Re: Security hole in LXDE?
- Date: Thu, 02 Mar 2017 14:32:19 +0100
- From: Hans <hans.ullrich@xxxxxxx>
- Subject: Re: Security hole in LXDE?
> OK, to recap: you started synaptics (as regular user), and for the first
> time you were asked a password. You gave the root (not the user's)
> password, and from then on you could start synaptics as a regular user
> without having to enter a password. Is that right?
Correct. Howver, this is an implemented option, to allow normal users to start
applications with root rights. Note: Root has to allow this!
> - there is a file /etc/sudoers
> - the "user" (let's call him "hans") has *no* entry in /etc/sudoers
> Is that right?
Correct. The user "hans" has no entry in /etc/sudoers. Note, that the user
hans is in group "sudo".
hans lp uucp dialout cdrom floppy sudo audio dip video plugdev games users
powerdev debian-tor netdev scanner wireshark kismet
> That would be a typical setup (on my box it is exactly like that). The
> group sudo is in the /etc/sudoers, and you give users sudo powers by
> adding them to the sudo group. Typically things are set up in a way
> that the user has still to enter *her* password. You can easily check
> which groups a user is in with the "groups" command. In my box:
> tomas@rasputin:~$ groups tomas
> tomas : tomas cdrom floppy sudo audio dip video plugdev scanner netdev
> bluetooth kvm
> With this setup (and supposed /etc/sudoers has this:
> # Allow members of group sudo to execute any command
> %sudo ALL=(ALL:ALL) ALL
> I can use sudo like so:
> tomas@rasputin:~$ sudo ls
> [sudo] password for tomas:
> 33c3 fr letters [...]
> Note that it asked me for a password. My password (not root). You can
> configure /etc/sudoers to *not* ask for a password, to do it only for
> certain commands and tons of other things (cf. man 5 sudoers). Sudo
> remembers whithin a session, and for a limited time (default is 15 minutes)
> the password given, so next command won't ask you, if you are quick enough.
> Can be changed in /etc/sudoers.
Just take a look at my sudoers (it is not secret)
---- snip ----
# This file MUST be edited with the 'visudo' command as root.
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
# See the man page for details on how to write a sudoers file.
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "#include" directives:
> You mean: the desktop edits /etc/sudoers? I have had many reasons to kick
> DEs out of my box many years ago, but this would be one reason more :-(
> Are you sure?
Dunno. I mean more, the desdktop is changing settings.
> it's not the default.
> OK. Then obviously you have sudoers running, (1) your user (hans) is allowed
> sudo (most probably via its group) and (2) either you have a NOPASSWD
> policy, or (3) the credentials are cached from a previous successful sudo.
> If you opened your shell explicitly for this experiment, that would almost
> surely rule out (3).
> That's funny, but hasn't to do with our current problem. Probably sudo, by
> stripping the environment, has dropped some vital environment variable
> (f. ex. http_proxy or something). Might be fixable by invoking "sudo -E",
> but let's forget about that for now, to not get side-tracked.
> Heh. So we reach the same conclusion.
> Never? Then removing (hans) from the sudo group seems to be the most
> "standard" way of achieving that.
> Now I'm confused. This contradicts the above. Perhaps you mean that the
> user has to *login as root*. Sudo has the possibility to ask the root
> password from the regular user instead of her own password (see the
> rootpw, targetpw and runaspw flags in the sudoers(5) man page for all
> the details).
> Aha. But the user password is still necessary?
That is correct. The user has to enter his own password.
> OK. Perhaps you just prefer the "classic" su behaviour and don't need
> sudo at all (still: I'd recommend getting used to sudo. I don't embrace
> every novelty, but this one was, after getting used, quite nice). But
> hey, it's your toolbox :)
> So just de-installing sudo might be an option for you (make sure your
> package manager doesn't want to throw away half of your system -- I've
> no idea what packages depend on sudo).
> -- tomás