From 1be510f9529cb082f802408b472a77d074b394c0 Mon Sep 17 00:00:00 2001 From: Nicolas Vigier Date: Sun, 14 Apr 2013 13:46:12 +0000 Subject: Add zarb MLs html archives --- zarb-ml/mageia-discuss/20120208/006451.html | 95 +++++++++++++++++++++++++++++ 1 file changed, 95 insertions(+) create mode 100644 zarb-ml/mageia-discuss/20120208/006451.html (limited to 'zarb-ml/mageia-discuss/20120208/006451.html') diff --git a/zarb-ml/mageia-discuss/20120208/006451.html b/zarb-ml/mageia-discuss/20120208/006451.html new file mode 100644 index 000000000..3271fb305 --- /dev/null +++ b/zarb-ml/mageia-discuss/20120208/006451.html @@ -0,0 +1,95 @@ + + + + [Mageia-discuss] A possible risk ? + + + + + + + + + +

[Mageia-discuss] A possible risk ?

+ andre999 + andre999mga at laposte.net +
+ Wed Feb 8 23:11:58 CET 2012 +

+
+ +
Wolfgang Bornath a écrit :
+> 2012/2/8 Sander Lepik<sander.lepik at eesti.ee>:
+>    
+>> 08.02.2012 13:47, Renaud (Ron) Olgiati kirjutas:
+>>
+>>      
+>>> Brilliant, thanks.
+>>>
+>>> But would it not make more sense to have the default changed to root ?
+>>>        
+>> Updates shouldn't break system and so i think they should be enabled for
+>> normal users. Upgrades is something else and should be disabled for normal
+>> users. You can report bug about this problem.
+>>      
+> Last November I setup my normal Mageia system to auto-boot into xguest
+> so visitors at the Mageia stand at an exhibition can try out Mageia. I
+> was surpised and shocked when I watched the update icon light up and
+> the visitor could perform this update as xguest! This IS a risk no
+> matter whether an update breaks a system or not. After I saw this the
+> first thing I did was su into root and change the permission setting
+> for updates.
+>
+> This is one thing where security was broken for ease of use.
+>
+>    
+I would say that a good way to solve that is to not permit updates from 
+an account that doesn't require a password, such as is the case (usually 
+if not always) with xguest.
+
+So defaults being
+1) release upgrades requiring root password.
+2) package updates requiring user password.
+3) if current account requires not password, no update.
+
+Wouldn't that satisfy security concerns ?
+
+-- 
+André
+
+
+ + + +
+

+ +
+More information about the Mageia-discuss +mailing list
+ -- cgit v1.2.1
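Review bot: The author line at the top of the archived message ("andre999mga at laposte.net") and the quoted attribution line ("sander.lepik at eesti.ee") commit posters' e-mail addresses to the repository with only the " at " substitution, which is trivially reversed and cannot easily be withdrawn once it is in git history. Consider masking or dropping the address part during import and keeping only the display name. The commit message is also a bare subject with no body; one line stating where the zarb archives were exported from and how the HTML was produced would make the import auditable.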