[Mageia-discuss] A possible risk ?

Wed Feb 8 17:31:37 CET 2012

On Wed, Feb 8, 2012 at 11:01 AM, Wolfgang Bornath
+<molch.b at googlemail.com> wrote:
+> 2012/2/8 Anne Wilson <annew at kde.org>:
+>> On Wednesday 08 February 2012 15:13:57 Anne Wilson wrote:
+>>> Yes, I have seen postings like "why do I have to use passwords" and
+>>> "why can I not log in KDE as root" more than once. Are these people
+>>> our target group? If so than - have fun! What strikes me is that you
+>>> of all people are advocating a loosening of security with no real
+>>> reason.
+>>
+>> I do not want to have to give the root password to members of my family that
+>> are, frankly, clueless on tech-matters.  At the same time, I do want them to
+>> apply at least security updates.  Being able to accept updates from a trusted
+>> source (direct from Mageia) with only their user password is the safest their
+>> systems can have.
+>
+> I understand the reasons. But you know as well as everybody else that
+> sometimes updates do not work as easy as they should. It could be
+> caused by a faulty mirror or by a glitch in a package (which should
+> not happen but "should not happen" implies "can happen") or whatever
+> other reason. Then your family members will wait for you anyway (in
+> the best case) without knowing what happened - while they could have
+> been happily working or entertaining themselves until you come and do
+> the updates.
+>
+> Apart from the understandable quest to make it easy on the unwashed
+> masses - it is still a security break - see what I have written about
+> the ability of xguest to do updates (while xguest was invented to
+> leave the system without garbage or damage at the end of his/her
+> session).
+>
+> --
+> wobo
+
+A bad update will break your system no matter if you are root or not.
+I think normal users should be able to install updates unless you say
+so in the MCC, but I agree that the xguest user should not be able to
+do so. That, imho, is a bug and should be solved.
+
+-- 
+Diego Bello Carreño
+