Web lists-archives.com

Re: Security hole in LXDE?




-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, Mar 02, 2017 at 11:40:10AM +0100, Hans wrote:
> Checked my system again. 
> It looks like have allowed the standard user to execute applications like 
> synaptic with root rights. I know, this is going to be asked in KDE, when you 
> start  a higher privileged application as a normal user. You can then decide 
> (as root), if the user is allowed to start this application as normal user in 
> the future.

Hm. I'm not sure I've got that one right. Who has allowed the standard
user to execute applications with root rights? How?

> I also found out, that the user is in group "sudo", but got no entry in /etc/
> sudoers.

Again: who "got no entry in /etc/sudoers"? The user in question? Or the
group "sudo"?

> Also, synaptic starts as synaptic-psexec, what means, that when it is startd 
> this way, it is started with root rights.

Seems so. I'm still confused: I don't know whether the desktop environment
is the one granting you root privileges (I can't help with that; I don't
"do" desktop environments) or whether it is sudo (or whether it is the
DE based on the sudo settings).

The sudo part is pretty easy to find out (no clickety way, sorry). Try,
in a shell those two things:

  sudo ls

  sudo synaptic

What happens in each case? Do you get a password prompt? Is synaptic
started in user mode or in root mode?

> So, my question: How can I get this all back. A graphical solution is 
> preferred, of course I knnow, I can edit /etc/groups and other things 
> manually. But if there is a "clicky"-way, this will be preferred.

Be careful when editing /etc/groups. There are things for that like
adduser and addgroup. To remove your user from group sudo:

  sudo deluser <username> sudo

Whether that helps or not depends on all of the above, of course :-)

But **first of all** you've got to get clear on what you want:

  - shall the regular user not be able to call synaptic in
    "root mode" _at all_?

  - yes, but only after entering root password?

  - yes, but only after entering her password?

regards
- -- tomás
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAli4AsoACgkQBcgs9XrR2kahgwCfeciMgHKYB6jdF+5ab4K89Mzi
n/0AnjZupEhg+FAvDhnhS4cuyQJCdYSR
=qx8V
-----END PGP SIGNATURE-----