Re: Security hole in LXDE?
Hi Tomas
> Hm. I'm not sure I've got that one right. Who has allowed the standard
> user to execute applications with root rights? How?
It was me, beeing haven asked by of the root password and (of course) gave the
correct one, I allowed the user, to start applications with root rights
(besides, I am the user and root, as i is my personal computer)
>
> > I also found out, that the user is in group "sudo", but got no entry in
> > /etc/ sudoers.
>
> Again: who "got no entry in /etc/sudoers"? The user in question? Or the
> group "sudo"?
It is the user, whom I allowed, to the above.
> > Seems so. I'm still confused: I don't know whether the desktop environment
> is the one granting you root privileges (I can't help with that; I don't
> "do" desktop environments) or whether it is sudo (or whether it is the
> DE based on the sudo settings).
No, no, the desktop just edits the settings, after a correct given root
password, to start the special applications with root right sin future times.
>
> The sudo part is pretty easy to find out (no clickety way, sorry). Try,
> in a shell those two things:
>
> sudo ls
>
Gives the same als "ls".
> sudo synaptic
sudo synaptic
sudo: Hostname protheus1 kann nicht aufgelöst werden
No protocol specified
Unable to init server: Verbindung ist gescheitert:Verbindungsaufbau abgelehnt
(synaptic:25373): Gtk-WARNING **: cannot open display: :0
>
> What happens in each case? Do you get a password prompt? Is synaptic
> started in user mode or in root mode?
>
No, as it is not root's environment, but the users one. However, su -p does
the trick.
> > So, my question: How can I get this all back. A graphical solution is
> > preferred, of course I knnow, I can edit /etc/groups and other things
> > manually. But if there is a "clicky"-way, this will be preferred.
>
> Be careful when editing /etc/groups. There are things for that like
> adduser and addgroup. To remove your user from group sudo:
>
> sudo deluser <username> sudo
>
> Whether that helps or not depends on all of the above, of course :-)
>
> But **first of all** you've got to get clear on what you want:
>
> - shall the regular user not be able to call synaptic in
> "root mode" _at all_?
>
The user shall not be able to start any application of with root rights.
> - yes, but only after entering root password?
>
Exactly.
> - yes, but only after entering her password?
>
No, this is the actual situation.
> regards
> -- tomás
Best
Hans
Reply to: