Re: Security hole in LXDE?

2017-03-25 Thread cbannister
On Mon, Feb 27, 2017 at 09:00:15PM +1100, Davor Balder wrote: > Hi Hans, > > Question 1 which one: stable, testing or unstable? IMHO if it's not stated then stable is to be assumed. Users who run testing/sid are generally expected to have some degree of troubleshooting knowledge (the clue is in

Re: [SOLVED] Re: Security hole in LXDE?

2017-03-07 Thread Brian
On Tue 07 Mar 2017 at 09:05:03 +0100, to...@tuxteam.de wrote: > On Mon, Mar 06, 2017 at 08:53:39PM +0000, Brian wrote: > > [...] > > > I'll reconstruct my previous response. If there is no root password, > > (a bad idea, see my other post) > > > sudo is installed and the "first user" is put

Re: [SOLVED] Re: Security hole in LXDE?

2017-03-07 Thread tomas
On Mon, Mar 06, 2017 at 08:53:39PM +0000, Brian wrote: [...] > I'll reconstruct my previous response. If there is no root password, (a bad idea, see my other post) > sudo is installed and the "first user" is put into the sudo group. I've no proof

Re: [SOLVED] Re: Security hole in LXDE?

2017-03-07 Thread tomas
On Mon, Mar 06, 2017 at 08:58:25PM +0000, Joe wrote: [...] > A member of the sudo group has permanent root privileges. He might as > well simply login as root every day, and not bother with another user. Sorry, I've to disagree. It's a question of

Re: [SOLVED] Re: Security hole in LXDE?

2017-03-06 Thread Joe
On Mon, 6 Mar 2017 20:47:50 +0000 (UTC) Curt wrote: > On 2017-03-06, Joe wrote: > > > > Who said anything about lpadmin? The question is about the wisdom of > > automatically including someone in the sudo group, which in a > > default Debian sudoers file,

Re: [SOLVED] Re: Security hole in LXDE?

2017-03-06 Thread Brian
On Mon 06 Mar 2017 at 19:57:25 +0000, Joe wrote: > On Mon, 6 Mar 2017 19:36:40 +0000 > Brian wrote: > > > On Mon 06 Mar 2017 at 18:59:18 +0000, Joe wrote: > > > > > On Mon, 6 Mar 2017 13:40:45 -0500 > > > Greg Wooledge wrote: > > > > > > > On Mon,

Re: [SOLVED] Re: Security hole in LXDE?

2017-03-06 Thread Curt
On 2017-03-06, Joe wrote: > > Who said anything about lpadmin? The question is about the wisdom of > automatically including someone in the sudo group, which in a default > Debian sudoers file, gives full root privileges to everything, using the > user's password. > > We have

Re: [SOLVED] Re: Security hole in LXDE?

2017-03-06 Thread Joe
On Mon, 6 Mar 2017 19:36:40 +0000 Brian wrote: > On Mon 06 Mar 2017 at 18:59:18 +0000, Joe wrote: > > > On Mon, 6 Mar 2017 13:40:45 -0500 > > Greg Wooledge wrote: > > > > > On Mon, Mar 06, 2017 at 06:31:46PM +0000, Joe wrote: > > > > Debian

Re: [SOLVED] Re: Security hole in LXDE?

2017-03-06 Thread GiaThnYgeia
Greg Wooledge: > On Mon, Mar 06, 2017 at 06:31:46PM +0000, Joe wrote: >> Debian appears to use the group 'sudo' as an administrative group, >> where some other distributions use 'wheel'. >> >> I would not have thought that users would be added to it by default, >> there are no members on my

Re: [SOLVED] Re: Security hole in LXDE?

2017-03-06 Thread Brian
On Mon 06 Mar 2017 at 18:59:18 +0000, Joe wrote: > On Mon, 6 Mar 2017 13:40:45 -0500 > Greg Wooledge wrote: > > > On Mon, Mar 06, 2017 at 06:31:46PM +0000, Joe wrote: > > > Debian appears to use the group 'sudo' as an administrative group, > > > where some other

Re: [SOLVED] Re: Security hole in LXDE?

2017-03-06 Thread Joe
On Mon, 6 Mar 2017 13:40:45 -0500 Greg Wooledge wrote: > On Mon, Mar 06, 2017 at 06:31:46PM +0000, Joe wrote: > > Debian appears to use the group 'sudo' as an administrative group, > > where some other distributions use 'wheel'. > > > > I would not have thought that users

Re: [SOLVED] Re: Security hole in LXDE?

2017-03-06 Thread Greg Wooledge
On Mon, Mar 06, 2017 at 06:31:46PM +0000, Joe wrote: > Debian appears to use the group 'sudo' as an administrative group, > where some other distributions use 'wheel'. > > I would not have thought that users would be added to it by default, > there are no members on my sid/xfce4 workstation.

Re: [SOLVED] Re: Security hole in LXDE?

2017-03-06 Thread Joe
On Mon, 06 Mar 2017 18:28:25 +0100 Hans wrote: > Closing my first report. When I deleted the user from the group > "sudo", everything worked back as normal. > > Debian appears to use the group 'sudo' as an administrative group, where some other distributions use 'wheel'.

[SOLVED] Re: Security hole in LXDE?

2017-03-06 Thread Hans
Closing my first report. When I deleted the user from the group "sudo", everything worked back as normal. However, IMO the user must additionally be in /etc/sudoers to get the described behaviour working. What is sure: Either KDE or LXDE gave me the opportunity (by using the root password),

Re: Security hole in LXDE?

2017-03-02 Thread tomas
On Thu, Mar 02, 2017 at 08:01:38AM -0600, David Wright wrote: [...] > If you're trying to clarify things, you have to tighten that up > considerably. Any regular user can start synaptics without a password, > as I already posted in this thread.

Re: Security hole in LXDE?

2017-03-02 Thread tomas
On Thu, Mar 02, 2017 at 02:32:19PM +0100, Hans wrote: [snip snip] OK, given your answers, the recommended path would be to remove your user (hans) from group sudo, perhaps so: deluser hans sudo (you've to be root for that, perhaps with -ahem-

Re: Security hole in LXDE?

2017-03-02 Thread David Wright
On Thu 02 Mar 2017 at 14:12:59 (+0100), to...@tuxteam.de wrote: > On Thu, Mar 02, 2017 at 01:19:00PM +0100, Hans wrote: > > Hi Tomas > > > Hm. I'm not sure I've got that one right. Who has allowed the standard > > > user to execute applications with root rights? How? > > It was me, having been

Re: Security hole in LXDE?

2017-03-02 Thread Hans
> OK, to recap: you started synaptics (as regular user), and for the first > time you were asked a password. You gave the root (not the user's) > password, and from then on you could start synaptics as a regular user > without having to enter a password. Is that right? > Correct. However, this is

Re: Security hole in LXDE?

2017-03-02 Thread tomas
On Thu, Mar 02, 2017 at 01:19:00PM +0100, Hans wrote: > Hi Tomas > > Hm. I'm not sure I've got that one right. Who has allowed the standard > > user to execute applications with root rights? How? > It was me, having been asked for the root password

Re: Security hole in LXDE?

2017-03-02 Thread Hans
Hi Tomas > Hm. I'm not sure I've got that one right. Who has allowed the standard > user to execute applications with root rights? How? It was me: having been asked for the root password and (of course) having given the correct one, I allowed the user to start applications with root rights (besides,

Re: Security hole in LXDE?

2017-03-02 Thread tomas
On Thu, Mar 02, 2017 at 11:40:10AM +0100, Hans wrote: > Checked my system again. > It looks like I have allowed the standard user to execute applications like > synaptic with root rights. I know, this is going to be asked in KDE, when you > start a

Re: Security hole in LXDE?

2017-03-02 Thread Hans
Checked my system again. It looks like I have allowed the standard user to execute applications like synaptic with root rights. I know, this is going to be asked in KDE, when you start a higher privileged application as a normal user. You can then decide (as root), if the user is allowed to

Re: Security hole in LXDE?

2017-02-28 Thread Lisi Reisz
On Tuesday 28 February 2017 17:45:57 David Wright wrote: > Both aptitude and synaptic can run by an ordinary user, and it's a > very safe way to run them when you don't yet fully understand their > abilities. To extend for the sake of pedantic ultra-clarity, and not to contradict: aptitude can

Re: Security hole in LXDE?

2017-02-28 Thread David Wright
On Tue 28 Feb 2017 at 12:31:00 (+), GiaThnYgeia wrote: > As a user and as I understand it you should not be able to make > system-wide changes and many packages affect other parts of the system. > A user can install and run any package that does not affect the system, > as a stand alone. The

Re: Security hole in LXDE?

2017-02-28 Thread David Wright
On Tue 28 Feb 2017 at 11:02:14 (+0100), Hans wrote: > I am not sure, if I some day allowed the normal user to start synaptic as a > normal user. Sometimes this option is offered at the first start. I wouldn't know how to _prevent_ an ordinary user from running synaptic by typing

Re: Security hole in LXDE?

2017-02-28 Thread GiaThnYgeia
As a user and as I understand it you should not be able to make system-wide changes and many packages affect other parts of the system. A user can install and run any package that does not affect the system, as a stand alone. The system as a whole must be maintained by the sysadmin for all users.

Re: Security hole in LXDE?

2017-02-28 Thread Hans
I am not sure, if I some day allowed the normal user to start synaptic as a normal user. Sometimes this option is offered at the first start. If I have done this (which I was at that moment willing to do), where do I have to look, to make this thing back to normal? Please note, that I am not

Re: Security hole in LXDE?

2017-02-27 Thread David Wright
On Mon 27 Feb 2017 at 11:13:00 (+), GiaThnYgeia wrote: > testingAmd64LXDE > > I have never, not once, been able to run synaptic in any similar system > without a root or a sudo password. Not to execute a command, just to > get the gui up you need a password. Why would that be? You should be

Re: Security hole in LXDE?

2017-02-27 Thread GiaThnYgeia
Hans: > Hi, > I am just clicking in LXDE menu on the icon to start, then a popup menu opens > and asks for my password (the user password NOT root) and I can install just But is that user a member in the sudo group? I had to use root till I added the user to the group > Best > > Hans >> >>

Re: Security hole in LXDE?

2017-02-27 Thread Pontus Goffe
On 2017-02-27 at 12:20, Hans wrote: If so, then why not working so in KDE? And if this is intended, then this is a bug and a security hole, which should be fixed. Hans A fresh vanilla install of testing with LXDE installs both sudo and gksu. Without configuring any, starting synaptic from

Re: Security hole in LXDE?

2017-02-27 Thread Joe
On Mon, 27 Feb 2017 12:20:50 +0100 Hans wrote: > > Check how synaptic is being started by the menu entry. Typically, > > synaptic will be started by /usr/bin/synaptic-pkexec, which uses > > policykit to authorise an effective su for a normal user. The > > executable

Re: Security hole in LXDE?

2017-02-27 Thread Hans
> Check how synaptic is being started by the menu entry. Typically, > synaptic will be started by /usr/bin/synaptic-pkexec, which uses > policykit to authorise an effective su for a normal user. The executable > synaptic is in /usr/sbin, so will probably not work from a menu. Yes, it is as you

Re: Security hole in LXDE?

2017-02-27 Thread GiaThnYgeia
testingAmd64LXDE I have never, not once, been able to run synaptic in any similar system without a root or a sudo password. Not to execute a command, just to get the gui up you need a password. I don't know whether creating a user with 100% admin privileges will still require a pass or not, I

Re: Security hole in LXDE?

2017-02-27 Thread Joe
On Mon, 27 Feb 2017 10:19:47 +0100 Hans wrote: > Hi folks, > > on my system (debian-amd64/testing) I can start Synaptic as a normal > user, just by using the user password. In KDE this is not possible, > there I need the root password. > > I do not have sudo in use. > >

Re: Security hole in LXDE?

2017-02-27 Thread Hans
On Monday, 27 February 2017, 21:00:15 CET, Davor Balder wrote: > Hi Hans, > > Question 1 which one: stable, testing or unstable? testing/amd64 > > Generally (to aid in your investigation): > I did, but found nothing unusual. If no one can confirm this, it is a problem on my system! Hans

Re: Security hole in LXDE?

2017-02-27 Thread Hans
Hi, I am just clicking in LXDE menu on the icon to start, then a popup menu opens and asks for my password (the user password NOT root) and I can install just as I am root. Best Hans > > What, exactly, do you do to start synaptic? Click on something, or run a > command in a terminal? What

Re: Security hole in LXDE?

2017-02-27 Thread Davor Balder
Hi Hans, Question 1 which one: stable, testing or unstable? Generally (to aid in your investigation): 1.) It may be a good idea just to recheck your sudo settings first (/etc/sudoers). (relevant uncommented setting on this system: ## ## User privilege specification ## root ALL=(ALL) ALL 2.)

Re: Security hole in LXDE?

2017-02-27 Thread Jonathan Dowland
On Mon, Feb 27, 2017 at 10:19:47AM +0100, Hans wrote: > Hi folks, > > on my system (debian-amd64/testing) I can start Synaptic as a normal user, > just by using the user password. In KDE this is not possible, there I need > the > root password. > > I do not have sudo in use. What, exactly,

Security hole in LXDE?

2017-02-27 Thread Hans
Hi folks, on my system (debian-amd64/testing) I can start Synaptic as a normal user, just by using the user password. In KDE this is not possible, there I need the root password. I do not have sudo in use. As I do not know, if this is a problem on my system (I have no second one to confirm