Re: root password
Steven Stern wrote:
> I keep meaning to edit the sudo config files to block things like
>
>     sudo su -
>     sudo bash
>
> but I get lazy. Someday, this will bite me in the ***.

Note for anyone considering this: it’s virtually impossible to make this watertight, because there are too many ways for someone to get around it.

For example, what happens if someone creates a bash script and then runs it with sudo? Can people make sudo-run programs overwrite a program that they can then run with sudo, or a program that root will run normally? Can programs on the list be persuaded to run an editor or a shell?

You really need to start with a very short whitelist, and add to it as required.

James.

--
E-mail: james@     | It is a mistake to allow any mechanical object to realise
aprilcottage.co.uk | that you are in a hurry.
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
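The point made in the message above, as an added example that is not part of the original thread: a small audit pass over sudoers-style rules that flags "ALL minus a blacklist" grants, unrestricted grants, and allow-listed shells, editors or interpreters. The sample rules, user names, the `SHELL_CAPABLE` list and the simplified one-line parsing are all assumptions made for the example.

```python
import re

# Constructed, non-exhaustive list: programs that hand the caller a shell,
# an editor or a script interpreter when they are run through sudo.
SHELL_CAPABLE = {"su", "sh", "bash", "zsh", "ksh", "csh",
                 "vi", "vim", "emacs", "nano", "python", "perl", "ruby"}

ALIAS = re.compile(r"^Cmnd_Alias\s+(\w+)\s*=\s*(.+)$")
USER_SPEC = re.compile(r"^(\S+)\s+\S+\s*=\s*(.+)$")
# Optional "(runas)" and tags such as "NOPASSWD:" in front of a command.
PREFIX = re.compile(
    r"^(\([^)]*\)\s*)?((NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):\s*)*")


def expand(item, aliases):
    """Yield (negated, command) pairs for one comma-separated rule item."""
    item = PREFIX.sub("", item.strip(), count=1)
    negated = item.startswith("!")
    name = item.lstrip("!").strip()
    for cmd in aliases.get(name, [name]):
        yield negated, cmd


def audit(text):
    """Return (line number, user, finding) tuples for risky rules.

    Assumes one rule per line (no backslash continuations) and that '#'
    always starts a comment, which is enough for the sample below.
    """
    aliases, findings = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = ALIAS.match(line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
            continue
        m = USER_SPEC.match(line)
        if not m or m.group(1) == "Defaults" or m.group(1).endswith("_Alias"):
            continue
        who = m.group(1)
        cmds = [pair for item in m.group(2).split(",")
                for pair in expand(item, aliases)]
        allowed = [c for neg, c in cmds if not neg]
        denied = [c for neg, c in cmds if neg]
        if "ALL" in allowed:
            # "ALL, !something" is a blacklist: a copied or renamed shell,
            # or a script, is not on it, so it is no tighter than plain ALL.
            findings.append((lineno, who,
                             "blacklist" if denied else "unrestricted"))
            continue
        for c in allowed:
            path = c.split()[0]
            if path.rsplit("/", 1)[-1] in SHELL_CAPABLE:
                findings.append((lineno, who, "shell-capable:" + path))
    return findings


# Constructed sample rules, not taken from the thread.
SAMPLE = """\
# constructed sample
Cmnd_Alias SHELLS = /bin/su, /bin/bash, /bin/sh
steve   ALL = (ALL) ALL, !SHELLS
joe     ALL = (root) NOPASSWD: /usr/bin/vim /etc/httpd/conf/httpd.conf
amit    ALL = (root) /sbin/service httpd restart, sudoedit /etc/httpd/conf/httpd.conf
%wheel  ALL = (ALL) ALL
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The `amit` rule produces no finding because it names specific commands and uses `sudoedit` rather than running an editor as root; the audit only reports the patterns listed above and does not prove a rule safe.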
Re: root password
On 02/08/2012 02:49 PM, James Wilkinson wrote:
> Steven Stern wrote:
>> I keep meaning to edit the sudo config files to block things like
>>
>>     sudo su -
>>     sudo bash
>>
>> but I get lazy. Someday, this will bite me in the ***.
>
> Note for anyone considering this: it's virtually impossible to make this watertight, because there are too many ways for someone to get around it.
>
> For example, what happens if someone creates a bash script and then runs it with sudo? Can people make sudo-run programs overwrite a program that they can then run with sudo, or a program that root will run normally? Can programs on the list be persuaded to run an editor or a shell?
>
> You really need to start with a very short whitelist, and add to it as required.
>
> James.

Exactly. Don't give anyone sudo you wouldn't trust with root, yourself included.

--
-- Steve
Re: root password
On Mon, 2012-02-06 at 22:28 -0600, Steven Stern wrote:
> The right way is to boot into single user mode. These will also work if your account has sudo access
>
>     sudo su -
>
> or
>
>     sudo /etc/shadow
>
> and remove the root password, then login as root and reset the password
>
> or
>
>     sudo passwd root

Seems like you're all (the different solutions offered by various people) doing much more than you need to.

If you do manage to boot into the single user mode, you will be typing in a terminal as the root user. All you have to do, next, is use the passwd command by itself, and enter a new password. There's no need to su or sudo, nor edit any files where passwords are stored.

--
[tim@localhost ~]$ uname -r
2.6.27.25-78.2.56.fc9.i686

Don't send private replies to my address, the mailbox is ignored. I read messages from the public lists.
Re: root password
On 02/07/2012 04:01 AM, Tim wrote:
> On Mon, 2012-02-06 at 22:28 -0600, Steven Stern wrote:
>> The right way is to boot into single user mode. These will also work if your account has sudo access
>>
>>     sudo su -
>>
>> or
>>
>>     sudo /etc/shadow
>>
>> and remove the root password, then login as root and reset the password
>>
>> or
>>
>>     sudo passwd root
>
> Seems like you're all (the different solutions offered by various people) doing much more than you need to.
>
> If you do manage to boot into the single user mode, you will be typing in a terminal as the root user. All you have to do, next, is use the passwd command by itself, and enter a new password. There's no need to su or sudo, nor edit any files where passwords are stored.

Sometimes, one is not able to reboot.

--
-- Steve
Re: root password
On 07.02.2012 15:04, Steven Stern wrote:
>> Seems like you're all (the different solutions offered by various people) doing much more than you need to.
>>
>> If you do manage to boot into the single user mode, you will be typing in a terminal as the root user. All you have to do, next, is use the passwd command by itself, and enter a new password. There's no need to su or sudo, nor edit any files where passwords are stored.
>
> Sometimes, one is not able to reboot.

In which cases, if he owns the machine?

If he does not own it, it has reasons he has not the option, but in this case he is also not permitted to change root-pwd.

If you can not reboot because you forgot your root password and need it for reboot in your configuration, type sync and make a hard reboot, or do not forget your password.
Re: root password
On 02/07/2012 04:01 AM, Tim wrote:
> On Mon, 2012-02-06 at 22:28 -0600, Steven Stern wrote:
>
> Seems like you're all (the different solutions offered by various people) doing much more than you need to.
>
> If you do manage to boot into the single user mode, you will be typing in a terminal as the root user. All you have to do, next, is use the passwd command by itself, and enter a new password. There's no need to su or sudo, nor edit any files where passwords are stored.

One other small point - if you do edit the password files, you should use vipw. If you do not like using vi as an editor, you can specify the editor to use by setting $VISUAL or $EDITOR...

Mikkel
--
Do not meddle in the affairs of dragons, for thou art crunchy and taste good with Ketchup!
Re: root password
On 02/07/2012 02:01 AM, Tim wrote:
> There's no need to su or sudo, nor edit any files where passwords are stored.

The point is that the sudo trick will work (assuming that you have it set up) without booting into recovery mode.
Re: root password
On 02/07/2012 01:01 PM, Joe Zeff wrote:
> On 02/07/2012 02:01 AM, Tim wrote:
>> There's no need to su or sudo, nor edit any files where passwords are stored.
>
> The point is that the sudo trick will work (assuming that you have it set up) without booting into recovery mode.

I keep meaning to edit the sudo config files to block things like

    sudo su -
    sudo bash

but I get lazy. Someday, this will bite me in the ***.

--
-- Steve
Re: root password
On 02/07/2012 02:08 PM, Steven Stern wrote:
> I keep meaning to edit the sudo config files to block things like
>
>     sudo su -
>     sudo bash
>
> but I get lazy. Someday, this will bite me in the ***.

There's a much better, easier way to prevent that: don't activate sudo unless there are people using your box that need to do specific admin tasks but don't have the root password. And, if you do give them sudo access, limit it to the commands they actually need to be using because if you don't, giving them sudo access is exactly the same as giving out the root password.
Re: root password
On Tue, Feb 7, 2012 at 10:13 AM, Amit Rp amitr...@gmail.com wrote:
> I forgot the root password. Please advise whether there is any possibility of retrieving it?

Go into single user mode and when you are dropped into the prompt, you can change the root password.

See: https://docs.fedoraproject.org/en-US/Fedora/13/html/Installation_Guide/s1-rescuemode-booting-single.html

Harish
Re: root password
On Tue, Feb 07, 2012 at 07:43:37 +0530, Amit Rp amitr...@gmail.com wrote:
> I forgot the root password. Please advise whether there is any possibility of retrieving it?

It's normally easier to boot into single user mode and change it to something new than to try to recover it.
Re: root password
On Mon, Feb 6, 2012 at 9:14 PM, Bruno Wolff III br...@wolff.to wrote:
> On Tue, Feb 07, 2012 at 07:43:37 +0530, Amit Rp amitr...@gmail.com wrote:
>> I forgot the root password. Please advise whether there is any possibility of retrieving it?
>
> It's normally easier to boot into single user mode and change it to something new than to try to recover it.

100%. Yet another way is to boot off of a CD or USB stick and manually edit the /etc/shadow file in the root partition - but that is more cumbersome.

Boris.
Re: root password
On 02/06/2012 08:13 PM, Amit Rp wrote:
> I forgot the root password. Please advise whether there is any possibility of retrieving it?

The right way is to boot into single user mode. These will also work if your account has sudo access

    sudo su -

or

    sudo /etc/shadow

and remove the root password, then login as root and reset the password

or

    sudo passwd root

--
-- Steve
Re: root password
On 02/06/2012 06:47 PM, Boris Epstein wrote:
> On Mon, Feb 6, 2012 at 9:14 PM, Bruno Wolff III br...@wolff.to wrote:
>> On Tue, Feb 07, 2012 at 07:43:37 +0530, Amit Rp amitr...@gmail.com wrote:
>>> I forgot the root password. Please advise whether there is any possibility of retrieving it?
>>
>> It's normally easier to boot into single user mode and change it to something new than to try to recover it.
>
> 100%. Yet another way is to boot off of a CD or USB stick and manually edit the /etc/shadow file in the root partition - but that is more cumbersome.

Protip: If you're booting a cd or stick, no need to manually edit the target system's /etc/shadow. When you mount the system's / partition, chroot there, then just run passwd.

And honestly, chroot(1) is perfect for working on systems under different filesystem hierarchies. For example, I use it to update ltsp's nfs root on occasion:

    #
    # on the nfs server:
    # setarch i686 chroot /opt/ltsp/i386 /bin/bash

Fun, no? :)

-Scott

p.s. for even more fun, try wrapping your head around pivot_root(8)... :)
Re: root password prompts
Patrick O'Callaghan wrote:
> On Wed, 2010-05-26 at 14:48 -0500, Mike McCarty wrote:
>>> AFAIK this is a function of 'sudo'. It asks you the first time and remembers for a few minutes after. I've never seen this behaviour other than with sudo.
>>
>> Umm, perhaps you mean su. The sudo command does not prompt for the root password.
>
> No, I mean sudo. In the default config it prompts for the user's password.

But the OP asked about root password, not the user's password.

>> It doesn't remember the password. It makes an entry in a log with the epoch. When next invoked, sudo checks the latest entry, and if less than a certain amount of time has elapsed, simply goes on. If more than the time limit has elapsed, then it prompts, and makes a new entry.
>
> IOW it remembers it by logging it. How else would it do it except by recording it in a file?

I'm not interested in argumentation. It does not remember passwords, period.

Mike
--
p=p=%c%s%c;main(){printf(p,34,p,34);};main(){printf(p,34,p,34);}
Oppose globalization and One World Governments like the UN.
This message made from 100% recycled bits.
You have found the bank of Larn.
I speak only for myself, and I am unanimous in that!
Re: root password prompts
On 05/27/2010 11:47 AM, Mike McCarty wrote:
> Patrick O'Callaghan wrote:
>> IOW it remembers it by logging it. How else would it do it except by recording it in a file?
>
> I'm not interested in argumentation. It does not remember passwords, period.

I am not sure how you can declare that when it is obvious the functionality is there. Perhaps the argument here is about semantics.

Rahul
Re: root password prompts
Rahul Sundaram wrote:
> On 05/27/2010 11:47 AM, Mike McCarty wrote:
>> Patrick O'Callaghan wrote:
>>> IOW it remembers it by logging it. How else would it do it except by recording it in a file?
>>
>> I'm not interested in argumentation. It does not remember passwords, period.
>
> I am not sure how you can declare that when it is obvious the functionality is there. Perhaps the argument here is about semantics.

All programs which prompt for, and receive, passwords in clear text form go to extra lengths to make sure that they do NOT remember passwords in any form. They overwrite the input buffers used, for example. Any program which receives passwords in clear text and doesn't make sure not to remember the passwords should have its metaphorical wrist slapped, since it creates a potential security breach.

The fellow I responded to is contributing to a thread which concerns precise differences between how different tools handle security. He already wrote one inaccurate statement, from which I infer that he is not writing very clearly, and possibly not thinking very clearly, about what takes place when these programs run, to wit, implying that sudo prompts for root's password, which it does not. When I tried to read behind what he wrote, which was obviously inaccurate, and supposed that he meant su, he corrected me, reinforcing my belief that he was not giving due consideration to what he is writing.

As a consequence, since I've already been corrected when trying, inaccurately, to figure a way for his statements to make sense, I no longer intend to do so. I believe he means what he writes, but he isn't thinking clearly about what he writes. So, if it's inaccurate, it's inaccurate, and I'm not going to try to guess at what he might have meant, which might have been correct, but was not what he wrote. That is, if it makes a difference to the thread.

I'm not interested in egos, or posturing, or whatever. I just want to help someone who knows less about how these security programs work to understand better. That won't happen when inaccurate and unclear or ambiguous statements are being made.

I am not going to argue about anything. If he can show me where in the source sudo remembers passwords I'll recant. If he can't do that, then he should simply admit that he misspoke, and be a little more careful.

I'm not trying to save my ego, either, nor prove that I, or anyone else, is right or wrong. I just don't want to see inaccurate information spread, like sudo remembers passwords when it goes to some length to make sure that it does not.

Mike
Re: root password prompts
On 05/27/2010 12:09 AM, Tom Horsley wrote:
> I have seen claims on this list that the root password is remembered for a small amount of time so you don't keep getting asked. That has never worked for me, but I assumed it was just because I was running a non-standard session and was missing something.

Consolehelper and PolicyKit agent on specific instances do this. You will see a key icon on your system tray that you can click to make it forget immediately.

Rahul
Re: root password prompts
Rahul Sundaram wrote:

I'd appreciate it if you wouldn't CC me.

> On 05/27/2010 12:57 PM, Mike McCarty wrote:
>> All programs which prompt for, and receive, passwords in clear text form go to extra lengths to make sure that they do NOT remember passwords in any form
>
> Mike,
>
> Refer to the notes on password caching at
>
> http://www.wlug.org.nz/SudoHowto
>
> The default is 5 minutes of caching.

I'm aware of that information. Well, it seems that I was not clear enough in my statement. At the risk of being taken for rude, I'll expound on what the misconception being promulgated here is. I'm not trying to be argumentative, but what's been written here is just wrong, especially since programs like this go to some lengths not to remember passwords. We even go to the length of not making it easy to find encrypted passwords, let alone passwords in clear text, by using shadow.

The sudo program does not remember passwords. It remembers epochs when passwords were properly entered. That's what I said in my earlier messages. This makes the third time, I believe. I can say that, because it is the truth. (almost)

So, just to be clear, let me be clear, and hopefully not argumentative. Sudo does not cache, or store, passwords. It stores the information that a password was correctly entered and when and for whom. (See below for a clarification on this point.) It does not store or remember the password in any form, AFAIK, and if it sometimes accidentally does, it needs to be changed. An epoch, and a user name, are not a password. Storing an epoch, and a user name, is not storing or remembering a password.

Here's how sudo remembers that information. It's not stored in a file, as one supposed it must be; it's stored in multiple nested directory entries.

    $ whoami
    jmccarty
    $ ps
      PID TTY          TIME CMD
     9239 pts/36   00:00:00 bash
    11378 pts/36   00:00:00 ps
    $ sudo ls -l /var/run/sudo
    total 20
    drwx------ 2 root root 4096 Oct 22  2007 bird
    drwx------ 2 root root 4096 May 27 02:53 jmccarty
    drwx------ 2 root root 4096 Aug 27  2008 lfs
    -rw------- 1 root root   64 Oct 21  2004 _pam_timestamp_key
    drwx------ 2 root root 4096 Jun  2  2009 root
    $ sudo ls -l /var/run/sudo/jmccarty
    total 8
    -rw------- 1 root root 0 May 14 12:47 13
    -rw------- 1 root root 0 Apr 23 03:23 18
    -rw------- 1 root root 0 May 21 16:03 24
    -rw------- 1 root root 0 May 26 15:07 33
    -rw------- 1 root root 0 May 27 02:55 36
    -rw------- 1 root root 0 May 26 15:16 37

Note carefully that the files are ZERO length; these contain no information, only the directory entry is significant, AFAIK. I have, on occasion, seen files which have some information in them, though I do not know what it may be. I should have the source for sudo somewhere, and could go read it to find out. I haven't taken the time so far to investigate that.

The file name is the pts from which sudo was run. I just ran sudo, so an entry was made for me, at the time I ran sudo, and indicating that I ran it from pts/36.

Nowhere does sudo store or remember a password, period. It stores the information that a password was entered properly, and when, and by whom. Well, not quite, because it really stores the last time it successfully ran on a given pts. A password may not have been entered, since a password entry is not required during the cache period. The entry will be updated, however, extending the cache period. Also, a password is not required for some users, root for example. These users do not, AFAIK, get entries when they run sudo. At least, I've not seen it.

The sudo command provides a way to extend the cache period, without entering some useless command, by means of

    $ sudo -v

which simply validates that one is a valid sudoer, and updates the cache entry. Using

    $ sudo -k

sets the entry to the current epoch, so that the next use will require the entry of a password (if the user is required to enter one).

    $ sudo -K

removes the entry altogether.

I hope that is clear, and unambiguous, and not rude or argumentative. Somehow it seems simpler just to say sudo does not 'remember' passwords, instead of having to write a tutorial, and I wish that it were possible to do that without people challenging that fact before taking any time of their own to investigate how the program works.

Mike
Re: root password prompts
On 05/27/2010 02:42 PM, Mike McCarty wrote:
> I'm aware of that information. Well, it seems that I was not clear enough in my statement.

There is no lack of clarity. When people refer to sudo remembering passwords, they are certainly referring to the functionality and not the implementation details (which most people don't know and don't want to know). While you might argue that the terminology is incorrect and you are technically right, I don't see much of a gain in being nit-picky about it. If you think you can expound on the implementation details and get everyone to use a different terminology, I am afraid you are going to end up being very frustrated. The boat has sailed on that long back.

Rahul
Re: root password prompts
Mike McCarty wrote:

[...]

>     $ sudo ls -l /var/run/sudo/jmccarty
>     total 8
>     -rw------- 1 root root 0 May 14 12:47 13
>     -rw------- 1 root root 0 Apr 23 03:23 18
>     -rw------- 1 root root 0 May 21 16:03 24
>     -rw------- 1 root root 0 May 26 15:07 33
>     -rw------- 1 root root 0 May 27 02:55 36
>     -rw------- 1 root root 0 May 26 15:16 37
>
> Note carefully that the files are ZERO length; these contain no information, only the directory entry is significant, AFAIK. I have, on occasion, seen files

One slight clarification: The epoch the file timestamp is set to is that of when sudo is run. When one uses

    $ sudo -k

the timestamp is set to an epoch in the past. For example from another (su to root) terminal I now see

    # ls -l /var/run/sudo/jmccarty
    total 8
    -rw------- 1 root root  0 May 14 12:47 13
    -rw------- 1 root root  0 Apr 23 03:23 18
    -rw------- 1 root root  0 May 21 16:03 24
    -rw------- 1 root root  0 May 27 03:15 33
    -rw------- 1 root root 55 May 25 16:47 34:root
    -rw------- 1 root root  0 Dec 31  1969 36
    -rw------- 1 root root  0 May 26 15:16 37
    -rw------- 1 root root 60 May 25 13:12 unknown:root

Interestingly, I now see entries with some data in them. I've wondered whether those entries might not be from something like that.

    $ sudo dumphex /var/run/sudo/jmccarty/34:root
    Password:
         2F 76 61 72 2F 72 75 6E 2F 73 75 64 6F 2F 6A 6D |/var/run/sudo/jm|
    0010 63 63 61 72 74 79 2F 33 34 3A 72 6F 6F 74 00 73 |ccarty/34:root.s|
    0020 45 FC 4B C0 23 47 DC EA 6A C5 6E 44 D8 85 2A 44 |E.K.#G..j.nD..*D|
    0030 18 C3 20 0D EC 74 9E                            |.. ..t.|

I don't know what that information may represent, but I suspect it's the entries that su makes to track its information.

Mike
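The ticket scheme described in the two messages above, modelled as an added example that is not part of the original thread and is not sudo's source code: one zero-length file per user and tty whose modification time is the only state, checked against the 5-minute window quoted earlier. The class and method names, the clock values and the temporary directory standing in for /var/run/sudo are assumptions; `invalidate` follows the later clarification that `-k` sets the timestamp to an epoch in the past.

```python
import os
import tempfile

TIMEOUT = 5 * 60  # seconds; the 5-minute default quoted in the thread


class TicketDir:
    """Model of the per-user ticket directory (hypothetical names)."""

    def __init__(self, root, user):
        self.dir = os.path.join(root, user)
        os.makedirs(self.dir, mode=0o700, exist_ok=True)

    def path(self, tty):
        # The file name is the pts number sudo was run from.
        return os.path.join(self.dir, str(tty))

    def needs_password(self, tty, now):
        try:
            mtime = os.stat(self.path(tty)).st_mtime
        except FileNotFoundError:
            return True
        age = now - mtime
        # Negative age (ticket dated in the future) is refused as well;
        # that is this model's own sanity check.
        return not (0 <= age <= TIMEOUT)

    def touch(self, tty, now):
        """Create or refresh the ticket; what 'sudo -v' amounts to here."""
        fd = os.open(self.path(tty), os.O_WRONLY | os.O_CREAT, 0o600)
        os.close(fd)  # nothing is ever written: the file stays empty
        os.utime(self.path(tty), (now, now))

    def run(self, tty, now, password_ok=False):
        """Return how the command was authorised, or 'denied'."""
        if self.needs_password(tty, now):
            if not password_ok:
                return "denied"
            how = "password"
        else:
            how = "ticket"
        self.touch(tty, now)  # every successful run extends the window
        return how

    def invalidate(self, tty):
        """Model of 'sudo -k': push the timestamp back to the epoch."""
        if os.path.exists(self.path(tty)):
            os.utime(self.path(tty), (0, 0))

    def remove(self, tty):
        """Model of 'sudo -K' as described in the thread: drop the entry."""
        if os.path.exists(self.path(tty)):
            os.unlink(self.path(tty))


def demo():
    """Replay a constructed session; return the outcomes and ticket size."""
    t0 = 1_000_000  # constructed clock value, seconds
    with tempfile.TemporaryDirectory() as root:
        tickets = TicketDir(root, "jmccarty")
        outcomes = [
            tickets.run(36, t0),                    # no ticket yet
            tickets.run(36, t0, password_ok=True),  # password checked once
            tickets.run(36, t0 + 240),              # inside the window
            tickets.run(36, t0 + 480),              # window was extended
            tickets.run(37, t0 + 480),              # other tty, own ticket
        ]
        tickets.invalidate(36)
        outcomes.append(tickets.run(36, t0 + 481))  # back-dated ticket
        size = os.path.getsize(tickets.path(36))
        tickets.remove(36)
        gone = not os.path.exists(tickets.path(36))
    return outcomes, size, gone


if __name__ == "__main__":
    print(demo())
```

The fourth call succeeds 480 seconds after the password was entered only because the third call refreshed the ticket, which is the "extending the cache period" behaviour described above; at no point does the ticket file hold any bytes.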
Re: root password prompts
On Thu, May 27, 2010 at 5:19 AM, Rahul Sundaram methe...@gmail.com wrote:
> On 05/27/2010 02:42 PM, Mike McCarty wrote:
>> I'm aware of that information. Well, it seems that I was not clear enough in my statement.
>
> There is no lack of clarity. When people refer to sudo remembering passwords, they are certainly referring to the functionality and not the implementation details (which most people don't know and don't want to know). While you might argue that the terminology is incorrect and you are technically right, I don't see much of a gain in being nit-picky about it. If you think you can expound on the implementation details and get everyone to use a different terminology, I am afraid you are going to end up being very frustrated. The boat has sailed on that long back.
>
> Rahul

I disagree. Nit picking details in this industry is essential for progress and understanding. Defending flawed terminology that implies security holes when they don't exist is foolish. I would like to thank Mike for his explanations, I for one have learnt something today.
Re: root password prompts
On 05/27/2010 03:30 PM, Andrew Parker wrote:
> I disagree. Nit picking details in this industry is essential for progress and understanding. Defending flawed terminology that implies security holes when they don't exist is foolish. I would like to thank Mike for his explanations, I for one have learnt something today.

I wasn't defending flawed terminology. I was just saying, just like the word hacker or so many other things that are widely popular and misattributed, it is pretty much a lost battle. Good luck trying if you are so inclined to do so.

Rahul
Re: root password prompts
On Wed, 2010-05-26 at 14:39 -0400, Tom Horsley wrote:
> Today I was running system-config-printer to install all the various printers around here at work on a freshly installed fedora 13 system running as a brand new user in a standard gnome session.

As with other PolicyKit-enabled applications, you can configure the amount of password dialogs you need to see. You can reduce this to 'none at all' if you like.

For an example configuration which removes the need to see any CUPS-related password dialogs when configuring the local machine, see this short description I wrote:

https://fedoraproject.org/wiki/Printing/ConfigurationTool#PolicyKit_configuration

That configuration file applies to actions matching org.opensuse.cupspkhelper.mechanism.*, i.e. everything that cups-pk-helper provides. You can also extend that to org.fedoraproject.config.* for the other configuration tools in Fedora, and org.libvirt.unix.* for everything to do with virtualization, etc.

Yes, it is a bit mad that you get so many root passwords when adding a printer, but system-config-printer needs to use these actions:

 * org.fedoraproject.config.firewall.auth (to read the firewall configuration, to be able to offer the ability to actually find any network printers)
 * org.opensuse.cupspkhelper.mechanism.devices-get (to be able to find any devices at all)
 * org.opensuse.cupspkhelper.mechanism.printeraddremove (to be able to actually add a printer)

The policy for these actions is shipped as part of the cups-pk-helper package. The over-arching Fedora policy that specifies what the package must ship is here:

https://fedoraproject.org/wiki/Privilege_escalation_policy

Tim.
Re: root password prompts
On Thu, 2010-05-27 at 01:17 -0500, Mike McCarty wrote:
>> No, I mean sudo. In the default config it prompts for the user's password.
>
> But the OP asked about root password, not the user's password.

And I replied in order to help him with his underlying need, which is not to know the root password but to be able to use root privileges without repeatedly having to type a password. IOW I assumed I was replying to what he meant rather than what he said. Since he hasn't contradicted that impression, I stand by my reply.

poc
Re: root password prompts
On Thu, 2010-05-27 at 02:27 -0500, Mike McCarty wrote:
> The fellow I responded to is contributing to a thread which concerns precise differences between how different tools handle security. He already wrote one inaccurate statement, from which I infer that he is not writing very clearly, and possibly not thinking very clearly, about what takes place when these programs run, to wit, implying that sudo prompts for root's password, which it does not. When I tried to read behind what he wrote, which was obviously inaccurate, and supposed that he meant su, he corrected me, reinforcing my belief that he was not giving due consideration to what he is writing.

Speaking as the fellow you are presumably referring to, your account, dripping with condescension despite your assertion that it isn't about ego or posturing, signally fails to mention my further reply to this point.

There is no confusion in my mind about what was said, there is no confusion in my mind about sudo and how it works, there is no confusion about what the OP wanted to know (which is not the same as what he said he wanted to know). The only one who's confused about what was said appears to be you, since you again state that I think sudo remembers passwords, despite my replying that I don't think that and that the very idea is insane.

poc
Re: root password prompts
On Wed, 2010-05-26 at 14:39 -0400, Tom Horsley wrote:
> I have seen claims on this list that the root password is remembered for a small amount of time so you don't keep getting asked. That has never worked for me, but I assumed it was just because I was running a non-standard session and was missing something.
>
> Today I was running system-config-printer to install all the various printers around here at work on a freshly installed fedora 13 system running as a brand new user in a standard gnome session. I get three or four root password prompts for each separate printer install.
>
> Where is this mythical setting to make it remember the password?

AFAIK this is a function of 'sudo'. It asks you the first time and remembers for a few minutes after. I've never seen this behaviour other than with sudo.

poc
Re: root password prompts
Patrick O'Callaghan wrote:
> On Wed, 2010-05-26 at 14:39 -0400, Tom Horsley wrote:
> [...]
> > Where is this mythical setting to make it remember the password?
>
> AFAIK this is a function of 'sudo'. It asks you the first time and remembers for a few minutes after. I've never seen this behaviour other than with sudo.

Umm, perhaps you mean su. The sudo command does not prompt for the root password. It doesn't remember the password. It makes an entry in a log with the epoch. When next invoked, sudo checks the latest entry, and if less than a certain amount of time has elapsed, simply goes on. If more than the time limit has elapsed, then it prompts, and makes a new entry.

Mike
--
p=p=%c%s%c;main(){printf(p,34,p,34);};main(){printf(p,34,p,34);}
Oppose globalization and One World Governments like the UN.
This message made from 100% recycled bits.
You have found the bank of Larn.
I speak only for myself, and I am unanimous in that!
Re: root password prompts
Mike McCarty wrote:
> Patrick O'Callaghan wrote:
> > On Wed, 2010-05-26 at 14:39 -0400, Tom Horsley wrote:
> > [...]
> > > Where is this mythical setting to make it remember the password?
> >
> > AFAIK this is a function of 'sudo'. It asks you the first time and remembers for a few minutes after. I've never seen this behaviour other than with sudo.
>
> Umm, perhaps you mean su. The sudo command does not prompt for the root password.

I guess this is too brief. The sudo command does not prompt for the root password. The su command may prompt for the root password, and always does if it ever does, unless being invoked by root. The sudo command does make entries in a log which it checks, and if it prompts for the user password (not root, even if root invokes it) then it does not do so if invoked again by the same user within a certain time period.

I hope that isn't too confusing. I'm sure man su and man sudo will help untangle it all.

Mike
--
p=p=%c%s%c;main(){printf(p,34,p,34);};main(){printf(p,34,p,34);}
Oppose globalization and One World Governments like the UN.
This message made from 100% recycled bits.
You have found the bank of Larn.
I speak only for myself, and I am unanimous in that!
Re: root password prompts
On Wed, 2010-05-26 at 14:48 -0500, Mike McCarty wrote:
> > AFAIK this is a function of 'sudo'. It asks you the first time and remembers for a few minutes after. I've never seen this behaviour other than with sudo.
>
> Umm, perhaps you mean su. The sudo command does not prompt for the root password.

No, I mean sudo. In the default config it prompts for the user's password.

> It doesn't remember the password. It makes an entry in a log with the epoch. When next invoked, sudo checks the latest entry, and if less than a certain amount of time has elapsed, simply goes on. If more than the time limit has elapsed, then it prompts, and makes a new entry.

IOW it remembers it by logging it. How else would it do it except by recording it in a file?

poc
Re: root password prompts
> > and makes a new entry.
>
> IOW it remembers it by logging it. How else would it do it except by recording it in a file?
>
> poc

It is an suid program - it doesn't need a password unless the policy chooses to ask for one.
Re: root password prompts
On Wed, May 26, 2010 at 2:39 PM, Tom Horsley horsley1...@gmail.com wrote:
> I have seen claims on this list that the root password is remembered for a small amount of time so you don't keep getting asked. That has never worked for me, but I assumed it was just because I was running a non-standard session and was missing something.
>
> Today I was running system-config-printer to install all the various printers around here at work on a freshly installed fedora 13 system running as a brand new user in a standard gnome session. I get three or four root password prompts for each separate printer install.
>
> Where is this mythical setting to make it remember the password?

I have never seen su remember a password but sudo does. You can set the time-period for which the password is remembered with timestamp_timeout in /etc/sudoers. The default might vary from distribution to distribution.
Re: root password prompts
On Wed, 2010-05-26 at 16:59 -0400, Genes MailLists wrote:
> > > and makes a new entry.
> >
> > IOW it remembers it by logging it. How else would it do it except by recording it in a file?
> >
> > poc
>
> It is an suid program - it doesn't need a password unless the policy chooses to ask for one.

Perhaps I wasn't clear enough. What I meant by "it" in the above is not the password itself (which of course it doesn't record, that would be insane) but the fact that the user authenticated at a certain time.

poc
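The mechanism discussed in the messages above (a record of when the user last authenticated, compared against `timestamp_timeout`), modelled as an added example that is not part of any poster's message and is not sudo's own code. It handles only global and per-user `Defaults` lines; the sudoers excerpt is constructed and the function names are hypothetical.

```python
import re

DEFAULT_TIMEOUT_MIN = 5.0  # default documented in sudoers(5); distributions may differ

# Constructed sudoers excerpt (not from a real system).
SAMPLE_SUDOERS = """\
Defaults    env_reset, timestamp_timeout=15
Defaults:alice timestamp_timeout=0
Defaults:backup timestamp_timeout=-1
alice ALL=(ALL) ALL
"""

_DEFAULTS = re.compile(r"^Defaults(?::(?P<user>\S+))?\s+(?P<opts>.+)$")
_TIMEOUT = re.compile(r"\btimestamp_timeout\s*=\s*(?P<val>-?\d+(?:\.\d+)?)")


def timeout_for(user, sudoers_text):
    """Return the timestamp_timeout (in minutes) that applies to `user`.

    Simplified model: only `Defaults` and `Defaults:user` lines are read,
    and the last matching line wins.
    """
    timeout = DEFAULT_TIMEOUT_MIN
    for line in sudoers_text.splitlines():
        m = _DEFAULTS.match(line.strip())
        if not m or m.group("user") not in (None, user):
            continue  # not a Defaults line, or scoped to another user
        t = _TIMEOUT.search(m.group("opts"))
        if t:
            timeout = float(t.group("val"))
    return timeout


def must_prompt(last_auth_epoch, now_epoch, timeout_min):
    """Decide whether the user has to authenticate again.

    last_auth_epoch is the recorded time of the last successful
    authentication (None if there is no record). Only that time is
    stored, never the password.
    """
    if timeout_min == 0:         # 0: always prompt
        return True
    if last_auth_epoch is None:  # nothing recorded yet
        return True
    if timeout_min < 0:          # negative: record stays valid until reboot
        return False
    return (now_epoch - last_auth_epoch) > timeout_min * 60
```
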
Re: root password prompts
On Wednesday 26 May 2010 02:27 PM, Tom H wrote:
> On Wed, May 26, 2010 at 2:39 PM, Tom Horsley horsley1...@gmail.com wrote:
> > I have seen claims on this list that the root password is remembered for a small amount of time so you don't keep getting asked. That has never worked for me, but I assumed it was just because I was running a non-standard session and was missing something.
> >
> > Today I was running system-config-printer to install all the various printers around here at work on a freshly installed fedora 13 system running as a brand new user in a standard gnome session. I get three or four root password prompts for each separate printer install.
> >
> > Where is this mythical setting to make it remember the password?
>
> I have never seen su remember a password but sudo does. You can set the time-period for which the password is remembered with timestamp_timeout in /etc/sudoers. The default might vary from distribution to distribution.

I believe what the OP is asking is the gui utility that remembers the authentication after a user enters the root password after the prompt by a gui dialogue. As far as I know this facility used to be offered by policykit and the way to set this was to use polkit-gnome-authorization. But that particular utility has been unavailable since Fedora 12.

In short you are better off configuring sudo and calling system-config-printer from the terminal like this,

$ sudo system-config-printer

--
Suvayu
Open source is the future. It sets us free.
Re: root password prompts
On Wed, 26 May 2010 15:17:41 -0700 Suvayu Ali wrote:
> In short you are better off configuring sudo and calling system-config-printer from the terminal like this,
>
> $ sudo system-config-printer

Yes, running this stuff as root usually works (except for the brief period of time where the code refused to authorize root to run as root :-), but I was just trying out the normal interface to see if it worked as I'd been told. I guess it doesn't. The system-config-printer case seems to be the most insane with separate root prompts showing up at several stages of the printer definition process.

This, of course, brings up the whole login as root controversy, since it isn't at all obvious what the heck the names of the programs are which are associated with menu items, so it is far simpler to login as root in order to run these things without getting prompted over and over.

Those in the know can grep in the /usr/share/applications directory or just ls /usr/bin/system-config-* and make good guesses, but it takes a while to stumble across that info.
Re: root password prompts
On 05/26/2010 06:17 PM, Suvayu Ali wrote:
> In short you are better off configuring sudo and calling system-config-printer from the terminal like this,
>
> $ sudo system-config-printer

Sort of begs the question why the GUI does not use sudo ... let the gui do what it does best .. goo-eee .. and leave the sudo'ing to sudo ???

Or is that how it worked ?
Re: root password prompts
On Wed, May 26, 2010 at 6:17 PM, Suvayu Ali fatkasuvayu+li...@gmail.com wrote:
> On Wednesday 26 May 2010 02:27 PM, Tom H wrote:
> > On Wed, May 26, 2010 at 2:39 PM, Tom Horsley horsley1...@gmail.com wrote:
> > > I have seen claims on this list that the root password is remembered for a small amount of time so you don't keep getting asked. That has never worked for me, but I assumed it was just because I was running a non-standard session and was missing something.
> > >
> > > Today I was running system-config-printer to install all the various printers around here at work on a freshly installed fedora 13 system running as a brand new user in a standard gnome session. I get three or four root password prompts for each separate printer install.
> > >
> > > Where is this mythical setting to make it remember the password?
> >
> > I have never seen su remember a password but sudo does. You can set the time-period for which the password is remembered with timestamp_timeout in /etc/sudoers. The default might vary from distribution to distribution.
>
> I believe what the OP is asking is the gui utility that remembers the authentication after a user enters the root password after the prompt by a gui dialogue.

You're right. I was being stupid!

> As far as I know this facility used to be offered by policykit and the way to set this was to use polkit-gnome-authorization. But that particular utility has been unavailable since Fedora 12.

AFAIK the polkit gui was removed as of F12 and policies are now set up by creating a pkla file in one of the subdirectories of /var/lib/polkit-1/localauthority.
Re: root password prompts
On Wednesday 26 May 2010 05:56 PM, Tom H wrote:
> On Wed, May 26, 2010 at 6:17 PM, Suvayu Ali fatkasuvayu+li...@gmail.com wrote:
> > I believe what the OP is asking is the gui utility that remembers the authentication after a user enters the root password after the prompt by a gui dialogue.
>
> You're right. I was being stupid!

Happens to all of us from time to time. ;)

> > As far as I know this facility used to be offered by policykit and the way to set this was to use polkit-gnome-authorization. But that particular utility has been unavailable since Fedora 12.
>
> AFAIK the polkit gui was removed as of F12 and policies are now set up by creating a pkla file in one of the subdirectories of /var/lib/polkit-1/localauthority.

I thought the backend has always been the same, even with the polkit gui from F11? It was a very handy way to set things up and control the level of access I want to give to a regular user. After extensive searching I have been unable to find any proper justification for the removal. The closest I got was a thread on the desktop-list where the polkit developers responded to a query by a Fedora contributor with a, "It has been removed, not bringing it back again.". On a subsequent post by another contributor complaining about the obscurity of the man page explaining how to make the changes by hand (fiddling with the pkla files), was responded with a "submit a patch for the man page". I gave up on this ever since.

When I have the time I would like to file an RFE on bugzilla about this.

--
Suvayu
Open source is the future. It sets us free.
Re: root password prompts
On Wednesday 26 May 2010 10:41 PM, Suvayu Ali wrote:
> On Wednesday 26 May 2010 05:56 PM, Tom H wrote:
> > On Wed, May 26, 2010 at 6:17 PM, Suvayu Ali fatkasuvayu+li...@gmail.com wrote:
> > > I believe what the OP is asking is the gui utility that remembers the authentication after a user enters the root password after the prompt by a gui dialogue.
> >
> > You're right. I was being stupid!
>
> Happens to all of us from time to time. ;)
>
> > > As far as I know this facility used to be offered by policykit and the way to set this was to use polkit-gnome-authorization. But that particular utility has been unavailable since Fedora 12.
> >
> > AFAIK the polkit gui was removed as of F12 and policies are now set up by creating a pkla file in one of the subdirectories of /var/lib/polkit-1/localauthority.
>
> I thought the backend has always been the same, even with the polkit gui from F11? It was a very handy way to set things up and control the level of access I want to give to a regular user. After extensive searching I have been unable to find any proper justification for the removal. The closest I got was a thread on the desktop-list where the polkit developers responded to a query by a Fedora contributor with a, "It has been removed, not bringing it back again.". On a subsequent post by another contributor complaining about the obscurity of the man page explaining how to make the changes by hand (fiddling with the pkla files), was responded with a "submit a patch for the man page". I gave up on this ever since.

The said link, almost exactly as I remembered ... quite sad. :(

http://www.opensubscriber.com/message/fedora-desktop-l...@redhat.com/12934572.html

> When I have the time I would like to file an RFE on bugzilla about this.

--
Suvayu
Open source is the future. It sets us free.
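The pkla files mentioned in this thread are INI-style key files, so hand-written entries can be checked before they are dropped into a localauthority subdirectory. The following is an added example, not part of any poster's message and not polkit's own code: it flags entries that grant an action with no authentication at all. The sample content, group name and action ids are constructed, and `audit_pkla` is a hypothetical helper.

```python
import configparser

# Constructed sample .pkla content; group, identities and action ids are hypothetical.
SAMPLE_PKLA = """\
[Printer admins authenticate once, kept briefly]
Identity=unix-group:printadmin
Action=org.example.printing.*
ResultAny=no
ResultInactive=no
ResultActive=auth_admin_keep

[Everyone may do anything]
Identity=unix-user:*
Action=*
ResultActive=yes
"""

RESULT_KEYS = ("ResultAny", "ResultInactive", "ResultActive")
VALID = {"yes", "no", "auth_self", "auth_self_keep",
         "auth_admin", "auth_admin_keep"}


def audit_pkla(text):
    """Return (section, finding) tuples for malformed or prompt-free entries."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case: key-file keys are case-sensitive
    cp.read_string(text)
    findings = []
    for name in cp.sections():
        sec = cp[name]
        # Identity and Action are semicolon-separated lists of globs.
        ids = [i for i in sec.get("Identity", "").split(";") if i]
        acts = [a for a in sec.get("Action", "").split(";") if a]
        if not ids or not acts:
            findings.append((name, "missing Identity or Action"))
            continue
        results = {k: sec[k].strip() for k in RESULT_KEYS if k in sec}
        for key, value in results.items():
            if value not in VALID:
                findings.append((name, f"{key} has unknown value {value!r}"))
        if "yes" in results.values():
            # "yes" authorizes without any password prompt.
            wide = (any(i.split(":", 1)[-1] == "*" for i in ids)
                    or any(a == "*" for a in acts))
            scope = "wildcard scope" if wide else "limited scope"
            findings.append((name, f"no-auth grant, {scope}"))
    return findings
```

The first sample entry uses `auth_admin_keep`, which asks for an administrator password once and keeps the authorization for a short period; only the second entry is reported.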