Re: Security hole in LXDE?

To: debian-user@lists.debian.org
Subject: Re: Security hole in LXDE?
From: David Wright <deblis@lionunicorn.co.uk>
Date: Mon, 27 Feb 2017 15:49:58 -0600
Message-id: <[🔎] 20170227214958.GA12529@alum>
Reply-to: debian-user@lists.debian.org
In-reply-to: <[🔎] f9f56a89-ea7f-c96d-8143-7e0214b87494@openmailbox.org>
References: <[🔎] 7419461.KfDLPVJcsL@protheus1> <[🔎] 44c6d110-2214-7226-4a8d-38e940d99613@cropakglobal.com> <[🔎] 4720619.kA2Lf0eR9E@protheus7> <[🔎] f9f56a89-ea7f-c96d-8143-7e0214b87494@openmailbox.org>

On Mon 27 Feb 2017 at 11:13:00 (+0000), GiaThnYgeia wrote:
> testingAmd64LXDE
> 
> I have never, not once, been able to run synaptic in any similar system
> without a root or a sudo password.  Not to execute a command, just to
> get the gui up you need a password.

Why would that be? You should be able to do so. There's a popup
window that says this:

  Starting "Synaptic Package Manager" without administrative privileges

  You will not be able to apply any changes, but you can still export
  the marked changes or create a download script for them.

I can select packages, look at their properties, dependencies,
installed files, get changelogs etc. I can edit some of the
preferences. I can see the immediate effects of that in files
like ~/.synaptic/synaptic.conf when I click OK. I can select
packages for installation and it will write a little script
for me:

 #!/bin/sh
 wget -c
 http://ftp.us.debian.org/debian/pool/non-free/i/ibm-3270/3270-common_3.3.14ga11-1_i386.deb

So it suggests that the OP has set something in their system
to cause the behaviour they observe, both the popup and the
fact that a user's password is sufficient for installing software.

I can run (the similar program) aptitude likewise. The main differences
with synaptic are that aptitude is in the user's normal PATH (whereas
synaptic is in /usr/sbin); when you try to install, it asks you to
consider becoming root from the Actions menu; and if you persist, it
gives you the option to become root in a dialog box, and you can then
type the root password.

> I don't know whether creating a user with 100% admin privileges will
> still require a pass or not, I suspect it would still.  As if you add a
> user in the sudo group it is the user's pass that is asked.  So
> something is wrong on your specific installation.
> 
> Hans:
> > Am Montag, 27. Februar 2017, 21:00:15 CET schrieb Davor Balder:
> >> Hi Hans,
> >>
> >> Question 1 which one: stable, testing or unstable?
> > 
> > testing/amd64
> >>
> >> Generally (to aid in your investigation):
> >>
> > I did, but found nothing unusual. 
> > 
> > If no one can confirm this, it is a problem on my system!

Cheers,
David.

Reply to:

Follow-Ups:
- Re: Security hole in LXDE?
  - From: Hans <hans.ullrich@loop.de>
- Re: Security hole in LXDE?
  - From: GiaThnYgeia <GiaThnYgeia@openmailbox.org>

References:
- Security hole in LXDE?
  - From: Hans <hans.ullrich@loop.de>
- Re: Security hole in LXDE?
  - From: Davor Balder <davor@cropakglobal.com>
- Re: Security hole in LXDE?
  - From: Hans <hans.ullrich@loop.de>
- Re: Security hole in LXDE?
  - From: GiaThnYgeia <GiaThnYgeia@openmailbox.org>

Prev by Date: Re: X won't start after installing openbox
Next by Date: Re: X won't start after installing openbox
Previous by thread: Re: Security hole in LXDE?
Next by thread: Re: Security hole in LXDE?
Index(es):
- Date
- Thread