Re: [Ayatana] Possible security risk with update-manager

To: Scott Kitterman <ubuntu@xxxxxxxxxxxxx>

Subject: Re: [Ayatana] Possible security risk with update-manager

From: "Scott E. Armitage" <launchpad@xxxxxxxxxxxxxxxxxxx>

Date: Tue, 15 Dec 2009 09:21:10 -0500

Cc: Ayatana List <ayatana@xxxxxxxxxxxxxxxxxxx>

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:sender:received:in-reply-to :references:date:x-google-sender-auth:message-id:subject:from:to:cc :content-type; bh=LKiy0vuBVNL3sI4MhEXBv/k+pH+w/sDzCNKKMvPmd8k=; b=WlQUJ9kBCRM1E3yG/SONpQ5MgevEfeMgtaMv40xnU1Gz7x/KRwc9b7rXQlnTykITA2 JbwSgod3e2h0X3EsGAtOi7a+B7F1jZELsVKzDJqz7XvreSYLYy4tj6HM7xe5zDh9H/s/ Mfaz8pBwIMJbVd/B6ZeOQJ5swy0v1CDhtVlJo=

Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type; b=j/mg9S3bY7FsfGoL7eayAXAjCIwUirWqYQzNKLxnLD3CFm3P8ZaebuPLTp35QFxCFg n4FXD1Y5lxr2qpxO2myS0UKEQnVW3rbvIxQwuXVIzxNKp3niX9hZPrB/OEOIi3Ov5iP9 pJLBA2ad2AKAFknrMq2ZZbYzAKQex6DW0/k68=

In-reply-to: <48382-SnapperMsgD8DB99B6C74D456F@75.226.87.75>

List-archive: <http://lists.launchpad.net/ayatana>

List-help: <https://help.launchpad.net/ListHelp>

List-id: <ayatana.lists.launchpad.net>

List-owner: <https://launchpad.net/~ayatana>

List-post: <mailto:ayatana@lists.launchpad.net>

List-subscribe: <https://launchpad.net/~ayatana>

List-unsubscribe: <https://launchpad.net/~ayatana>

References: <b3f53d90911181258u7bc62900v3b696b7401386687@mail.gmail.com> <4B26381B.7040709@canonical.com> <1260867058.2125.102.camel@vish-laptop> <eba6d2300912150115x4ca25233jd29cc6cca82b70a2@mail.gmail.com> <1260870273.2125.116.camel@vish-laptop> <48320-SnapperMsgD8DB99B6C74D3146@75.226.87.75> <6e3476780912150431t1cbba508g2c4d52e848c21c07@mail.gmail.com> <48382-SnapperMsgD8DB99B6C74D456F@75.226.87.75>

Sender: scott.armitage@xxxxxxxxx

Second, the difference is that automated updates would happen no matter what, whereas all an administrator would have to do to prevent other users from installing updates would be to not allow them to access the computer under an administrator account. If an administrator gave another user access to her admin account, then under that scheme, she would be granting that user authorization to install updates.

-S

On Tue, Dec 15, 2009 at 8:53 AM, Scott Kitterman <ubuntu@xxxxxxxxxxxxx> wrote:

On Tue, 15 Dec 2009 07:31:37 -0500 "Scott E. Armitage"
<launchpad@xxxxxxxxxxxxxxxxxxx> wrote:
>I don't think that mac_v is proposing /automated/ updates, so much as he is
>proposing that the current update scheme should not require the
>administrator's password. The administrator would still be notified of new
>updates as they are now, and they would have to decide when to download and
>install the updates, however they would no longer have to confirm their
>administrator status prior to update installation.

How do you confirm adminstrative authorization then? Whether installed by
non-admins or automatically is just a variant of not under the
adminstrator's control.

Scott K

_______________________________________________
Mailing list: https://launchpad.net/~ayatana
Post to : ayatana@xxxxxxxxxxxxxxxxxxx
Unsubscribe : https://launchpad.net/~ayatana
More help : https://help.launchpad.net/ListHelp

--
Scott Armitage, B.A.Sc., M.A.Sc. candidate
Space Flight Laboratory
University of Toronto Institute for Aerospace Studies
4925 Dufferin Street, Toronto, Ontario, Canada, M3H 5T6