[Mageia-discuss] A possible risk ?

andre999 andre999mga at laposte.net
Wed Feb 8 23:11:58 CET 2012


Wolfgang Bornath wrote:
> 2012/2/8 Sander Lepik <sander.lepik at eesti.ee>:
>
>> 08.02.2012 13:47, Renaud (Ron) Olgiati wrote:
>>
>>      
>>> Brilliant, thanks.
>>>
>>> But would it not make more sense to have the default changed to root ?
>>>        
>> Updates shouldn't break the system and so I think they should be enabled for
>> normal users. Upgrades are something else and should be disabled for normal
>> users. You can report a bug about this problem.
>>      
> Last November I set up my normal Mageia system to auto-boot into xguest
> so visitors at the Mageia stand at an exhibition can try out Mageia. I
> was surprised and shocked when I watched the update icon light up and
> the visitor could perform this update as xguest! This IS a risk no
> matter whether an update breaks a system or not. After I saw this the
> first thing I did was su into root and change the permission setting
> for updates.
>
> This is one thing where security was broken for ease of use.
>
>    
I would say that a good way to solve that is to not permit updates from 
an account that doesn't require a password, such as is the case (usually 
if not always) with xguest.

So defaults being
1) release upgrades requiring root password.
2) package updates requiring user password.
3) if current account requires no password, no update.

Wouldn't that satisfy security concerns ?

-- 
André


