
Re: Security hole in LXDE?




On Tue 28 Feb 2017 at 12:31:00 (+0000), GiaThnYgeia wrote:
> As a user and as I understand it you should not be able to make
> system-wide changes and many packages affect other parts of the system.
> A user can install and run any package that does not affect the system,
> as a stand alone.  The system as a whole must be maintained by the
> sysadmin for all users.  That is my simplistic understanding.
> Unless it is specifically configured otherwise I don't see why these
> assumptions would be wrong.  Imagine if I like MATE and the other user
> likes X11 and I delete x11 and install MATE, or I install a package that
> has dependency conflicts and replaces what is essential for the other
> users' packages.
> 
> Live systems allow you to install whatever you like as they assume you
> are the root or sysadmin.
> 
> At least that is how I understand security policy for this system.

Apart from not understanding what you mean by "installing packages as
a stand alone", that all looks fine. My post merely demonstrated that
synaptic is not unusual in being runnable by ordinary users. So your
inability, and the need for a password, lies outside synaptic and in
the realm of the DE, which set up the icon or menu that you use to
the exclusion of other methods. In a sense my post was just a gloss
on Jonathan Dowland's post.

So why did I comment on _your_ post? Only days ago, I mentioned
someone's old d-u assertions that you couldn't run aptitude as an
ordinary user, which is not true. I didn't want your statement to
give people the same false impression about synaptic, especially
as that someone uses synaptic.

Both aptitude and synaptic can be run by an ordinary user, and it's a
very safe way to run them when you don't yet fully understand their
abilities.

> David Wright:
> > On Mon 27 Feb 2017 at 11:13:00 (+0000), GiaThnYgeia wrote:
> >> testingAmd64LXDE
> >>
> >> I have never, not once, been able to run synaptic in any similar system
> >> without a root or a sudo password.  Not to execute a command, just to
> >> get the gui up you need a password.
> > 
> > Why would that be? You should be able to do so. There's a popup
> > window that says this:
> > 
> >   Starting "Synaptic Package Manager" without administrative privileges
> > 
> >   You will not be able to apply any changes, but you can still export
> >   the marked changes or create a download script for them.
> > 
> > I can select packages, look at their properties, dependencies,
> > installed files, get changelogs etc. I can edit some of the
> > preferences. I can see the immediate effects of that in files
> > like ~/.synaptic/synaptic.conf when I click OK. I can select
> > packages for installation and it will write a little script
> > for me:
> > 
> >  #!/bin/sh
> >  wget -c http://ftp.us.debian.org/debian/pool/non-free/i/ibm-3270/3270-common_3.3.14ga11-1_i386.deb
> > 
> > So it suggests that the OP has set something in their system
> > to cause the behaviour they observe, both the popup and the
> > fact that a user's password is sufficient for installing software.
> > 
> > I can run (the similar program) aptitude likewise. The main differences
> > with synaptic are that aptitude is in the user's normal PATH (whereas
> > synaptic is in /usr/sbin); when you try to install, it asks you to
> > consider becoming root from the Actions menu; and if you persist, it
> > gives you the option to become root in a dialog box, and you can then
> > type the root password.
> > 
> >> I don't know whether creating a user with 100% admin privileges will
> >> still require a pass or not, I suspect it would still.  As if you add a
> >> user in the sudo group it is the user's pass that is asked.  So
> >> something is wrong on your specific installation.

Cheers,
David.