10-21-2011, 12:03 PM
Alan Pope

update manager no longer asking for password in 11.10 -

On 20 October 2011 08:47, Ants Pants <antsmailinglist@gmail.com> wrote:
> I've Googled and seen the bug submissions for this (update manager no
> longer asking for password in 11.10) but I have this problem too.
> Anyone else having problems with this? This is a big security hole.

Ok, I have spoken to Matthew Pitt who committed the change. I asked
what the rationale behind it was and where it was discussed. He
indicated that the recommendation to allow updates to
already-installed packages came from the Security Team. I contacted
Marc Deslauriers from the Ubuntu Security Team about it and here's his
response.

"The rationale was to make Ubuntu more secure by making security
updates easier to apply. If you're in the admin group, you already
have access to do so, the password prompt was an irritant that made
most people just press cancel instead of actually installing the
updates."

"malware cannot install additional software or anything. if malware
wants to install your security updates, I say go for it "

"it can easily be disabled by a sysadmin by creating a policykit file,
or simply by creating users that aren't in the admin group"

"there's another reason why we're doing it, we are trying to reduce
the number of password prompts that appear to the user. so a password
prompt will make them stop and think about what they're doing, getting
a password prompt every single day for updates means people aren't
thinking about it anymore"

There's a brief line about it in the Security Team FAQ:-

https://wiki.ubuntu.com/SecurityTeam/FAQ#Update_Manager_doesn.27t_prompt_for_security_updates

In closing Marc suggested that anyone who wants to discuss this can
join #ubuntu-hardened on IRC and chat with the team there.

Cheers,
Al.

--
ubuntu-users mailing list
ubuntu-users@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
 
10-21-2011, 02:13 PM
R Kimber

update manager no longer asking for password in 11.10 -

On Fri, 21 Oct 2011 13:03:20 +0100
Alan Pope wrote:

> "there's another reason why we're doing it, we are trying to reduce
> the number of password prompts that appear to the user. so a password
> prompt will make them stop and think about what they're doing, getting
> a password prompt every single day for updates means people aren't
> thinking about it anymore"

This seems an excellent development to me.

- Richard.
--
Richard Kimber
Political Science Resources
http://www.PoliticsResources.net/

 
10-21-2011, 04:51 PM
Ioannis Vranos

update manager no longer asking for password in 11.10 -

On Fri, Oct 21, 2011 at 3:03 PM, Alan Pope <alan@popey.com> wrote:
> On 20 October 2011 08:47, Ants Pants <antsmailinglist@gmail.com> wrote:
>> I've Googled and seen the bug submissions for this (update manager no
>> longer asking for password in 11.10) but I have this problem too.
>> Anyone else having problems with this? This is a big security hole.
>
> Ok, I have spoken to Matthew Pitt who committed the change. I asked
> what the rationale behind it was and where it was discussed. He
> indicated that the recommendation to allow updates to
> already-installed packages came from the Security Team. I contacted
> Marc Deslauriers from the Ubuntu Security Team about it and here's his
> response.
>
> "The rationale was to make Ubuntu more secure by making security
> updates easier to apply. If you're in the admin group, you already
> have access to do so, the password prompt was an irritant that made
> most people just press cancel instead of actually installing the
> updates."
>
> "malware cannot install additional software or anything. if malware
> wants to install your security updates, I say go for it "
>
> "it can easily be disabled by a sysadmin by creating a policykit file,
> or simply by creating users that aren't in the admin group"
>
> "there's another reason why we're doing it, we are trying to reduce
> the number of password prompts that appear to the user. so a password
> prompt will make them stop and think about what they're doing, getting
> a password prompt every single day for updates means people aren't
> thinking about it anymore"
>
> There's a brief line about it in the Security Team FAQ:-
>
> https://wiki.ubuntu.com/SecurityTeam/FAQ#Update_Manager_doesn.27t_prompt_for_security_updates
>
> In closing Marc suggested that anyone who wants to discuss this can
> join #ubuntu-hardened on IRC and chat with the team there.


These are OK, however my question is, with this authentication
mechanism (I think it is the "policykit" you are mentioning), having
us in its admin group, can a binary (trojan or virus) create its own
policykit configuration files, without a password prompt?



--
Ioannis Vranos

http://www.cpp-software.net
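
Added example, not part of the thread: the "policykit file" discussed above is an INI-style `.pkla` rule read by polkit's local authority. This Python audit lists rules that grant an action with no password prompt and reports rule directories that a non-root account could modify; the sample rule text, its action ids and the scanned directories are assumptions for illustration.

```python
import configparser
import os
import stat

# Constructed sample rule file; action ids and groups are assumed for illustration.
SAMPLE_PKLA = """\
[Update already installed software]
Identity=unix-group:admin;unix-group:sudo
Action=org.debian.apt.upgrade-packages
ResultActive=yes

[Install new software]
Identity=unix-group:admin
Action=org.debian.apt.install-or-remove-packages
ResultActive=auth_admin
"""

def passwordless_rules(text):
    """Return (rule, identity, action) for each rule that answers 'yes' with no prompt."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # .pkla keys are case-sensitive
    cp.read_string(text)
    hits = []
    for name in cp.sections():
        sec = cp[name]
        results = {sec.get(k, "").strip() for k in ("ResultAny", "ResultInactive", "ResultActive")}
        if "yes" not in results:
            continue
        for ident in filter(None, sec.get("Identity", "").split(";")):
            for action in filter(None, sec.get("Action", "").split(";")):
                hits.append((name, ident.strip(), action.strip()))
    return hits

def writable_by_non_root(path):
    """True if the owner is not root, or a non-root group or 'other' may write."""
    st = os.stat(path)
    group_w = bool(st.st_mode & stat.S_IWGRP) and st.st_gid != 0
    return st.st_uid != 0 or group_w or bool(st.st_mode & stat.S_IWOTH)

if __name__ == "__main__":
    # Assumed locations of polkit local-authority rules; run as root to read them.
    for top in ("/etc/polkit-1/localauthority", "/var/lib/polkit-1/localauthority"):
        for root, _dirs, files in os.walk(top):
            if writable_by_non_root(root):
                print("WRITABLE BY NON-ROOT:", root)
            for f in (x for x in files if x.endswith(".pkla")):
                path = os.path.join(root, f)
                with open(path) as fh:
                    for hit in passwordless_rules(fh.read()):
                        print(path, *hit)
```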
