Web lists-archives.com

Re: Security hole in LXDE?

On Thu 02 Mar 2017 at 14:12:59 (+0100), tomas@xxxxxxxxxx wrote:
> On Thu, Mar 02, 2017 at 01:19:00PM +0100, Hans wrote:
> > Hi Tomas
> > > Hm. I'm not sure I've got that one right. Who has allowed the standard
> > > user to execute applications with root rights? How?
> > It was me: having been asked for the root password and (of course) having given the 
> > correct one, I allowed the user to start applications with root rights 
> 
> OK, to recap: you started synaptic (as regular user), and for the first time
> you were asked a password. You gave the root (not the user's) password, and
> from then on you could start synaptic as a regular user without having to
> enter a password. Is that right?

If you're trying to clarify things, you have to tighten that up
considerably. Any regular user can start synaptic without a password,
as I already posted in this thread.

I can guess what you mean, and I don't think that is what happened.
(What I _think_ you mean is that by using the root password in that
situation on one occasion, the system has "remembered", and now you
don't need the password any more. I don't think that happened. I think
the OP configured something at an earlier time and has forgotten.)

> > (besides, I am the user and root, as it is my personal computer)
> 
> Yes, I get that. That's (more or less) how most of us do things.
> 
> > > > I also found out, that the user is in group "sudo", but got no entry in
> > > > /etc/sudoers.
> > > 
> > > Again: who "got no entry in /etc/sudoers"? The user in question? Or the
> > > group "sudo"?
> > 
> > It is the user whom I allowed to do the above.
> 
> OK, let me summarize that:
> 
>  - there is a file /etc/sudoers
>  - the "user" (let's call him "hans") has *no* entry in /etc/sudoers
> 
> Is that right?
> 
> That would be a typical setup (on my box it is exactly like that). The
> group sudo is in the /etc/sudoers, and you give users sudo powers by
> adding them to the sudo group. Typically things are set up in a way
> that the user has still to enter *her* password. You can easily check
> which groups a user is in with the "groups" command. In my box:
> 
>   tomas@rasputin:~$ groups tomas
>   tomas : tomas cdrom floppy sudo audio dip video plugdev scanner netdev bluetooth kvm
> 
> With this setup, and supposing /etc/sudoers has this:
> 
>   # Allow members of group sudo to execute any command
>   %sudo   ALL=(ALL:ALL) ALL
> 
> I can use sudo like so:
> 
>   tomas@rasputin:~$ sudo ls
>   [sudo] password for tomas: 
>   33c3              fr               letters [...]
> 
> Note that it asked me for a password. My password (not root). You can configure
> /etc/sudoers to *not* ask for a password, to do it only for certain commands
> and tons of other things (cf. man 5 sudoers). Sudo remembers within a session,
> and for a limited time (default is 15 minutes), the password given, so the next
> command won't ask you, if you are quick enough. Can be changed in /etc/sudoers.
> 
> > > Seems so. I'm still confused: I don't know whether the desktop environment
> > > is the one granting you root privileges (I can't help with that; I don't
> > > "do" desktop environments) or whether it is sudo (or whether it is the
> > > DE based on the sudo settings).
> > 
> > No, no, the desktop just edits the settings, after a correctly given root 
> > password, to start the special applications with root rights in future.
> 
> You mean: the desktop edits /etc/sudoers? I have had many reasons to kick
> DEs out of my box many years ago, but this would be one reason more :-(
> 
> Are you sure?
> 
> > > The sudo part is pretty easy to find out (no clickety way, sorry). Try,
> > > in a shell those two things:
> > > 
> > >   sudo ls
> > > 
> > 
> > Gives the same as "ls".
> 
> Without being asked for *any* password? Sudo supports that (NOPASSWD), but
> it's not the default.
> 
> OK. Then obviously you have sudoers running, (1) your user (hans) is allowed
> sudo (most probably via its group) and (2) either you have a NOPASSWD policy,
> or (3) the credentials are cached from a previous successful sudo. If you
> opened your shell explicitly for this experiment, that would almost surely
> rule out (3).
> 
> > >   sudo synaptic
> > sudo synaptic
> > sudo: Hostname protheus1 kann nicht aufgelöst werden
> > No protocol specified
> > Unable to init server: Verbindung ist gescheitert:Verbindungsaufbau abgelehnt
> > 
> > (synaptic:25373): Gtk-WARNING **: cannot open display: :0
> 
> That's funny, but has nothing to do with our current problem. Probably sudo, by
> stripping the environment, has dropped some vital environment variable
> (f. ex. http_proxy or something). Might be fixable by invoking "sudo -E",
> but let's forget about that for now, to not get side-tracked.
> 
> > > What happens in each case? Do you get a password prompt? Is synaptic
> > > started in user mode or in root mode?
> > > 
> > 
> > No, as it is not root's environment, but the user's one. However, su -p does 
> > the trick.
> 
> Heh. So we reach the same conclusion.
> 
> > > > So, my question: How can I get this all back. A graphical solution is
> > > > preferred, of course I know, I can edit /etc/groups and other things
> > > > manually. But if there is a "clicky"-way, this will be preferred.
> > > 
> > > Be careful when editing /etc/groups. There are things for that like
> > > adduser and addgroup. To remove your user from group sudo:
> > > 
> > >   sudo deluser <username> sudo
> > > 
> > > Whether that helps or not depends on all of the above, of course :-)
> > > 
> > > But **first of all** you've got to get clear on what you want:
> > > 
> > >   - shall the regular user not be able to call synaptic in
> > >     "root mode" _at all_?
> > > 
> > 
> > The user shall not be able to start any application with root rights. 
> 
> Never? Then removing (hans) from the sudo group seems to be the most
> "standard" way of achieving that.

Yes, that would be reverting to the default state, ie sudo:x:27:
in /etc/group.

> > >   - yes, but only after entering root password?
> 
> > Exactly.
> 
> Now I'm confused. This contradicts the above. Perhaps you mean that the
> user has to *login as root*. Sudo has the possibility to ask the root
> password from the regular user instead of her own password (see the
> rootpw, targetpw and runaspw flags in the sudoers(5) man page for all
> the details).
> 
> > >   - yes, but only after entering her password?
> > > 
> > No, this is the actual situation.
> 
> Aha. But the user password is still necessary?
> 
> OK. Perhaps you just prefer the "classic" su behaviour and don't need
> sudo at all (still: I'd recommend getting used to sudo. I don't embrace
> every novelty, but this one was, after getting used, quite nice). But
> hey, it's your toolbox :)
> 
> So just de-installing sudo might be an option for you (make sure your
> package manager doesn't want to throw away half of your system -- I've
> no idea what packages depend on sudo).

I think I would lose the ability to configure wifi APs as a user
if I lost sudo.

But I can't see that there's any point in removing sudo if you
. add no one to group sudo
. add nothing to /etc/sudoers.d/
. add nothing to /etc/sudoers

Would I be right?

BTW one thing I don't understand about sudo is why
/etc/sudoers.d/README is not world-readable.

Cheers,
David.
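As an added example (not code from this thread), an offline audit of the points raised above: it reads constructed samples standing in for /etc/group and /etc/sudoers and reports who can invoke sudo, which rules carry NOPASSWD, and the credential cache lifetime tomas mentions. It assumes `#include`/`#includedir` lines are plain comments, so rules under /etc/sudoers.d are not followed.

```shell
#!/bin/sh
# Offline audit of group "sudo" membership, NOPASSWD rules and timestamp_timeout.
# The two variables below are constructed samples; on a real box you would feed
# /etc/group and (as root) /etc/sudoers to the same functions via stdin.

SAMPLE_GROUP='root:x:0:
sudo:x:27:hans
audio:x:29:hans,tomas'

SAMPLE_SUDOERS='# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL
Defaults        timestamp_timeout=5
# a per-user rule of the kind a desktop tool might have written
hans    ALL=(ALL) NOPASSWD: /usr/sbin/synaptic'

# Member list of group $1 from group-file text on stdin ("" = the default state sudo:x:27:).
group_members() {
    awk -F: -v g="$1" '$1 == g { print $4 }'
}

# Groups containing user $1, one per line, from group-file text on stdin.
groups_of() {
    awk -F: -v u="$1" '{ n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }'
}

# Sudoers rules (comments and #include lines stripped) that carry a NOPASSWD tag.
nopasswd_rules() {
    sed 's/#.*//' | grep NOPASSWD || true
}

# Credential cache lifetime in minutes from sudoers text on stdin; sudo's default is 15.
cache_minutes() {
    v=$(sed 's/#.*//' | sed -n 's/^[[:space:]]*Defaults.*timestamp_timeout=\([0-9][0-9]*\).*/\1/p' | tail -n 1)
    echo "${v:-15}"
}

# True if user $1 can invoke sudo: a direct rule, or membership in a group that has a %group rule.
can_sudo() {
    user=$1 grp_text=$2 sudoers_text=$3
    printf '%s\n' "$sudoers_text" | sed 's/#.*//' | grep -qE "^[[:space:]]*$user[[:space:]]" && return 0
    for g in $(printf '%s\n' "$grp_text" | groups_of "$user"); do
        printf '%s\n' "$sudoers_text" | sed 's/#.*//' | grep -qE "^[[:space:]]*%$g[[:space:]]" && return 0
    done
    return 1
}

printf 'sudo group members: [%s]\n' "$(printf '%s\n' "$SAMPLE_GROUP" | group_members sudo)"
printf 'NOPASSWD rules:\n%s\n' "$(printf '%s\n' "$SAMPLE_SUDOERS" | nopasswd_rules)"
printf 'credential cache: %s minutes\n' "$(printf '%s\n' "$SAMPLE_SUDOERS" | cache_minutes)"
```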