[Mageia-discuss] A possible risk ?

Wed Feb 8 16:11:51 CET 2012

On 08/02/12 14:57, nicolas vigier wrote:
+> On Wed, 08 Feb 2012, Michael Scherer wrote:
+>
+>> Le mercredi 08 février 2012 à 08:47 -0300, Renaud (Ron) Olgiati a
+>> écrit :
+>>> On Wednesday 08 Feb 2012 08:37 my mailbox was graced by a message from Claire
+>>> Robinson who wrote:
+>>>>> I ended up installing Mageia 1 on his box, but I wonder why does the
+>>>>> distribution allow the user to potentially hose his system, when it
+>>>>> requires the root password to install a prog ?
+>>>>> Would it not make more sense to ask for the root password for the updates?
+>>>
+>>>> It is configurable in MCC. You can find it under Security =>  Configure
+>>>> authentication for Mageia Tools.
+>>>> Just select root for Update.
+>>>
+>>> Brilliant, thanks.
+>>>
+>>> But would it not make more sense to have the default changed to root ?
+>>
+>> That totally miss the point, which is that a upgrade hosed the system.
+>> Would requiring the root password have changed that ? I doubt.
+>>
+>> However, if the user cannot do upgrade without asking to someone else
+>> ( because that's the whole point of having 2 different passwords, else,
+>> that's just a nuisance that will confuse most people ), then he will
+>> likely miss security and bugfixes updates, and that's problematic.
+>
+> It's not clear if we are talking about installing updates only, or
+> upgrading to a new version of the distribution. Installing updates is
+> supposed to be safe and can be allowed by default with user password.
+> But upgrading to a new distribution is more dangerous and should
+> probably only be allowed with root password.
+>
+
+It should probably be some comfort that we do actually have a root account.
+If this were Ubuntu then it would require a bit more effort to lock down 
+than a choice in MCC :)
+