Looking at Package Management for Karmic or Karmic+1

John McCabe-Dansted gmatht at gmail.com
Sun Apr 5 11:15:20 UTC 2009


On Sun, Apr 5, 2009 at 1:23 AM, Matt Wheeler <m at funkyhat.org> wrote:
> 2009/4/4 Nils Kassube <kassube at gmx.net>:
>>
>> If you don't trust update-manager you would have to check everything
>> after an update. I don't think anybody will do that even after
>> providing the password. Most users don't even know what to look for to
>> check the system.
>
> That's not the point I'm trying to make. Maybe it's not as big an issue as I
> think, but I meant if update-manager had any possibility of crashing then
> perhaps a malicious user/program could use it to escalate privileges (I've
> personally found 1 or 2 root escalation bugs in GDM for example, how would
> we guarantee not to have the same problems here)?

Adding something like
   %sudo ALL=NOPASSWD: /usr/bin/aptitude update
to the sudoers gives almost the right rights. If there is no user
input into aptitude, then this does not add any new such security
holes.

However, Update-manager allows the user to unselect updates. So to
allow non-root users to do a selective upgrade, we'd have to pass in
the packages to update, running a risk that these package names are
malicious and cause Update-manager to do something bad. I imagine this
risk could be made quite small.

Still, an overnight auto-update seems like a sensible default for
novice users who don't need or want to know what an update is. This is
what I set my computer to when I am overseas and leave my computer on
for family to use.

-- 
John C. McCabe-Dansted
PhD Student
University of Western Australia
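
Added example (not part of the original message, and not Update-manager's code): one way a privileged helper could vet package names handed to it by an unprivileged front end before a selective upgrade. The function name, the length bound, the idea that the helper computes the pending-upgrade list itself, and the apt-get command line are assumptions made for illustration.

```python
import re

# Debian Policy 5.6.1: lowercase letters, digits, '+', '-', '.';
# at least two characters; must start with an alphanumeric.
PKG_NAME = re.compile(r"[a-z0-9][a-z0-9+.\-]+")
MAX_NAME_LEN = 128  # assumed sanity bound, not taken from policy


class RejectedRequest(ValueError):
    """Raised when the unprivileged request must not be acted on."""


def build_upgrade_argv(requested, upgradable):
    """Return the argv for the privileged upgrade, or raise RejectedRequest.

    requested  -- package names supplied by the unprivileged front end
    upgradable -- names the privileged helper itself found to be pending
                  upgrades (never taken from the caller)
    """
    if not requested:
        raise RejectedRequest("empty selection")
    allowed = set(upgradable)
    selected = []
    for name in requested:
        if not isinstance(name, str) or len(name) > MAX_NAME_LEN:
            raise RejectedRequest("bad type or length")
        # fullmatch, not match/'$': a trailing newline must not slip through
        if not PKG_NAME.fullmatch(name):
            raise RejectedRequest("not a valid package name: %r" % name)
        # Syntax alone is not enough: the user may only deselect updates,
        # so every name must already be in the pending-upgrade set.
        if name not in allowed:
            raise RejectedRequest("not a pending upgrade: %r" % name)
        if name not in selected:
            selected.append(name)
    # Assumed command line. An argv list means no shell is involved, and
    # "--" keeps anything after it from being parsed as an option.
    return ["/usr/bin/apt-get", "install", "--only-upgrade", "-y", "--"] + selected


if __name__ == "__main__":
    pending = ["bash", "libc6", "vim"]  # constructed sample data
    print(build_upgrade_argv(["bash", "libc6"], pending))
```

The whole request is rejected on the first bad name rather than filtered, so a malformed selection never results in a partial privileged action.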




More information about the Ubuntu-devel-discuss mailing list