newdog

Updating by user not Root


Hi,

I get the little info popup stating "Warning! Updates are available for your system."

and when I click on it I get "QUERY You are attempting to run "mandrivaupdate" which requires administrative privileges, but more information is needed in order to do so"

"Authenticating as 'myusername'"

It doesn't ask for the ROOT password.

 

Is this how 2009.0 does it? It seems wrong.


Yes, by default the currently logged in user has the ability to apply updates (madness if you ask me), you can change this behaviour under the Security section in the Mandriva Control Centre.


This madness started back in 2008.1 or perhaps earlier.

It's not really that much of a security risk as it only uses update repositories set up by root and can only update already installed packages but yes it does go against everything I've learnt in my ten years of Linux use. :sad:

Ken


Is this Mandriva moving towards a sudo setup like Ubuntu does?!? :unsure:

> This madness started back in 2008.1 or perhaps earlier.
>
> It's not really that much of a security risk as it only uses update repositories set up by root and can only update already installed packages but yes it does go against everything I've learnt in my ten years of Linux use. :sad:
>
> Ken

You rather have that security updates do not get installed?

> You rather have that security updates do not get installed?

I don't get that message from K Bergen's post! Maybe it's not much of a security risk, but it's definitely an annoyance. I don't want other users to have the ability to install updates, especially as I like to use non-supported repositories. I know (most of the time) when not to apply updates that may break my system.


Hello FFI.

I could be wrong but I think you have misunderstood Ken's comment. I don't think that is what he inferred at all. In fact I think he is saying that while user instigated updates may be OK normally he thinks it is a bad idea in the long term and runs against the best security practices of the past. On that I agree with him.

Cheers. John.

> I don't get that message from K Bergen's post! Maybe it's not much of a security risk, but it's definitely an annoyance. I don't want other users to have the ability to install updates, especially as I like to use non-supported repositories. I know (most of the time) when not to apply updates that may break my system.

This is not a problem, as only updates in /updates are reported in the update applet, not newer versions from other repos.

> This is not a problem, as only updates in /updates are reported in the update applet, not newer versions from other repos.

I disagree. It is a problem when the proposed updates conflict with what I already have installed. I recently had an episode where applying the updates recommended by the applet stripped away elements of my KDE4.2 desktop and broke it. Thankfully it wasn't too much of a problem to rectify. This breakage was limited to one system because I made sure I am the only one authorised to apply updates. I certainly don't want to be doing repairs to all of my computers because those who don't know any better have applied updates that break my system.

> Is this Mandriva moving towards a sudo setup like Ubuntu does?!? :unsure:

I believe the idea is borrowed from Ubuntu's updater. However, things are worse in Mandriva, as in Ubuntu you do have to provide your user password to do the updates (unless you have visudo-ed before and uncommented some "USER_NAME ALL=(ALL) ALL" line in there, that is).

> ..However, things are worse in Mandriva, as in Ubuntu you do have to provide your user password to do the updates..

I fail to see how the Mandriva way is worse. The logged in user still has to provide a password. If they are following the *buntu model then I urge them to abandon it now. Don't encourage security sloppiness for the sake of convenience.


Actually I find nothing wrong with the Mandriva model on a single user machine as in that case you are probably also the system administrator.

But, and a big BUT, it should not be enabled by default.

The first time you click on the update icon you should be asked if you want a regular user to be able to install updates and be asked for the root password to enable that feature.

Ken

> Don't encourage security sloppiness for the sake of convenience.

Using sudo is not security sloppiness. It's by far better to give someone partial admin access for things they need to do via sudo, rather than give them the full root password. Providing of course, that sudo is configured properly in the first place.

And I'm not particularly referring to Ubuntu, but sudo in general.

> Using sudo is not security sloppiness. It's by far better to give someone partial admin access for things they need to do via sudo, rather than give them the full root password. Providing of course, that sudo is configured properly in the first place.
>
> And I'm not particularly referring to Ubuntu, but sudo in general.

I wasn't arguing the merits of using sudo. I'm referring to the ridiculous situation where by default in Mandriva any user can apply updates. I'm glad you added: 'Providing of course, that sudo is configured properly in the first place.' As it is in *buntu as long as I know at least one user's password I could wreak havoc using sudo anyway.

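The thread contrasts a blanket `USER_NAME ALL=(ALL) ALL` grant with "partial admin access" through a properly configured sudo. The following is an added example, not part of any poster's message and not Mandriva's or Ubuntu's own code: a small audit that classifies sudoers user specifications by how much they delegate. The account names are constructed, the `/usr/sbin/urpmi --auto-update` command is an assumed update command for a Mandriva host, and the parser only handles single-line specifications without aliases.

```python
import re

# Constructed sample sudoers entries (not taken from any real system).
SAMPLE_SUDOERS = """\
# blanket grant, the form quoted in the thread
alice ALL=(ALL) ALL
# update-only delegation; command path and flag are assumptions
bob ALL=(root) /usr/sbin/urpmi --auto-update
# update-only, but sudo never asks for a password
carol ALL=(root) NOPASSWD: /usr/sbin/urpmi --auto-update
%wheel ALL=(ALL) NOPASSWD: ALL
"""

# who  host = (runas) [TAG:] command[, command...]
SPEC = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+?)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$"
)
SKIP = re.compile(r"^(#|Defaults\b|(User|Runas|Host|Cmnd)_Alias\b)")


def audit(text):
    """Return (who, finding) for each user specification in sudoers text."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or SKIP.match(line):
            continue
        m = SPEC.match(line)
        if not m:
            continue
        rest = m["rest"]
        nopasswd = "NOPASSWD:" in rest
        # Drop tags such as NOPASSWD: or NOEXEC: to get the bare command list.
        commands = [c.strip() for c in re.sub(r"\b[A-Z_]+:\s*", "", rest).split(",")]
        full = "ALL" in commands
        if full and nopasswd:
            finding = "full root, no password"
        elif full:
            finding = "full root, own password"   # one known user password is enough
        elif nopasswd:
            finding = "restricted commands, no password"
        else:
            finding = "restricted commands, own password"
        findings.append((m["who"], finding))
    return findings


if __name__ == "__main__":
    for who, finding in audit(SAMPLE_SUDOERS):
        print(f"{who:8} {finding}")
```
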
