[wpkg-users] How do you handle 'plugins' e.g. Flash etc?

Rainer Meier r.meier at wpkg.org
Wed Oct 7 19:17:46 CEST 2009


Hi Marco,

Marco Gaiarin wrote:
> Whenever possible, I remove the auto update features of these
> softwares.
> 
> Other than that... my users have least privilege available (Users
> group) on the machine, so practically they can't upgrade. ;)

This is what I do usually as well for managed installations. However, if you set
up machines which will be used by private users (not further managed by WPKG) or
if users will not join your network for an update for a long time then it might
be required to allow users to upgrade on their own. Especially if the fixes are
security-relevant.

In practice "normal" users are anyway not performing the upgrades and giving
them only local "user" rights ensures much more security than giving
administrator privileges. Most security-related vulnerabilities allow taking
over a user process, which gives the attacking party user permissions on the
system. It's unlikely that an intruder spends a lot of time to find another
security hole to get administrator privileges.

So my personal experience showed that working without administrator privileges
and using outdated programs is more secure than working with administrator
privileges but keeping programs up-to-date. Working without administrator
privileges protects from both known and unknown vulnerabilities.

Of course the best approach is to use just user privileges AND keep the
programs up-to-date :-). Unfortunately this imposes some effort on
administrators and testing.

So the approach of changing the checks so that they are still "true" for upcoming
versions is not a bad approach in general. The good thing is that WPKG supports
you no matter which approach you follow.


br,
Rainer


