[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Ayatana] Possible security risk with update-manager



2009/12/15 mac_v <drkvi-a@xxxxxxxxx>:
> If someone other than the user is having access to a user account ,
> there are bigger concerns than the guest updating the system.
>

Sure, but the topic of conversation is update manager, not "local
access is bad, all bets are off".

> The guest[in this case the child] could delete important work files and
> do more damage.

Sure they could, but again the topic is Update Manager and whether
operation of it should require an authentication token.

> Why is updating harmful?

I can think of a few reasons:-

1) I'm in the middle of work and don't want firefox to become unstable
as it does after an update
2) I'm running current_stable_release-1 and don't want someone to hit
the "There's a new release available, upgrade!" to take me to the next
release
3) I am running a development release and want to be careful about
which updates I put in as I am testing.
4) After an update I don't want a dialog box kicking around in the
middle of my screen offering to "Reboot now" with a 3 year old kid at
the wheel.

Whilst this isn't a usual scenario, yes I should lock my machine, the
whole point of using a password on Update Manager for me is to prevent
someone other than the system admin (whoever that is) from doing "bad
things" to the _system_, not my data.

> Well , parental control is a different issue. But when we are dealing
> with user accounts  , why bother users for passwords.
>

I'm not saying parental controls is the prime driver, I was merely
using that as an example of a non admin user wanting a system level
change to the computer, and the authentication being done without
having to:-

a) switch to another logon (time consuming, resource intensive)
b) switch to a console (not friendly)

Cheers,
Al.