[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Security hole in LXDE?

As a user and as I understand it you should not be able to make
system-wide changes and many packages affect other parts of the system.
A user can install and run any package that does not affect the system,
as a stand alone.  The system is a whole must be maintained by the
sysadmin for all users.  That is my simplistic understanding.
Unless it is specifically configured otherwise I don't see why these
assumptions would be wrong.  Imagine if I like MATE and the other user
likes X11 and I delete x11 and install MATE, or I install a package that
has dependency conflicts and replaces what is essential for the other
users' packages.

Live systems allow you to install whatever you like as they assume you
are the root or sysadmin.

At least that is how I understand security policy for this system.

David Wright:
> On Mon 27 Feb 2017 at 11:13:00 (+0000), GiaThnYgeia wrote:
>> testingAmd64LXDE
>>
>> I have never, not once, been able to run synaptic in any similar system
>> without a root or a sudo password.  Not to execute a command, just to
>> get the gui up you need a password.
> 
> Why would that be? You should be able to do so. There's a popup
> window that says this:
> 
>   Starting "Synaptic Package Manager" without administrative privileges
> 
>   You will not be able to apply any changes, but you can still export
>   the marked changes or create a download script for them.
> 
> I can select packages, look at their properties, dependencies,
> installed files, get changelogs etc. I can edit some of the
> preferences. I can see the immediate effects of that in files
> like ~/.synaptic/synaptic.conf when I click OK. I can select
> packages for installation and it will write a little script
> for me:
> 
>  #!/bin/sh
>  wget -c
>  http://ftp.us.debian.org/debian/pool/non-free/i/ibm-3270/3270-common_3.3.14ga11-1_i386.deb
> 
> So it suggests that the OP has set something in their system
> to cause the behaviour they observe, both the popup and the
> fact that a user's password is sufficient for installing software.
> 
> I can run (the similar program) aptitude likewise. The main differences
> with synaptic are that aptitude is in the user's normal PATH (whereas
> synaptic is in /usr/sbin); when you try to install, it asks you to
> consider becoming root from the Actions menu; and if you persist, it
> gives you the option to become root in a dialog box, and you can then
> type the root password.
> 
>> I don't know whether creating a user with 100% admin privileges will
>> still require a pass or not, I suspect it would still.  As if you add a
>> user in the sudo group it is the user's pass that is asked.  So
>> something is wrong on your specific installation.
>>
>> Hans:
>>> Am Montag, 27. Februar 2017, 21:00:15 CET schrieb Davor Balder:
>>>> Hi Hans,
>>>>
>>>> Question 1 which one: stable, testing or unstable?
>>>
>>> testing/amd64
>>>>
>>>> Generally (to aid in your investigation):
>>>>
>>> I did, but found nothing unusual. 
>>>
>>> If no one can confirm this, it is a problem on my system!
> 
> Cheers,
> David.
> 

-- 
 "The most violent element in society is ignorance" rEG
Reply to: