
Re: Security hole in LXDE?

On Tue 28 Feb 2017 at 11:02:14 (+0100), Hans wrote:
> I am not sure, if I some day allowed the normal user to start synaptic as a 
> normal user. Sometimes this option is offered at the first start.

I wouldn't know how to _prevent_ an ordinary user from running
synaptic by typing /usr/sbin/synaptic, unless you had them running in
some sort of restricted shell. Synaptic is obviously designed to be
run by unprivileged users which is why it has that dialog box warning.

> If I have done this (which I was at that moment willing to do), where do I have 
> to look, to make this thing back to normal?
> Please note, that I am not using sudoers, but I am sure, I am using either 
> kdesu or gksudo. As I am mostly using KDE, I bet, kdesu is the one, where I 
> might have to look for as IMO this one is the thing, that might be responsible 
> for the rights.  But where do I have to look then? 

Yes, I agree that the clue is in your DE. I'm a WM person (fvwm)
and use sudoers for allowing me to do a few things like kicking
exim and changing timezones. Joe and Pontus may be more help
in at least having the configuration files to look at.

My assumption would be to look at the DE's configuration in
/etc as you wouldn't expect a user to be able to confer this privilege
on themselves. Are you user 1000? Did you gain privileges merely
through being the first user at installation time? Could that be
normal? Not for Pontus it seems.

Just as, by default, you can gain privileges by being the person
seated at the computer, so it might make some sort of sense for the
first user to have certain privileges granted to them for
administrating the DE. After all, you wouldn't want to run X as
root, let alone a whole DE. My own working practice is a root
shell inside an xterm (and my tools aren't gui), but that doesn't
fit with how a DE runs things. I assume your problem lies in a
helper, which picks up privileges, somewhere between the icon
(or menu choice) and the synaptic binary itself. How it might have
got changed, I don't know.