Fedora 22 update security

Christian Schaller cschalle at redhat.com
Wed May 13 15:14:13 UTC 2015





----- Original Message -----
> From: "Josh Boyer" <jwboyer at fedoraproject.org>
> To: "Discussions about development for the Fedora desktop" <desktop at lists.fedoraproject.org>
> Sent: Wednesday, May 13, 2015 10:27:23 AM
> Subject: Re: Fedora 22 update security
> 
> On Wed, May 13, 2015 at 10:00 AM, Bastien Nocera <bnocera at redhat.com> wrote:
> >
> >
> > ----- Original Message -----
> >> Actually that should not be an issue since we only do offline updates,
> >> so there is no chance of one user updating software while
> >> another is using it.
> >
> > And only admin users can reboot the machine while other users are using
> > it...
> 
> Even in that scenario I don't believe allowing non-admin users to
> apply updates is the correct thing to do.  I mean, your friend is over
> and turns on your laptop and logs into the non-admin account he
> created.  He sees updates and says to apply them (via offline updates
> or not).  He reboots the machine since he's the only logged in user.
> Now you have a bunch of updates applied that you didn't know about the
> next time you log in.
> 
> This really seems like a bad idea to me.
> 
Well I guess it comes down to who we design the default install experience
towards. My take is that our primary target is people on single-user systems
with the idea being that people in more complex setups would be installing
using kickstarts and similar and thus be able to tweak the configuration
of such systems to suit their requirements (what tooling we offer or lack of such 
for helping with such tweaking is another debate).

So even in the single-user scenario I can see that examples such as the one you mentioned
can happen, but I can't help but feel that the problem here is with your friend and
not the system for assuming he should feel free to update your machine without 
asking you. 

That said, this is not a major issue to me as the default behaviour here should be
that the first user created on a system should be in the wheel group (which we need
to fix as this does not happen if you set up your user using Anaconda, but it is the case
if you set up your user using the GNOME initial install wizard.)

Christian


