Packages of "standard" priority in a fresh cdebootstrapped system as dependencies of packages with higher priorities.

[Jayson Willson]

Hello! I have just installed a Debian Stable system with cdebootstrap 
(cdebootstrap jessie ./ http://ftp.ru.debian.org/debian/) and in this 
new system I found the following packages, which have "standard" priority:


libcap2
libdb5.3
libgcrypt20
libgnutls-deb0-28
libgnutls-openssl27
libgpg-error0
libidn11
libp11-kit0
libtasn1-6

According to "aptitude why", they are installed for the following reasons:

i   systemd Depends libcap2 (>= 1:2.10)
i   libpam-modules PreDepends libdb5.3
i   systemd PreDepends libgcrypt20 (>= 1.6.1)
i   wget Depends libgnutls-deb0-28 (>= 3.3.0)
i   iputils-ping Depends libgnutls-openssl27 (>= 3.0-0)
i   libgcrypt20 Depends libgpg-error0 (>= 1.14)
i   wget Depends libidn11 (>= 1.13)
i   libgnutls-deb0-28 Depends libp11-kit0 (>= 0.20.7)
i   libgnutls-deb0-28 Depends libtasn1-6 (>= 4.1-0)

However, according to Debian Policy 
(https://www.debian.org/doc/debian-policy/ch-archive.html), "Packages 
must not depend on packages with lower priority values (excluding 
build-time dependencies)."


Should I report this incident somewhere, or is it ok? Thank you.


--
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/55b28035.5020...@gmail.com

Re: Packages of "standard" priority in a fresh cdebootstrapped system as dependencies of packages with higher priorities.

[Jayson Willson]

Thank you, now I understand.


--
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/55b33430.7030...@gmail.com

Who has rights to override/ignore systemd inhibitors?

[Jayson Willson]

Hello. I have realized, that my user (groups: 
tty,disk,mail,news,dialout,voice,sudo,audio,www-data,video,plugdev,users,mlocate,kvm,vboxusers,libvirt) 
can ignore inhibitors (such as root being logged in) using "systemctl 
suspend/poweroff/etc -i" without password prompt (with standard polkit 
configuration and without NOPASSWD in sudoers). I have asked in 
systemd-devel, why does it happen, and Lennart has answered, that 
authentication is handled by Polkit policy in file 
/usr/share/polkit-1/actions/org.freedesktop.login1.policy


That's what I have in this file:


Power off the system while an application 
asked to inhibit it
Authentication is required for powering off 
the system while an application asked to inhibit it.


auth_admin_keep
auth_admin_keep
auth_admin_keep

key="org.freedesktop.policykit.imply">org.freedesktop.login1.power-off



It seems like authentication IS required to poweroff/suspend/etc system, 
disregarding inhibitors. However, on my system, without any special 
polkit configuration standard user (which is in the groups mentioned 
above) can ignore inhibitors by running systemctl poweroff -i without 
being asked for authentication.
Could you please help me to understand, why doest it happen and how can 
I change this behaviour? Thank you.

Re: Who has rights to override/ignore systemd inhibitors?

[Jayson Willson]

Thank you very much for your answer, I have understood everything.
Only one question is left:
Does it mean, that with such configuration those users, which are 
connected using ssh, for example, won't be able to shutdown computer, 
unless he passes polkit authentication? Also, are users, who logged in 
using display manager considered local?

How to read mail addressed to "root" from "root" user?

[Jayson Willson]

I would like to be able to read mail, which is addressed to "root" as 
"root" user. When I configured exim4-config, I have set "root" as user, 
which all the mail sent to "root" will be forwarded to. But now all the 
mail sent to root comes to /var/mail/mail, and when I run "mail" as 
root, I get message: No mail for root. Could you please tell me, what 
should I do, if I want to read root's mail from root account?

Thank you.
--
Yours sincerely, Jayson Willson

Re: How to read mail addressed to "root" from "root" user?

[Jayson Willson]

Thank you very much for your answer!
Could you please tell me, why is it recommended to forward root's mail 
to regular user? I sometimes log in as root on tty or via sudo to 
administer system, and thus I would be able to have root's and user's 
mailboxes separated, while still reading root's mail. Is there anything 
that I have missed?


Yours sincerely, Jayson Willson

31.08.2015 19:59, Marc Haber пишет:

On Mon, 31 Aug 2015 19:08:20 +0300, Jayson Willson
 wrote:

I would like to be able to read mail, which is addressed to "root" as
"root" user. When I configured exim4-config, I have set "root" as user,
which all the mail sent to "root" will be forwarded to. But now all the
mail sent to root comes to /var/mail/mail, and when I run "mail" as
root, I get message: No mail for root. Could you please tell me, what
should I do, if I want to read root's mail from root account?


mutt -f /var/mail/mail

You should really have root's mail delivered to a regular user.

Greetings
Marc

Re: Polkit: prompt for root password

[Jayson Willson]

I have also tried creating 
/usr/share/polkit-1/rules.d/49-rootpw_global.rules with the same 
contents, as it seems like some other rules reside there. Still no result


Yours sincerely, Jayson Willson

31.08.2015 13:49, Jayson Willson пишет:

Hello everybody!
I would like Polkit to prompt for _root_ password, not _user_ password.
On archwiki I found the following advice: create
/etc/polkit-1/rules.d/49-nopasswd_global.rules

and put the following into it:

/etc/polkit-1/rules.d/49-rootpw_global.rules

/* Always authenticate Admins by prompting for the root
  * password, similar to the rootpw option in sudo
  */
polkit.addAdminRule(function(action, subject) {
 return ["unix-user:root"];
});


However, it doesn't work on my Debian Stable system even after I reboot
the system. Polkit still prompts for user password. What should I do?

Re: Polkit: prompt for root password

[Jayson Willson]

Thank you for your advice, I have found the way:
Comment out file 
/etc/polkit-1/localauthority.conf.d/51-debian-sudo.conf, which overrides 
/etc/polkit-1/localauthority.conf.d/50-localauthority.conf and makes 
polkit consider members of "sudo" groups as administrators.


Yours sincerely, Jayson Willson

01.09.2015 21:16, Matthias Klumpp пишет:

2015-09-01 19:49 GMT+02:00 Jayson Willson mailto:jaysonwillson...@gmail.com>>:

I have also tried creating
/usr/share/polkit-1/rules.d/49-rootpw_global.rules with the same
contents, [...]


The problem with that is simply that the PolicyKit in Debian
Unstable/Testing/Stable does not read the JavaScript rules files.
Only the version using JS-based rules files (in experimental for ages)
does that. So you might want to search for a solution using the old
configuration syntax here.
Cheers,
 Matthias

Re: Polkit: prompt for root password

[Jayson Willson]

It seems to me, that such approach will increase security. If "sudo" and 
"policykit" prompt for user password, then even if some other man knows 
my user password, he can administer system, as he can both log into the 
system and user sudo/polkit, but if root password is required for using 
sudo/polkit, then knowing my user's password is not enough, and the only 
thing he will be able to change is files in /home/user.


Yours sincerely, Jayson Willson

01.09.2015 21:45, Michael Biebl пишет:

Am 01.09.2015 um 20:29 schrieb Jayson Willson:

Thank you for your advice, I have found the way:
Comment out file
/etc/polkit-1/localauthority.conf.d/51-debian-sudo.conf, which overrides
/etc/polkit-1/localauthority.conf.d/50-localauthority.conf and makes
polkit consider members of "sudo" groups as administrators.


So you user was in group "sudo", having admin privileges.
Just curious: why do you then want to prompt for the root password and
not the user password for that user?

Re: Polkit: prompt for root password

[Jayson Willson]

Ehmm... I do not know. Probably, what I have done is not correct. As I 
understand, if my user is NOT in sudo group, then su prompts for root 
password (just as always), and polkit will also prompt for root 
password, instead of my user's.
However, sudo seems to be more flexible, and though I do not need all of 
it's flexibility now, I may need it later.

All the changes, which I had to make is:
add
"Defaults  rootpw"
to /etc/sudoers
and do polkit rules changes mentioned above. Are there any reasons _not_ 
to change config files and switch to su without sudo instead?


Yours sincerely, Jayson Willson

01.09.2015 22:02, Michael Biebl пишет:

Am 01.09.2015 um 20:54 schrieb Jayson Willson:

It seems to me, that such approach will increase security. If "sudo" and
"policykit" prompt for user password, then even if some other man knows
my user password, he can administer system, as he can both log into the
system and user sudo/polkit, but if root password is required for using
sudo/polkit, then knowing my user's password is not enough, and the only
thing he will be able to change is files in /home/user.


Why did you then put your user in group sudo in the first place if what
you want is "su" type behaviour?

Strange units in systemd graphical.target

[Jayson Willson]

systemctl list-dependencies:
http://pastebin.com/EkdYjp7X

In my system default.target is symlink to graphical.target.
It does not seem obvious to me, why such services as exim4, tor, gpm, fail2ban 
are both in default.target==graphical.target and in multi-user.target.

Seems like only lightdm is specific for graphical system. 
Could you please clarify this situation? Thank you.

Re: Strange units in systemd graphical.target

[Jayson Willson]

Thank you, everything is clear now.