On Thu 02 Mar 2017 at 14:12:59 (+0100), to...@tuxteam.de wrote:
> On Thu, Mar 02, 2017 at 01:19:00PM +0100, Hans wrote:
> > Hi Tomas
> > > Hm. I'm not sure I've got that one right. Who has allowed the standard
> > > user to execute applications with root rights? How?
> > It was me, having been asked for the root password and (of course) gave the
> > correct one, I allowed the user to start applications with root rights
>
> OK, to recap: you started synaptics (as regular user), and for the first time
> you were asked a password. You gave the root (not the user's) password, and
> from then on you could start synaptics as a regular user without having to
> enter a password. Is that right?

If you're trying to clarify things, you have to tighten that up
considerably. Any regular user can start synaptics without a password,
as I already posted in this thread. I can guess what you mean, and I
don't think that is what happened.

(What I _think_ you mean is that by using the root password in that
situation on one occasion, the system has "remembered", and now you
don't need the password any more. I don't think that happened. I think
the OP configured something at an earlier time and has forgotten.)

> > (besides, I am the user and root, as it is my personal computer)
>
> Yes, I get that. That's (more or less) how most of us do things.
>
> > > > I also found out, that the user is in group "sudo", but got no entry in
> > > > /etc/sudoers.
> > >
> > > Again: who "got no entry in /etc/sudoers"? The user in question? Or the
> > > group "sudo"?
> >
> > It is the user, whom I allowed to do the above.
>
> OK, let me summarize that:
>
>  - there is a file /etc/sudoers
>  - the "user" (let's call him "hans") has *no* entry in /etc/sudoers
>
> Is that right?
>
> That would be a typical setup (on my box it is exactly like that). The
> group sudo is in the /etc/sudoers, and you give users sudo powers by
> adding them to the sudo group. Typically things are set up in a way
> that the user has still to enter *her* password. You can easily check
> which groups a user is in with the "groups" command. In my box:
>
>   tomas@rasputin:~$ groups tomas
>   tomas : tomas cdrom floppy sudo audio dip video plugdev scanner netdev bluetooth kvm
>
> With this setup (and supposed /etc/sudoers has this:
>
>   # Allow members of group sudo to execute any command
>   %sudo ALL=(ALL:ALL) ALL
>
> I can use sudo like so:
>
>   tomas@rasputin:~$ sudo ls
>   [sudo] password for tomas:
>   33c3 fr letters [...]
>
> Note that it asked me for a password. My password (not root). You can
> configure /etc/sudoers to *not* ask for a password, to do it only for
> certain commands and tons of other things (cf.
> man 5 sudoers). Sudo remembers within a session, and for a limited time
> (default is 15 minutes) the password given, so next command won't ask
> you, if you are quick enough. Can be changed in /etc/sudoers.
>
> > > Seems so. I'm still confused: I don't know whether the desktop
> > > environment is the one granting you root privileges (I can't help with
> > > that; I don't "do" desktop environments) or whether it is sudo (or
> > > whether it is the DE based on the sudo settings).
> >
> > No, no, the desktop just edits the settings, after a correct given root
> > password, to start the special applications with root rights in future
> > times.
>
> You mean: the desktop edits /etc/sudoers? I have had many reasons to kick
> DEs out of my box many years ago, but this would be one reason more :-(
>
> Are you sure?
>
> > > The sudo part is pretty easy to find out (no clickety way, sorry). Try,
> > > in a shell those two things:
> > >
> > >   sudo ls
> > >
> >
> > Gives the same as "ls".
>
> Without being asked for *any* password? Sudo supports that (NOPASSWD), but
> it's not the default.
>
> OK. Then obviously you have sudoers running, (1) your user (hans) is allowed
> sudo (most probably via its group) and (2) either you have a NOPASSWD policy,
> or (3) the credentials are cached from a previous successful sudo. If you
> opened your shell explicitly for this experiment, that would almost surely
> rule out (3).
>
> > >   sudo synaptic
> > sudo synaptic
> > sudo: Hostname protheus1 kann nicht aufgelöst werden
> > No protocol specified
> > Unable to init server: Verbindung ist gescheitert:Verbindungsaufbau abgelehnt
> >
> > (synaptic:25373): Gtk-WARNING **: cannot open display: :0
>
> That's funny, but hasn't to do with our current problem. Probably sudo, by
> stripping the environment, has dropped some vital environment variable
> (f. ex. http_proxy or something).
> Might be fixable by invoking "sudo -E", but let's forget about that for
> now, to not get side-tracked.
>
> > > What happens in each case? Do you get a password prompt? Is synaptic
> > > started in user mode or in root mode?
> >
> > No, as it is not root's environment, but the user's one. However, su -p does
> > the trick.
>
> Heh. So we reach the same conclusion.
>
> > > > So, my question: How can I get this all back. A graphical solution is
> > > > preferred, of course I know, I can edit /etc/groups and other things
> > > > manually. But if there is a "clicky"-way, this will be preferred.
> > >
> > > Be careful when editing /etc/groups. There are things for that like
> > > adduser and addgroup. To remove your user from group sudo:
> > >
> > >   sudo deluser <username> sudo
> > >
> > > Whether that helps or not depends on all of the above, of course :-)
> > >
> > > But **first of all** you've got to get clear on what you want:
> > >
> > >  - shall the regular user not be able to call synaptic in
> > >    "root mode" _at all_?
> >
> > The user shall not be able to start any application with root rights.
>
> Never? Then removing (hans) from the sudo group seems to be the most
> "standard" way of achieving that.

Yes, that would be reverting to the default state, ie sudo:x:27: in /etc/group.

> > >  - yes, but only after entering root password?
> >
> > Exactly.
>
> Now I'm confused. This contradicts the above. Perhaps you mean that the
> user has to *login as root*. Sudo has the possibility to ask the root
> password from the regular user instead of her own password (see the
> rootpw, targetpw and runaspw flags in the sudoers(5) man page for all
> the details).
>
> > >  - yes, but only after entering her password?
> >
> > No, this is the actual situation.
>
> Aha. But the user password is still necessary?
>
> OK. Perhaps you just prefer the "classic" su behaviour and don't need
> sudo at all (still: I'd recommend getting used to sudo.
> I don't embrace every novelty, but this one was, after getting used, quite
> nice). But hey, it's your toolbox :)
>
> So just de-installing sudo might be an option for you (make sure your
> package manager doesn't want to throw away half of your system -- I've
> no idea what packages depend on sudo).

I think I would lose the ability to configure wifi APs as a user if I
lost sudo. But I can't see that there's any point in removing sudo
if you
. add no one to group sudo
. add nothing to /etc/sudoers.d/
. add nothing to /etc/sudoers
Would I be right?

BTW one thing I don't understand about sudo is why
/etc/sudoers.d/README is not world-readable.

Cheers,
David.
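
The thread names three places that can give a user sudo rights: membership of a group listed in /etc/sudoers, a rule in /etc/sudoers itself, and a file under /etc/sudoers.d/. The following shell sketch is an added example, not part of the original message or written by any of the posters; it lists who is granted sudo from those sources and whether a password is required. The function names and the sample files (including the `tomas` NOPASSWD rule) are constructed for illustration, and it assumes simple one-line rules.

```shell
#!/bin/sh
# Added example, not from the thread. Lists who gets sudo from the three
# places named above: group membership, /etc/sudoers, /etc/sudoers.d/.
# Assumes one rule per line; aliases and line continuations are not expanded.

# Print the members of group $2 from group(5) file $1, one per line.
group_members() {
    awk -F: -v g="$2" '$1 == g {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }' "$1"
}

# Print "principal PASSWD|NOPASSWD" for every grant in the given sudoers files.
sudoers_rules() {
    awk '
        /^[ \t]*([#@]|$)/ { next }                    # comments, includes, blanks
        $1 ~ /^(Defaults|[A-Z][a-z]+_Alias)/ { next } # settings, alias definitions
        { mode = ($0 ~ /NOPASSWD:/) ? "NOPASSWD" : "PASSWD"; print $1, mode }
    ' "$@"
}

# $1 = group file, remaining arguments = sudoers files to read.
who_can_sudo() {
    gf=$1; shift
    sudoers_rules "$@" | while read -r who mode; do
        case $who in
            %*) for u in $(group_members "$gf" "${who#%}"); do
                    echo "$u via $who $mode"
                done ;;
            *)  echo "$who direct $mode" ;;
        esac
    done
}

# Constructed sample files in directory $1 (hans and tomas are sample users).
make_sample() {
    mkdir -p "$1/sudoers.d"
    printf '%s\n' 'root:x:0:' 'sudo:x:27:hans' 'cdrom:x:24:hans,tomas' > "$1/group"
    printf '%s\n' '# constructed' 'Defaults env_reset' 'root ALL=(ALL:ALL) ALL' \
        '%sudo ALL=(ALL:ALL) ALL' '#includedir /etc/sudoers.d' > "$1/sudoers"
    printf '%s\n' 'tomas ALL=(root) NOPASSWD: /usr/sbin/synaptic' > "$1/sudoers.d/local"
}

demo=$(mktemp -d)
make_sample "$demo"
who_can_sudo "$demo/group" "$demo/sudoers" "$demo"/sudoers.d/*
rm -rf "$demo"
```

Against a real system the same function would be called as root with `/etc/group /etc/sudoers /etc/sudoers.d/*`; with an empty `sudo:x:27:` line and no drop-in files, only the `root` rule remains.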