update manager no longer asking for password in 11.10

Alan Pope alan at popey.com
Fri Oct 21 12:03:20 UTC 2011


On 20 October 2011 08:47, Ants Pants <antsmailinglist at gmail.com> wrote:
> I've Googled and seen the bug submissions for this (update manager no
> longer asking for password in 11.10) but I have this problem too.
> Anyone else having problems with this? This is a big security hole.

Ok, I have spoken to Matthew Pitt who committed the change. I asked
what the rationale behind it was and where it was discussed. He
indicated that the recommendation to allow updates to
already-installed packages came from the Security Team. I contacted
Marc Deslauriers from the Ubuntu Security Team about it and here's his
response.

"The rationale was to make Ubuntu more secure by making security
updates easier to apply. If you're in the admin group, you already
have access to do so, the password prompt was an irritant that made
most people just press cancel instead of actually installing the
updates."

"malware cannot install additional software or anything. if malware
wants to install your security updates, I say go for it :)"

"it can easily be disabled by a sysadmin by creating a policykit file,
or simply by creating users that aren't in the admin group"

"there's another reason why we're doing it, we are trying to reduce
the number of password prompts that appear to the user. so a password
prompt will make them stop and think about what they're doing, getting
a password prompt every single day for updates means people aren't
thinking about it anymore"

There's a brief line about it in the Security Team FAQ:-

 https://wiki.ubuntu.com/SecurityTeam/FAQ#Update_Manager_doesn.27t_prompt_for_security_updates

In closing Marc suggested that anyone who wants to discuss this can
join #ubuntu-hardened on IRC and chat with the team there.

Cheers,
Al.
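
The "policykit file" override mentioned in the quoted reply, sketched as an added example; it is not part of the original post and not Ubuntu's own code. The action id `org.debian.apt.upgrade-packages`, the file names, both sample entries and the `auth_admin` fallback are assumptions made for illustration. It evaluates polkit `.pkla` entries the way the local authority does: files in lexical order, last matching entry wins.

```python
import configparser
from fnmatch import fnmatchcase

ACTION = "org.debian.apt.upgrade-packages"  # assumed aptdaemon action id

# Constructed sample entries, not copied from a real system.
VENDOR = """
[Update already installed software]
Identity=unix-group:admin;unix-group:sudo
Action=org.debian.apt.upgrade-packages
ResultActive=yes
"""
LOCAL_OVERRIDE = """
[Require password for package upgrades]
Identity=unix-group:*
Action=org.debian.apt.upgrade-packages
ResultActive=auth_admin
"""

def effective_result(files, identities, action=ACTION, default="auth_admin"):
    """Return the ResultActive value that applies to an active local session.

    `files` maps a hypothetical "subdir/name.pkla" key to file content.
    Entries are read in lexical order and the last match wins, which is
    how a 50-local.d file overrides a 10-vendor.d one.
    """
    result = default  # assumed fallback when no entry matches
    for path in sorted(files):
        cp = configparser.ConfigParser(interpolation=None)
        cp.read_string(files[path])
        for section in cp.sections():
            entry = cp[section]
            ids = [p for p in entry.get("identity", "").split(";") if p]
            acts = [p for p in entry.get("action", "").split(";") if p]
            id_hit = any(fnmatchcase(i, pat) for i in identities for pat in ids)
            act_hit = any(fnmatchcase(action, pat) for pat in acts)
            if id_hit and act_hit and "resultactive" in entry:
                result = entry["resultactive"]
    return result

if __name__ == "__main__":
    admin = ["unix-user:alice", "unix-group:admin"]
    before = {"10-vendor.d/apt.pkla": VENDOR}
    after = dict(before, **{"50-local.d/apt-password.pkla": LOCAL_OVERRIDE})
    print("vendor only:  ", effective_result(before, admin))
    print("with override:", effective_result(after, admin))
```

A result of `yes` means no prompt for that identity; `auth_admin` means the administrator password is requested again.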



