Re: Embarrassing security bug in systemd
On Sat 09 Dec 2017 at 10:12:16 +0000, Joe wrote:
> On Fri, 8 Dec 2017 23:56:44 +0000
> Brian <ad44@cityscape.co.uk> wrote:
>
> > On Fri 08 Dec 2017 at 23:06:00 +0000, Joe wrote:
> >
> > > On Fri, 8 Dec 2017 17:12:18 -0500
> > > Cindy-Sue Causey <butterflybytes@gmail.com> wrote:
> > >
> > > >
> > > > I do remember having to give a password, but I don't remember how
> > > > long ago now. And I have too much open right now to test drive
> > > > whether mine does it or not these days.. :)
> > > >
> > > As I did the other day. I've tried it now (up-to-date unstable) and
> > > it works for a non-root user.
> >
> > Without policykit-1 installed it doesn't; no rebooting or powering
> > off with /sbin/reboot or /sbin/poweroff for a user. CTRL+ALT+DEL
> > from a terminal reboots. That's the same behaviour as sysvinit.
> >
>
> Yes, I understand that, the point is that the first installation of
> policykit-1, which I did not explicitly request, did not ask me if I
> wanted non-root users to be able to reboot, or indeed about anything
> else it might control. Not that it matters on any of my machines, I'd
> just like to have been told that it was changing, and given the option
> to keep it as it was had I needed to.
The Terms and Conditions of installing a Debian package include (as
I'm sure you are aware) accepting the Depends: and Recomends: lines.
What is in these lines can be accepted or rejected and, in the case
of Recommends:, adjusted to suit your needs. Installing the package
necessarily involves making an explicit request for other packages.
Being asked about choices on installing policykit would probably have
involved a patch for the package and a debconf notice informing users
about this and other changes over previous system behaviour. Apart
from the notice perhaps getting involved, the option to keep previous
behaviour would be of no importance to new users.
--
Brian.
Reply to: