Web lists-archives.com

Re: Security hole in LXDE?




Hi Tomas
> Hm. I'm not sure I've got that one right. Who has allowed the standard
> user to execute applications with root rights? How?
It was me, beeing haven asked by of the root password and (of course) gave the 
correct one, I allowed the user, to start applications with root rights 
(besides, I am the user and root, as i is my personal computer)
> 
> > I also found out, that the user is in group "sudo", but got no entry in
> > /etc/ sudoers.
> 
> Again: who "got no entry in /etc/sudoers"? The user in question? Or the
> group "sudo"?

It is the user, whom I allowed, to the above.

> > Seems so. I'm still confused: I don't know whether the desktop environment
> is the one granting you root privileges (I can't help with that; I don't
> "do" desktop environments) or whether it is sudo (or whether it is the
> DE based on the sudo settings).

No, no, the desktop just edits the settings, after a correct given root 
password, to start the special applications with root right sin future times.
> 
> The sudo part is pretty easy to find out (no clickety way, sorry). Try,
> in a shell those two things:
> 
>   sudo ls
> 

Gives the same als "ls".

>   sudo synaptic
sudo synaptic
sudo: Hostname protheus1 kann nicht aufgelöst werden
No protocol specified
Unable to init server: Verbindung ist gescheitert:Verbindungsaufbau abgelehnt

(synaptic:25373): Gtk-WARNING **: cannot open display: :0


> 
> What happens in each case? Do you get a password prompt? Is synaptic
> started in user mode or in root mode?
> 

No, as it is not root's environment, but the users one. However, su -p does 
the trick.
> > So, my question: How can I get this all back. A graphical solution is
> > preferred, of course I knnow, I can edit /etc/groups and other things
> > manually. But if there is a "clicky"-way, this will be preferred.
> 
> Be careful when editing /etc/groups. There are things for that like
> adduser and addgroup. To remove your user from group sudo:
> 
>   sudo deluser <username> sudo
> 
> Whether that helps or not depends on all of the above, of course :-)
> 
> But **first of all** you've got to get clear on what you want:
> 
>   - shall the regular user not be able to call synaptic in
>     "root mode" _at all_?
> 

The user shall not be able to start any application of with root rights. 
>   - yes, but only after entering root password?
> 
Exactly.
>   - yes, but only after entering her password?
> 
No, this is the actual situation.

> regards
> -- tomás

Best

Hans