Re: Sid Synaptic authenticates with sudo
On Fri, Jun 15, 2012 at 10:45 PM, Mark Allums <mark@allums.com> wrote:
> On 6/15/2012 7:01 PM, Tom H wrote:
>> On Fri, Jun 15, 2012 at 7:41 PM, Tom H <tomh0665@gmail.com> wrote:
>>> On Fri, Jun 15, 2012 at 6:08 PM, Mark Allums <mark@allums.com> wrote:
>>>>
>>>> Synaptic has begun asking for my user password rather than the root
>>>> password. Why is this happening, and how do I make it stop? I want
>>>> only
>>>> users with root privileges to use apt/aptitude/synaptic/gdebi/etc. and I
>>>> want the original behavior restored.
>>>
>>>
>>> I don't have a Debian install with a DE to verify the following but
>>> I'd check "/etc/polkit-1/localauthority.conf.d/" where there's most
>>> likely a file defining the polkit admin users.
>>>
>>> (Do you have users on your system who can sudo to root and not su to
>>> root?!)
>>
>>
>> check "/etc/polkit-1/localauthority.conf.d/51-debian-sudo.conf".
>>
>>> From "policykit-1_0.96-4+squeeze2.diff":
>>
>>
>> +binary-install/policykit-1::
>> + # when building for Ubuntu, allow the admin group, on Debian use
>> sudo group
>> + if [ "$(DISTRO)" = "Ubuntu" ]; then \
>> + /bin/echo -e
>> "[Configuration]\nAdminIdentities=unix-group:admin"
>>>
>>>
>>> debian/policykit-1/etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf;
>>
>> \
>> + elif [ "$(DISTRO)" = "Debian" ]; then \
>> + /bin/echo -e
>> "[Configuration]\nAdminIdentities=unix-group:sudo"
>>>
>>>
>>> debian/policykit-1/etc/polkit-1/localauthority.conf.d/51-debian-sudo.conf;
>>
>> \
>> + fi
>>
>> Looking at the changelog, this was done (unless I'm misunderstanding
>> the entry) in 2010:
>>
>> policykit-1 (0.96-4) unstable; urgency=low
>>
>> * debian/rules
>> - When building for Debian, install a localauthority.conf.d
>> configuration
>> file which considers "sudo" group users as administrators.
>> (Closes: #532499)
>>
>> -- Michael Biebl <biebl@debian.org> Tue, 16 Nov 2010 23:21:50 +0100
>
> Thanks for that. I should have realized. It was indeed set to sudo. A bit
> infuriating.
>
> I am currently the only sudo-er, and I want it to stay that way. I am also
> currently the only possessor of the root password. (In event of my
> incapacity, they are in a safe place.) Nevertheless, there are (some
> possibly silly) reasons for my distress. Anyway...
>
> Oddly, if this change was made so long ago, then why did it just now change
> behavior on my Sid machines, and why has it not happened to my Wheezy
> machines?
>
> It is unique to Synaptic (it seems) on my Sid machines. For instance,
> starting a root terminal brings up the usual "Enter the administrative
> password" dialog. Also, on my Wheezy machines, the setting is the same, but
> on them, Synaptic still asks for the root password, not the user password.
>
> So, while Policykit is a good lead, but I don't think it is the source of
> the change.
>
> Thanks for your suggestions,
You're welcome. PolicyKit can be more fine-grained than just setting
an admin group. You can find specific synaptic authorizations by
running "pkaction" and then display the actual authorization with
"pkaction --verbose --action-id <actionname>".
Reply to: