Re: Embarrassing security bug in systemd
On Fri, 8 Dec 2017 17:12:18 -0500
Cindy-Sue Causey <butterflybytes@gmail.com> wrote:
>
> I do remember having to give a password, but I don't remember how long
> ago now. And I have too much open right now to test drive whether mine
> does it or not these days.. :)
>
As I did the other day. I've tried it now (up-to-date unstable) and it
works for a non-root user.
> I do understand everyone's rationale for why they like or dislike
> either way. Something I did *not* understand when I saw it in
> operation was why a password was needed at the terminal but not from
> within the GUI's "Applications > Log Out" menu path.
>
Yes, it's not so much *what* happens, as how it's different now than it
was, and how few regular Debian users seemed to know about it. Only the
developers seemed to be aware of the issue. As I said, I do glance
through changelogs to look for real gotchas that affect me (not really
many of them) and I don't recall seeing a warning about this. And it
*should* have been a warning, not just a tiny footnote, because it's a
[small] security measure being turned off by default. That shouldn't
happen during an upgrade without a reasonable attempt to warn users.
> I think I finally came to the (potentially misguided) a-sumption that
> one rationale *might* have something to do with having to sit here in
> person to click the GUI's menu path but maybe not for the terminal
> and/or other (?) hackable routes....... :)
I think there's a case for asking which way to set it during an expert
install or during the upgrade that reversed the default setting. We are
asked about root/non-root permission for the man pages.
--
Joe
Reply to: