unity-design team mailing list archive

Re: Possible security risk with update-manager

On Tuesday 15,December,2009 10:58 PM, mac_v wrote:
>[...]
> With PolicyKit we can set up the admin account to be granted access to
> admin privileges without password prompts [ex: mounting internal
> drives]; similar can probably be done for updates.
> 
> The present policy of asking for a password isn't really very ideal for a
> non-tech user.
> The user just doesn't know or understand what the updates are for and
> installs the updates blindly. Asking for a password doesn't solve anything
> here.
> 
> For the users who know about the update, they check and install the
> update. Prompting for the password isn't solving anything here either.
> 
> So, prompting for passwords in the common user scenarios isn't solving
> anything.
> So why are we prompting for passwords? How is the present behavior
> helping or solving anything, or ensuring better security of the
> system?
I can't speak for anyone else here, but I am personally not comfortable at all
with the idea of the ability to make system-wide changes without requiring my
password. I believe it was mentioned earlier in this thread that in real life,
people do walk away from their computers without locking their screens. In the
event that I do walk away from my computer without locking my screen, I'd like
the possible/probable damage of someone randomly clicking around minimized.
> 
> Or are you asking how we can confirm that the user using the admin
> account is actually the admin and not a guest user?
> 
> This is a scenario where the admin trusts the guest enough to use the
> admin account and doesn't mind.
I trust my guests to use my account with administrative privileges for short
periods of time as long as privilege escalation still requires my password as it
does now. But if it doesn't, I *DO* mind, and I don't believe I'm the only one
who feels this way.
> 
> Or if the user is concerned about guests installing the updates, they
> could just remove the PolicyKit rule and always be prompted for
> passwords.
In other words, you're proposing passwordless privilege escalation by
default, and I believe this is foolish. How far do you want to chip away at
Ubuntu's security model before you are satisfied that it is usable enough?
Usability and security have always been and will probably continue to always be
at odds with each other. If we continue forsaking security for usability, we'll
eventually have something akin to Windows in terms of security. If Ubuntu ever
comes to this, I certainly hope I'm not around to see it.

-- 
Kind regards,
Chow Loong Jin

Attachment: signature.asc
Description: OpenPGP digital signature
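For readers who want to see what the rule being argued about actually looks like, here is an added configuration example in the PolicyKit "local authority" .pkla format that Ubuntu used at the time (files under /etc/polkit-1/localauthority/50-local.d/). It is not part of the thread and was not written by either poster. The first stanza is the passwordless grant mac_v describes; the second is the hardened form that keeps the admin prompt Chow Loong Jin wants. The action id org.debian.apt.upgrade-packages is an assumption (it is the aptdaemon action for package upgrades; the update-manager of the day may have gone through a different action), and the file name is a constructed example.

```ini
; Constructed example: /etc/polkit-1/localauthority/50-local.d/10-updates.pkla
; Each stanza overrides the implicit authorizations shipped in the action's
; .policy file. Result values: yes, no, auth_self, auth_self_keep,
; auth_admin, auth_admin_keep.

; --- Weak setting (the proposal in the thread) ---------------------------
; Anyone in the admin group at an active local console gets package
; upgrades with NO password prompt. Whoever sits at the unlocked screen
; inherits this, which is exactly the walk-away risk raised in the reply.
[Passwordless package upgrades for admin group]
Identity=unix-group:admin
Action=org.debian.apt.upgrade-packages
ResultAny=no
ResultInactive=no
ResultActive=yes

; --- Hardened setting ---------------------------------------------------
; Same group, same action, but an admin must authenticate with their own
; password; auth_admin_keep caches the authorization for a few minutes so
; the prompt does not repeat for every step of one upgrade session.
; Remote (ResultAny) and inactive sessions are still denied outright.
[Package upgrades for admin group require the admin password]
Identity=unix-group:admin
Action=org.debian.apt.upgrade-packages
ResultAny=no
ResultInactive=no
ResultActive=auth_admin_keep
```

Keep only one of the two stanzas in a real file; with both present the last matching stanza wins, so ordering decides the outcome. To confirm what is in force, `pkaction --verbose --action-id org.debian.apt.upgrade-packages` prints the implicit authorizations for the action, and dropping the whole .pkla file restores the distribution default, which is the "remove the PolicyKit rule and always be prompted" option from the thread. Later PolicyKit releases (0.106 and up) replaced .pkla files with JavaScript rules under /etc/polkit-1/rules.d/, where the same decision is expressed as a return value of polkit.Result.YES or polkit.Result.AUTH_ADMIN_KEEP.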