Re: Security hole in LXDE?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, Mar 02, 2017 at 08:01:38AM -0600, David Wright wrote:

[...]

> If you're trying to clarify things, you have to tighten that up
> considerably. Any regular user can start synaptics without a password,
> as I already posted in this thread.

Yes. I was explicitly excluding DE authentication foo (like PolicyKit
and similar) -- first to explore the simpler sudo path and second,
because I'm definitely the wrong person to give advice related to
desktop environments. I know very little about them and... I don't
like them, to be honest.

> I can guess what you mean, and I don't think that is what happened.
> (What I _think_ you mean is that by using the root password in that
> situation on one occasion, the system has "remembered", and now you
> don't need the password any more. I don't think that happened. I think
> the OP configured something at an earlier time and has forgotten.)

I don't think either, and given Hans' last answer, it seems he has a
pretty standard sudo configuration, his user belonging to sudoers.
I don't remember whether that is Debian default or if you've to do
something explicitly to achieve that. I'd guess it's the latter, but
hey.

> I think I would lose the ability to configure wifi APs as a user
> if I lost sudo.

Perhaps. I don't know what PolicyKit is able to do -- the whole dance
around DBus would suggest that they want to have some communication
across privilege domains, so it seems to be geared to that, but what
do I know.

> But I can't see that there's any point in removing sudo if you
> . add no one to group sudo
> . add nothing to /etc/sudoers.d/
> . add nothing to /etc/sudoers
> 
> Would I be right?

Yes. I described removing the package sudo as the more drastic
variant, only when you want to avoid at all costs that a user be
added to the sudo group (or, more precisely: this would then have
no effect).

> BTW one thing I don't understand about sudo is why
> /etc/sudoers.d/README is not world-readable.

Funny. README, but you can't :-)

Seems a fairly harmless mistake, perhaps a too literal interpretation
of "/etc/sudoers and all files under /etc/sudoers.d are sensitive".

Better than the other way around, though.

Regards
- -- tomás
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAli4gUgACgkQBcgs9XrR2kZw+ACcC+b5ll9T+W8cEYKbg2Eud9LD
WoYAn3W69gajGVIMO+Va5LbFZ3aT2wJ/
=ne0W
-----END PGP SIGNATURE-----
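The three conditions David lists (nobody in group sudo, nothing in /etc/sudoers.d/, nothing beyond the stock rules in /etc/sudoers) are easy to state and easy to drift away from. The script below is an added example written for this archive page, not code from the thread or from the sudo project: it audits copies of a group(5) file, a sudoers.d directory and a sudoers file passed as arguments, so it can be run offline on exported files without touching the live system. It also flags any sudoers.d file whose mode is not 0440, which is how the README oddity mentioned above would show up. It assumes GNU `stat -c` (Linux); the sample group and sudoers contents in the usage note are constructed, not taken from any real host.

```shell
#!/bin/sh
# Added example: offline audit of a sudo configuration against copies of
# /etc/group, /etc/sudoers.d/ and /etc/sudoers. Assumes GNU coreutils
# (stat -c). All three functions print their findings and return 0 when
# nothing unexpected was found, 1 otherwise.

# Print the member list of group "sudo" from a group(5)-format file
# (fields: name:password:gid:member_list). Prints an empty line when the
# group has no members. Usage: sudo_group_members /path/to/group
sudo_group_members() {
    awk -F: '$1 == "sudo" { print $4 }' "$1"
}

# Return 0 when group "sudo" has no members, 1 otherwise.
check_sudo_group_empty() {
    members=$(sudo_group_members "$1")
    if [ -n "$members" ]; then
        echo "group sudo has members: $members"
        return 1
    fi
    return 0
}

# Report every regular file in a sudoers.d-style directory whose mode is
# not 0440 (the mode sudo's packaging uses). sudo itself only refuses
# files that are world-writable or not root-owned, so an overly
# permissive file still loads; this check is stricter on purpose.
check_sudoers_d_modes() {
    dir="$1"
    bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' "$f")
        if [ "$mode" != "440" ]; then
            echo "unexpected mode $mode on $f"
            bad=1
        fi
    done
    return $bad
}

# Count rules in a sudoers file other than comments, blank lines,
# Defaults lines, the stock "root ALL=(ALL:ALL) ALL" rule and the
# "%sudo ALL=(ALL:ALL) ALL" rule. Anything else is an extra grant the
# administrator should be able to account for.
count_extra_sudoers_rules() {
    grep -Evc '^[[:space:]]*(#|Defaults|root[[:space:]]|%sudo[[:space:]])|^[[:space:]]*$' "$1" || true
}

# Return 0 when the sudoers file carries no extra rules, 1 otherwise.
check_sudoers_stock() {
    n=$(count_extra_sudoers_rules "$1")
    if [ "$n" != "0" ]; then
        echo "$n extra rule(s) in $1:"
        grep -Ev '^[[:space:]]*(#|Defaults|root[[:space:]]|%sudo[[:space:]])|^[[:space:]]*$' "$1"
        return 1
    fi
    return 0
}

# Run all three checks. Usage: audit_sudo GROUPFILE SUDOERS_D_DIR SUDOERS
audit_sudo() {
    rc=0
    check_sudo_group_empty "$1" || rc=1
    check_sudoers_d_modes "$2" || rc=1
    check_sudoers_stock "$3" || rc=1
    return $rc
}
```

Typical use on a live Debian box is `audit_sudo /etc/group /etc/sudoers.d /etc/sudoers` as root (the files are 0440 root-owned, so an unprivileged caller cannot read them; that is the same permission that makes the README unreadable). A clean run prints nothing and exits 0; anything printed is either a grant you made deliberately or the drift the thread is worried about.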