newdog Posted March 28, 2009 Report Share Posted March 28, 2009 Hi, I get the little info popup stating "Warning! Updates are available for your system." and when I click on it I get "QUERY You are attempting to run "mandrivaupdate" which requires administrative privileges, but more information is needed in order to do so" "Authenticating as 'myusername'" It doesn't ask for the ROOT password. Is this how 2009.0 does it? It seems wrong. Quote Link to comment Share on other sites More sharing options...
{BBI}Nexus{BBI} Posted March 28, 2009 Report Share Posted March 28, 2009 Yes, by default the currently logged in user has the abitlity to apply updates (madness if you ask me), you can change this behaviour under the Security section in the Mandriva Contol Centre. Quote Link to comment Share on other sites More sharing options...
newdog Posted March 28, 2009 Author Report Share Posted March 28, 2009 Thanks for that. Now asks for Root password. Quote Link to comment Share on other sites More sharing options...
K Bergen Posted March 29, 2009 Report Share Posted March 29, 2009 This madness started back in 2008.1 or perhaps earlier. It's not really that much of a security risk as it only uses update repositories setup by root and can only update already installed packages but yes it does go against everything I've learnt in my ten years of Linux use. :sad: Ken Quote Link to comment Share on other sites More sharing options...
ianw1974 Posted March 29, 2009 Report Share Posted March 29, 2009 Is this Mandriva moving towards a sudo setup like Ubuntu does?!? :unsure: Quote Link to comment Share on other sites More sharing options...
ffi Posted March 29, 2009 Report Share Posted March 29, 2009 This madness started back in 2008.1 or perhaps earlier.It's not really that much of a security risk as it only uses update repositories setup by root and can only update already installed packages but yes it does go against everything I've learnt in my ten years of Linux use. :sad: Ken you rather have that security updates do not get installed? Quote Link to comment Share on other sites More sharing options...
{BBI}Nexus{BBI} Posted March 29, 2009 Report Share Posted March 29, 2009 you rather have that security updates do not get installed?I don't get that message from K Bergen's post! Maybe it's not much of a security risk, but it's definately an annoyance. I don't want other users to have the ability to install updates, especially as I like to use non-supported repositories. I know (most of the time) when not to apply updates that may break my system. Quote Link to comment Share on other sites More sharing options...
AussieJohn Posted March 29, 2009 Report Share Posted March 29, 2009 Hello FFI. I could be wrong but I think you have misunderstood Kens comment. I don't think that is what he inferred at all. In fact I think he is saying that while user instigated updates may be OK normally he thinks it is a bad idea in the long term and runs against the best security practices of the past. On that I agree with him. Cheers. John. Quote Link to comment Share on other sites More sharing options...
ffi Posted March 29, 2009 Report Share Posted March 29, 2009 I don't get that message from K Bergen's post! Maybe it's not much of a security risk, but it's definately an annoyance. I don't want other users to have the ability to install updates, especially as I like to use non-supported repositories. I know (most of the time) when not to apply updates that may break my system. this is not a problem as only updates in /updates are reported in the update applet, not newer versions from other repos Quote Link to comment Share on other sites More sharing options...
{BBI}Nexus{BBI} Posted March 29, 2009 Report Share Posted March 29, 2009 this is not a problem as only updates in /updates are reported in the update applet, not newer versions from other reposI disagree. It is a problem when the proposed updates conflict with what I already have installed. I recently had an episode where applying the updates recommended by the applet stripped away elements of my KDE4.2 desktop and broke it. Thankfully it wasn't too much of a problem to rectify. This breakage was limited to one system because I made sure I am the only one authorised to apply updates. I certainly don't want to be doing repairs to all of my computers because those who don't know any better have applied updates that break my system. Quote Link to comment Share on other sites More sharing options...
scarecrow Posted March 29, 2009 Report Share Posted March 29, 2009 Is this Mandriva moving towards a sudo setup like Ubuntu does?!? :unsure: I believe the idea is borrowed from Ubuntu's updater. However, things are worse in Mandriva, as in Ubuntu you do have to provide your user password to do the updates (unless you have visudo-ed before and uncommented some "USER_NAME ALL=(ALL) ALL" line in there, that is). Quote Link to comment Share on other sites More sharing options...
{BBI}Nexus{BBI} Posted March 29, 2009 Report Share Posted March 29, 2009 (edited) ..However, things are worse in Mandriva, as in Ubuntu you do have to provide your user password to do the updates..I fail to see how the Mandriva way is worse. The logged in user still has to provide a password. If they are following the *buntu model then I urge them to abandon it now. Don't encourage security sloppiness for the sake of convenience. Edited March 29, 2009 by {BBI}Nexus{BBI} Quote Link to comment Share on other sites More sharing options...
K Bergen Posted March 29, 2009 Report Share Posted March 29, 2009 Actually I find nothing wrong with the Mandriva model on a single user machine as in that case you are probably also the system administrator. But and a big BUT it should not be enabled by default. The first time you click on the update icon you should be asked if you want a regular user to be able to install updates and be asked for the root password to enable that feature. Ken Quote Link to comment Share on other sites More sharing options...
ianw1974 Posted March 30, 2009 Report Share Posted March 30, 2009 Don't encourage security sloppiness for the sake of convenience. Using sudo is not security sloppiness. It's by far better to give someone partial admin access for things they need to do via sudo, rather than give them the full root password. Providing of course, that sudo is configured properly in the first place. And I'm not particular referring to Ubuntu, but sudo in general. Quote Link to comment Share on other sites More sharing options...
{BBI}Nexus{BBI} Posted March 30, 2009 Report Share Posted March 30, 2009 Using sudo is not security sloppiness. It's by far better to give someone partial admin access for things they need to do via sudo, rather than give them the full root password. Providing of course, that sudo is configured properly in the first place. And I'm not particular referring to Ubuntu, but sudo in general. I wasn't arguing the merits of using sudo. I'm referring to the ridiculous situation where by default in Mandriva any user can apply updates. I'm glad you added: 'Providing of course, that sudo is configured properly in the first place.' As it is in *buntu as long as I know at least one users password I could wreak havoc using sudo anyway. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.