[Mageia-discuss] A possible risk ?

Wed Feb 8 15:57:59 CET 2012

On Wed, 08 Feb 2012, Michael Scherer wrote:
+
+> Le mercredi 08 février 2012 à 08:47 -0300, Renaud (Ron) Olgiati a
+> écrit :
+> > On Wednesday 08 Feb 2012 08:37 my mailbox was graced by a message from Claire 
+> > Robinson who wrote:
+> > > > I ended up installing Mageia 1 on his box, but I wonder why does the
+> > > > distribution allow the user to potentially hose his system, when it
+> > > > requires the root password to install a prog ?
+> > > > Would it not make more sense to ask for the root password for the updates?
+> > 
+> > > It is configurable in MCC. You can find it under Security => Configure 
+> > > authentication for Mageia Tools.
+> > > Just select root for Update.
+> > 
+> > Brilliant, thanks.
+> > 
+> > But would it not make more sense to have the default changed to root ?
+> 
+> That totally miss the point, which is that a upgrade hosed the system.
+> Would requiring the root password have changed that ? I doubt. 
+> 
+> However, if the user cannot do upgrade without asking to someone else
+> ( because that's the whole point of having 2 different passwords, else,
+> that's just a nuisance that will confuse most people ), then he will
+> likely miss security and bugfixes updates, and that's problematic. 
+
+It's not clear if we are talking about installing updates only, or
+upgrading to a new version of the distribution. Installing updates is
+supposed to be safe and can be allowed by default with user password.
+But upgrading to a new distribution is more dangerous and should
+probably only be allowed with root password.
+
+