Re: Security hole in LXDE?
- Date: Thu, 2 Mar 2017 21:32:08 +0100
- From: <tomas@xxxxxxxxxx>
- Subject: Re: Security hole in LXDE?
-----BEGIN PGP SIGNED MESSAGE-----
On Thu, Mar 02, 2017 at 08:01:38AM -0600, David Wright wrote:
> If you're trying to clarify things, you have to tighten that up
> considerably. Any regular user can start synaptics without a password,
> as I already posted in this thread.
Yes. I was explicitly excluding DE authentication foo (like PolicyKit
and similar) -- first to explore the simpler sudo path and second,
because I'm definitely the wrong person to give advice related to
desktop environments. I know very little about them and... I don't
like them, to be honest.
> I can guess what you mean, and I don't think that is what happened.
> (What I _think_ you mean is that by using the root password in that
> situation on one occasion, the system has "remembered", and now you
> don't need the password any more. I don't think that happened. I think
> the OP configured something at an earlier time and has forgotten.)
I don't think either, and given Hans' last answer, it seems he has a
pretty standard sudo configuration, his user belonging to sudoers.
I don't remember whether that is Debian default or if you've to do
something explicitly to achieve that. I'd guess it's the latter, but
> I think I would lose the ability to configure wifi APs as a user
> if I lost sudo.
Perhaps. I don't know what PolicyKit is able to do -- the whole dance
around DBus would suggest that they want to have some communication
across privilege domains, so it seems to be geared to that, but what
do I know.
> But I can't see that there's any point in removing sudo if you
> . add noone to group sudo
> . add nothing to /etc/sudoers.d/
> . add nothing to /etc/sudoers
> Would I be right?
Yes. I described removing the package sudo as the more drastic
variant, only when you want to avoid at all costs that a user be
added to the sudo group (or, more precisely: this would then have
> BTW one thing I don't understand about sudo is why
> /etc/sudoers.d/README is not world-readable.
Funny. README, but you can't :-)
Seems a fairly harmless mistake, perhaps a too literal interpretation
of "/etc/sudoers and all files under /etc/sudoers.d are sensitive".
Better than the other way around, though.
-- tomás
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
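The three sources of sudo rights that the quoted reply lists (group sudo, /etc/sudoers.d/, /etc/sudoers) are exactly what an administrator should enumerate before deciding whether removing the package would change anything. The script below is an added example and is not part of the thread; it audits those three places against a constructed /etc tree (the user names hans and alice, the group ids and the rules are all made up) so it runs without privileges. Pointing SUDO_AUDIT_ROOT at / as root inspects a real host instead.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: enumerate the three places
# where sudo rights can come from, as a defender would before touching the
# package. Runs on a constructed fake root by default; set SUDO_AUDIT_ROOT=/
# (as root) to inspect a real system. Names and rules in the fixture are made up.

set -u

# Build a constructed /etc tree mirroring a Debian-style sudo setup.
make_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/etc/sudoers.d"
  printf 'root:x:0:\nsudo:x:27:hans\nusers:x:100:\n' > "$root/etc/group"
  printf 'Defaults env_reset\n# root rule\nroot ALL=(ALL:ALL) ALL\n%%sudo ALL=(ALL:ALL) ALL\n' \
    > "$root/etc/sudoers"
  printf '# See sudoers(5) for details.\n' > "$root/etc/sudoers.d/README"
  printf 'alice ALL=(ALL) NOPASSWD: ALL\n' > "$root/etc/sudoers.d/alice"
  # 0440 is the mode Debian uses, which is why README is not world-readable.
  chmod 0440 "$root/etc/sudoers" "$root/etc/sudoers.d/README" "$root/etc/sudoers.d/alice"
  printf '%s\n' "$root"
}

# Source 1: members of group sudo, one per line (nothing printed if empty).
sudo_group_members() {
  awk -F: '$1 == "sudo" { print $4 }' "$1/etc/group" | tr ',' '\n' | sed '/^$/d'
}

# Effective grant lines of one sudoers-format file: drop comments, blank
# lines and Defaults, keep only the user/host specifications.
grant_lines() {
  grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' -e '^[[:space:]]*Defaults' "$1" || true
}

# Sources 2 and 3: /etc/sudoers plus every file in /etc/sudoers.d/ that sudo
# would actually include (sudo's includedir rule skips names containing '.'
# or ending in '~'). README is all comments, so it yields no grants.
sudoers_grants() {
  grant_lines "$1/etc/sudoers"
  for f in "$1"/etc/sudoers.d/*; do
    [ -f "$f" ] || continue
    case "${f##*/}" in *.*|*~) continue ;; esac
    grant_lines "$f"
  done
}

# Number of grant lines that apply to someone other than root.
nonroot_grant_count() {
  sudoers_grants "$1" | grep -v '^root[[:space:]]' | awk 'END { print NR }'
}

audit_report() {
  echo "== group sudo members =="
  sudo_group_members "$1"
  echo "== grant lines (sudoers + sudoers.d) =="
  sudoers_grants "$1"
  echo "== sudoers.d file modes =="
  ls -l "$1/etc/sudoers.d"
  if [ -z "$(sudo_group_members "$1")" ] && [ "$(nonroot_grant_count "$1")" -eq 0 ]; then
    echo "RESULT: no non-root sudo path configured; removing the package would change nothing"
  else
    echo "RESULT: non-root sudo path present (group membership and/or sudoers rules)"
  fi
}

audit_report "${SUDO_AUDIT_ROOT:-$(make_fixture)}"
```

With the fixture the report shows hans via group sudo and alice via a drop-in file, and only after both are gone and /etc/sudoers carries nothing but the root rule does it reach the "change nothing" verdict, which is the situation the quoted reply describes.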