Web lists-archives.com

Re: Security hole in LXDE?




-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, Mar 02, 2017 at 01:19:00PM +0100, Hans wrote:
> Hi Tomas
> > Hm. I'm not sure I've got that one right. Who has allowed the standard
> > user to execute applications with root rights? How?
> It was me, beeing haven asked by of the root password and (of course) gave the 
> correct one, I allowed the user, to start applications with root rights 

OK, to recap: you started synaptics (as regular user), and for the first time
you were asked a password. You gave the root (not the user's) password, and
from then on you could start synaptics as a regular user without having to
enter a password. Is that right?
 
> (besides, I am the user and root, as i is my personal computer)

Yes, I get that. That's (more or less) how most of us do things.

> > > I also found out, that the user is in group "sudo", but got no entry in
> > > /etc/ sudoers.
> > 
> > Again: who "got no entry in /etc/sudoers"? The user in question? Or the
> > group "sudo"?
> 
> It is the user, whom I allowed, to the above.

OK, let me summarize that:

 - there is a file /etc/sudoers
 - the "user" (let's call him "hans") has *no* entry in /etc/sudoers

Is that right?

That would be a typical setup (on my box it is exactly like that). The
group sudo is in the /etc/sudoers, and you give users sudo powers by
adding them to the sudo group. Typically things are set up in a way
that the user has still to enter *her* password. You can easily check
which groups a user is in with the "groups" command. In my box:

  tomas@rasputin:~$ groups tomas
  tomas : tomas cdrom floppy sudo audio dip video plugdev scanner netdev bluetooth kvm

With this setup (and supposed /etc/sudoers has this:

  # Allow members of group sudo to execute any command
  %sudo   ALL=(ALL:ALL) ALL

I can use sudo like so:

  tomas@rasputin:~$ sudo ls
  [sudo] password for tomas: 
  33c3              fr               letters [...]

Note that it asked me for a password. My password (not root). You can configure
/etc/sudoers to *not* ask for a password, to do it only for certain commands
and tons of other things (cf. man 5 sudoers). Sudo remembers whithin a session,
and for a limited time (default is 15 minutes) the password given, so next
command won't ask you, if you are quick enough. Can be changed in /etc/sudoers.

> > > Seems so. I'm still confused: I don't know whether the desktop environment
> > is the one granting you root privileges (I can't help with that; I don't
> > "do" desktop environments) or whether it is sudo (or whether it is the
> > DE based on the sudo settings).
> 
> No, no, the desktop just edits the settings, after a correct given root 
> password, to start the special applications with root right sin future times.

You mean: the desktop edits /etc/sudoers? I have had many reasons to kick
DEs out of my box many years ago, but this would be one reason more :-(

Are you sure?

> > The sudo part is pretty easy to find out (no clickety way, sorry). Try,
> > in a shell those two things:
> > 
> >   sudo ls
> > 
> 
> Gives the same als "ls".

Without being asked for *any* password? Sudo supports that (NOPASSWD), but
it's not the default.

OK. Then obviously you have sudoers running, (1) your user (hans) is allowed
sudo (most probably via its group) and (2) either you have a NOPASSWD policy,
or (3) the credentials are cached from a previous successful sudo. If you
opened your shell explicitly for this experiment, that would almost surely
rule out (3).

> >   sudo synaptic
> sudo synaptic
> sudo: Hostname protheus1 kann nicht aufgelöst werden
> No protocol specified
> Unable to init server: Verbindung ist gescheitert:Verbindungsaufbau abgelehnt
> 
> (synaptic:25373): Gtk-WARNING **: cannot open display: :0

That's funny, but hasn't to do with our current problem. Probably sudo, by
stripping the environment, has dropped some vital environment variable
(f. ex. http_proxy or something). Might be fixable by invoking "sudo -E",
but let's forget about that for now, to not get side-tracked.

> > What happens in each case? Do you get a password prompt? Is synaptic
> > started in user mode or in root mode?
> > 
> 
> No, as it is not root's environment, but the users one. However, su -p does 
> the trick.

Heh. So we reach the same conclusion.

> > > So, my question: How can I get this all back. A graphical solution is
> > > preferred, of course I knnow, I can edit /etc/groups and other things
> > > manually. But if there is a "clicky"-way, this will be preferred.
> > 
> > Be careful when editing /etc/groups. There are things for that like
> > adduser and addgroup. To remove your user from group sudo:
> > 
> >   sudo deluser <username> sudo
> > 
> > Whether that helps or not depends on all of the above, of course :-)
> > 
> > But **first of all** you've got to get clear on what you want:
> > 
> >   - shall the regular user not be able to call synaptic in
> >     "root mode" _at all_?
> > 
> 
> The user shall not be able to start any application of with root rights. 

Never? Then removing (hans) from the sudo group seems to be the most
"standard" way of achieving that.

> >   - yes, but only after entering root password?

> Exactly.

Now I'm confused. This contradicts the above. Perhaps you mean that the
user has to *login as root*. Sudo has the possibility to ask the root
password from the regular user instead of her own password (see the
rootpw, targetpw and runaspw flags in the sudoers(5) man page for all
the details).

> >   - yes, but only after entering her password?
> > 
> No, this is the actual situation.

Aha. But the user password is still necessary?

OK. Perhaps you just prefer the "classic" su behaviour and don't need
sudo at all (still: I'd recommend getting used to sudo. I don't embrace
every novelty, but this one was, after getting used, quite nice). But
hey, it's your toolbox :)

So just de-installing sudo might be an option for you (make sure your
package manager doesn't want to throw away half of your system -- I've
no idea what packages depend on sudo).

regards
- -- tomás
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAli4GlsACgkQBcgs9XrR2kZmuACfSAENI16jGZon0sraaHPYRUMJ
190AnAh6IRc1ZUkMiZLWzoqLIyWE1b1A
=y4yp
-----END PGP SIGNATURE-----