update-manager not asking for authentication in Oneiric Beta

Colin Law clanlaw at googlemail.com
Thu Sep 15 11:11:39 UTC 2011


On 15 September 2011 10:53, Alan Pope <alan at popey.com> wrote:
>
>> 2. I thought that one of the principles of Linux that makes it much
>> less open to attack is that one cannot write to system areas of disk
>> without authentication.  How is it then that update manager is able to
>> do this (whether by accident or design) without authentication?
>>
>
> You have authentication. You logged in with a username and password.
> You're also (probably) sat at the machine. So when update manager
> appears, chances are it's you (and not someone else) who sees it and
> proceeds with the update.

Normally if I run an app, or a command from the terminal, that
attempts to write to the system area on disk, that is not allowed.
Hence I have to use sudo with apt-get upgrade.  How is it that I can
use update-manager to do that, but not apt-get?

>
> If someone else is at your machine and doing malicious things to
> update manager (is updating a machine malicious?) then all bets are
> off anyway, because you've given someone else physical access to your
> computer. They could screw up your system much more easily and more
> comprehensively than update manager could ever hope to.

I thought the fact that I could not write to the system area without
re-authentication was one of the features that made Linux less
vulnerable to viruses and so on.  What is it that allows
update-manager to do that but not a virus or other malware?  You may
already have answered that question above.

Colin

-- 
gplus.to/clanlaw



