PDA

View Full Version : [ubuntu] Update Manager doesn't ask for passwd



hakermania
October 22nd, 2011, 07:25 AM
Yes, and that's have happened twice actually, it installs the stuff without asking for passwd.

And no, I haven't given it any recently, to be more specific, my pc is on doing a specific task and I haven't touched it 2 days now and now I decided to see for updates and it didn't ask me for passwd. What's going on ;) ?

11.10

lovbuntu
October 22nd, 2011, 07:49 AM
Yes, and that's have happened twice actually, it installs the stuff without asking for passwd.

And no, I haven't given it any recently, to be more specific, my pc is on doing a specific task and I haven't touched it 2 days now and now I decided to see for updates and it didn't ask me for passwd. What's going on ;) ?

11.10

I guess they did it like that so users can easily get updates

hakermania
October 22nd, 2011, 08:57 AM
No, I don't get it, this should be a security vuln, it installs stuff without my passwd, 1st time now in 2 years.

Soul-Sing
October 22nd, 2011, 11:47 AM
it seems to be the new update-policy in 11.10. There are several "bug reports" on launchpad.

dfarrell07
October 25th, 2011, 04:29 AM
Interesting that apt-get update/upgrade still requires sudo, if this is a new 'policy.' Passwords ftw, I say.

roton
October 25th, 2011, 05:57 AM
I noticed this too. Much prefer there to be a password.

Larkspur
October 25th, 2011, 08:15 AM
Where's the security risk? You installed the stuff that's being updated. Only the administrator can update, so there's no problem with standard users.

The Cog
October 25th, 2011, 08:23 PM
Where's the security risk? You installed the stuff that's being updated. Only the administrator can update, so there's no problem with standard users.
I confirm that non-admin users don't get offered the chance to upgrade - I just got the chance to check that with the latest round of updates. It still "feels" wrong to me, but I can't think if a good logical reason why.

hakermania
October 26th, 2011, 10:23 PM
Where's the security risk? You installed the stuff that's being updated. Only the administrator can update, so there's no problem with standard users.

Well, as I though it:
If A is allowed to use B for opening the door then C may also use B for killing you :P

For example, somebody may as well trick the system that a package is on the updates and install a malicious package as well (dunno if possible, just saying).
If there's a way of installing *some* way of packages without passwd then there should be a way to install *all* the packages without passwd with some kind of trick.
Well, that's the security risk in which I referred to, a possible security risk.:P

bruno9779
November 1st, 2011, 04:26 AM
:shock::shock::shock:

I am not liking the direction Ubuntu is going...

I don't want to start a flame war, but this just feels too Windows for my taste.

crazyguy510
November 2nd, 2011, 08:51 PM
Well, as I though it:
If A is allowed to use B for opening the door then C may also use B for killing you :P

For example, somebody may as well trick the system that a package is on the updates and install a malicious package as well (dunno if possible, just saying).
If there's a way of installing *some* way of packages without passwd then there should be a way to install *all* the packages without passwd with some kind of trick.
Well, that's the security risk in which I referred to, a possible security risk.:P

I may be way off, but I'm not sure this is possible. The update manager only draws from the sources that you allow in synaptic package manager. To install completely new packages, or modify and add sources to synaptic package manager, you would still need a root password. So I would assume that the only way this would pose a problem is if there was a breach on the sources server. I don't quite know how a typical source pushes out an update to their software on a Linux distro, but I've never heard of this as a widespread problem.

I will say that true security is very rarely convenient, and this certainly ups the level of convenience.