[Mageia-discuss] A possible risk ?

Wolfgang Bornath molch.b at googlemail.com
Wed Feb 8 16:13:57 CET 2012


2012/2/8 Michael Scherer <misc at zarb.org>:
> On Wednesday 08 February 2012 at 14:02 +0100, Wolfgang Bornath wrote:
>> 2012/2/8 Michael Scherer <misc at zarb.org>:
>> > On Wednesday 08 February 2012 at 08:47 -0300, Renaud (Ron) Olgiati
>> > wrote:
>> >> On Wednesday 08 Feb 2012 08:37 my mailbox was graced by a message from Claire
>> >> Robinson who wrote:
>> >> > > I ended up installing Mageia 1 on his box, but I wonder why does the
>> >> > > distribution allow the user to potentially hose his system, when it
>> >> > > requires the root password to install a prog?
>> >> > > Would it not make more sense to ask for the root password for the updates?
>> >>
>> >> > It is configurable in MCC. You can find it under Security => Configure
>> >> > authentication for Mageia Tools.
>> >> > Just select root for Update.
>> >>
>> >> Brilliant, thanks.
>> >>
>> >> But would it not make more sense to have the default changed to root?
>> >
>> > That totally misses the point, which is that an upgrade hosed the system.
>> > Would requiring the root password have changed that? I doubt it.
>>
>> No. What you are pointing at (the breakage of the system) is a matter
>> to be looked at.
>
> In fact, the breakage is not our call, since this is on Mandriva.

Maybe, maybe not - depends on the reasons why this upgrade went bad.
Pls remove the blinds.

>> But the point you are missing is the security breakage.  If a user
>> does not have the root password then there is a reason for that and he
>> is probably working in an environment where only dedicated people have
>> the permission to do system management and it is their task to do
>> updates.
>
> Then in such an environment, the sysadmin will set it so only he can do
> updates. If there is an admin, we should assume that he knows what to do,
> and restrict it accordingly, using the tools as explained by Claire.

No, it has been different for years and everybody was happy with the
setup except those who are too lazy to use passwords at all.

>> A private user who is on his own usually has the root
>> password. So your point of missing security updates because of 2
>> passwords is not valid.
>
> What part of "having to keep 2 passwords is more complex than having one"
> is wrong? I have seen lots of people even asking to remove all
> passwords since they do not care, so having 2 is just worse.

Yes, I have seen postings like "why do I have to use passwords" and
"why can I not log in KDE as root" more than once. Are these people
our target group? If so then - have fun! What strikes me is that you
of all people are advocating a loosening of security with no real
reason.

-- 
wobo

