On Sun, Apr 5, 2009 at 1:23 AM, Matt Wheeler <m...@funkyhat.org> wrote:
> 2009/4/4 Nils Kassube <kass...@gmx.net>:
>>
>> If you don't trust update-manager you would have to check everything
>> after an update. I don't think anybody will do that even after
>> providing the password. Most users don't even know what to look for to
>> check the system.
>
> That's not the point I'm trying to make. Maybe it's not as big an issue as I
> think, but I meant if update-manager had any possibility of crashing then
> perhaps a malicious user/program could use it to escalate privileges (I've
> personally found 1 or 2 root escalation bugs in GDM for example, how would
> we guarantee not to have the same problems here)?

Adding something like

    %sudo ALL=NOPASSWD: aptitude update

to the sudoers gives almost the right rights. If there is no user input into aptitude, then this does not add any new such security holes.

However, Update-manager allows the user to unselect updates. So to allow non-root users to do a selective upgrade, we'd have to pass in the packages to update, running a risk that these package names are malicious and cause Update-manager to do something bad. I imagine this risk could be made quite small.

Still, an overnight auto-update seems like a sensible default for novice users who don't need or want to know what an update is. This is what I set my computer to when I am overseas and leave my computer on for family to use.

--
John C. McCabe-Dansted
PhD Student
University of Western Australia
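
An added example, not part of the original message and not Update-manager's own code: one way a privileged helper could vet the package names it receives from an unprivileged user before a selective upgrade. The function names, the length bound and the `aptitude -y safe-upgrade` invocation are assumptions made for illustration; the name pattern follows the Debian Policy rules for package names.

```python
import re

# Debian Policy package-name syntax: lowercase letters, digits, '+', '-', '.',
# at least two characters, starting with an alphanumeric character.
_PKG_NAME = re.compile(r"[a-z0-9][a-z0-9+.\-]+")
_MAX_LEN = 128  # constructed sanity bound, not taken from Debian Policy


class RejectedPackage(ValueError):
    """Raised when a requested name must not reach the package tool."""


def vet_selection(requested, upgradable):
    """Return the requested names that are safe to pass on, de-duplicated.

    requested  -- names supplied by the unprivileged user (untrusted)
    upgradable -- names the privileged side computed itself (trusted)
    """
    vetted, seen = [], set()
    for name in requested:
        if not isinstance(name, str) or len(name) > _MAX_LEN:
            raise RejectedPackage("bad type or length: %r" % (name,))
        # fullmatch, not match with '$': '$' would accept a trailing newline.
        if not _PKG_NAME.fullmatch(name):
            raise RejectedPackage("not a valid package name: %r" % (name,))
        # Allow-list: the user may only narrow the set of pending upgrades,
        # never introduce a name the privileged side did not propose.
        if name not in upgradable:
            raise RejectedPackage("not a pending upgrade: %r" % (name,))
        if name not in seen:
            seen.add(name)
            vetted.append(name)
    return vetted


def build_argv(requested, upgradable):
    """Build the command as an argv list (hypothetical helper)."""
    names = vet_selection(requested, upgradable)
    if not names:
        raise RejectedPackage("empty selection")
    # A list handed to exec, never a shell string: no quoting, no word
    # splitting. Vetted names cannot start with '-', so none parses as an option.
    return ["aptitude", "-y", "safe-upgrade"] + names
```

Rejecting the whole request on the first bad name, instead of silently dropping it, keeps the privileged side from acting on input it only partly understood.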