password.
>

It should probably be some comfort that we do actually have a root account.
If this were Ubuntu then it would require a bit more effort to lock down 
than a choice in MCC :)

