Re: Security hole in LXDE?

To: debian-user@lists.debian.org
Subject: Re: Security hole in LXDE?
From: Hans <hans.ullrich@loop.de>
Date: Thu, 02 Mar 2017 14:32:19 +0100
Message-id: <[🔎] 1857514.Amd6fi56zX@protheus1>
In-reply-to: <[🔎] 20170302131259.GA23864@tuxteam.de>
References: <7419461.KfDLPVJcsL@protheus1> <[🔎] 5578378.u6O0tEx47v@protheus1> <[🔎] 20170302131259.GA23864@tuxteam.de>

> OK, to recap: you started synaptics (as regular user), and for the first
> time you were asked a password. You gave the root (not the user's)
> password, and from then on you could start synaptics as a regular user
> without having to enter a password. Is that right?
> 

Correct. Howver, this is an implemented option, to allow normal users to start 
applications with root rights. Note: Root has to allow this!

>  - there is a file /etc/sudoers
>  - the "user" (let's call him "hans") has *no* entry in /etc/sudoers
> 
> Is that right?
> 

Correct. The user "hans" has no entry in /etc/sudoers. Note, that the user 
hans is in group "sudo".

groups
hans lp uucp dialout cdrom floppy sudo audio dip video plugdev games users 
powerdev debian-tor netdev scanner wireshark kismet

> That would be a typical setup (on my box it is exactly like that). The
> group sudo is in the /etc/sudoers, and you give users sudo powers by
> adding them to the sudo group. Typically things are set up in a way
> that the user has still to enter *her* password. You can easily check
> which groups a user is in with the "groups" command. In my box:
> 
>   tomas@rasputin:~$ groups tomas
>   tomas : tomas cdrom floppy sudo audio dip video plugdev scanner netdev
> bluetooth kvm
> 
> With this setup (and supposed /etc/sudoers has this:
> 
>   # Allow members of group sudo to execute any command
>   %sudo   ALL=(ALL:ALL) ALL
> 
> I can use sudo like so:
> 
>   tomas@rasputin:~$ sudo ls
>   [sudo] password for tomas:
>   33c3              fr               letters [...]
> 
> Note that it asked me for a password. My password (not root). You can
> configure /etc/sudoers to *not* ask for a password, to do it only for
> certain commands and tons of other things (cf. man 5 sudoers). Sudo
> remembers whithin a session, and for a limited time (default is 15 minutes)
> the password given, so next command won't ask you, if you are quick enough.
> Can be changed in /etc/sudoers.

Just take a look at my sudoers (it is not secret)

---- snip ----

#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/
bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

----snap ---

> You mean: the desktop edits /etc/sudoers? I have had many reasons to kick
> DEs out of my box many years ago, but this would be one reason more :-(
> 
> Are you sure?

Dunno. I mean more, the desdktop is changing settings.
> 
> it's not the default.
> 
> OK. Then obviously you have sudoers running, (1) your user (hans) is allowed
> sudo (most probably via its group) and (2) either you have a NOPASSWD
> policy, or (3) the credentials are cached from a previous successful sudo.
> If you opened your shell explicitly for this experiment, that would almost
> surely rule out (3).
> 
> That's funny, but hasn't to do with our current problem. Probably sudo, by
> stripping the environment, has dropped some vital environment variable
> (f. ex. http_proxy or something). Might be fixable by invoking "sudo -E",
> but let's forget about that for now, to not get side-tracked.
> 
> Heh. So we reach the same conclusion.
> 
> Never? Then removing (hans) from the sudo group seems to be the most
> "standard" way of achieving that.

> Now I'm confused. This contradicts the above. Perhaps you mean that the
> user has to *login as root*. Sudo has the possibility to ask the root
> password from the regular user instead of her own password (see the
> rootpw, targetpw and runaspw flags in the sudoers(5) man page for all
> the details).
> 
> Aha. But the user password is still necessary?

That is correct. The user has to enter his own password.
> 
> OK. Perhaps you just prefer the "classic" su behaviour and don't need
> sudo at all (still: I'd recommend getting used to sudo. I don't embrace
> every novelty, but this one was, after getting used, quite nice). But
> hey, it's your toolbox :)
> 
> So just de-installing sudo might be an option for you (make sure your
> package manager doesn't want to throw away half of your system -- I've
> no idea what packages depend on sudo).
> 
> regards
> -- tomás

Best 

Hans

Reply to:

Follow-Ups:
- Re: Security hole in LXDE?
  - From: <tomas@tuxteam.de>

References:
- Re: Security hole in LXDE?
  - From: Hans <hans.ullrich@loop.de>
- Re: Security hole in LXDE?
  - From: <tomas@tuxteam.de>

Prev by Date: Re: Security hole in LXDE?
Next by Date: Re: Security hole in LXDE?
Previous by thread: Re: Security hole in LXDE?
Next by thread: Re: Security hole in LXDE?
Index(es):
- Date
- Thread