Well, using console input is indeed not allowed (Debian Policy 3.9.1),
the only sanctioned method is debconf. Since u-m intercepts debconf
questions and displays them in a separate dialog, most packages should
work fine without a r/w terminal.
However, that of course does not change the fact that a few packages
still use console input.
My argument that this is not the slightest bit of extra vulnerability
still stands, though. If you have the power to execute u-m through sudo,
and install packages, then anything lurking in the background can
execute stuff as root unnoticed, regardless of whether u-m has a
writeable terminal or not.
** Changed in: update-manager (Ubuntu)
Importance: Medium => Wishlist
Status: Unconfirmed => Confirmed
--
The build-in terminal is not set read-only
https://bugs.launchpad.net/bugs/43328
You received this bug notification because you are a member of Ubuntu
Bugs, which is the bug contact for Ubuntu.
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
