> OK, to recap: you started synaptics (as regular user), and for the first > time you were asked a password. You gave the root (not the user's) > password, and from then on you could start synaptics as a regular user > without having to enter a password. Is that right? >
Correct. Howver, this is an implemented option, to allow normal users to start applications with root rights. Note: Root has to allow this! > - there is a file /etc/sudoers > - the "user" (let's call him "hans") has *no* entry in /etc/sudoers > > Is that right? > Correct. The user "hans" has no entry in /etc/sudoers. Note, that the user hans is in group "sudo". groups hans lp uucp dialout cdrom floppy sudo audio dip video plugdev games users powerdev debian-tor netdev scanner wireshark kismet > That would be a typical setup (on my box it is exactly like that). The > group sudo is in the /etc/sudoers, and you give users sudo powers by > adding them to the sudo group. Typically things are set up in a way > that the user has still to enter *her* password. You can easily check > which groups a user is in with the "groups" command. In my box: > > tomas@rasputin:~$ groups tomas > tomas : tomas cdrom floppy sudo audio dip video plugdev scanner netdev > bluetooth kvm > > With this setup (and supposed /etc/sudoers has this: > > # Allow members of group sudo to execute any command > %sudo ALL=(ALL:ALL) ALL > > I can use sudo like so: > > tomas@rasputin:~$ sudo ls > [sudo] password for tomas: > 33c3 fr letters [...] > > Note that it asked me for a password. My password (not root). You can > configure /etc/sudoers to *not* ask for a password, to do it only for > certain commands and tons of other things (cf. man 5 sudoers). Sudo > remembers whithin a session, and for a limited time (default is 15 minutes) > the password given, so next command won't ask you, if you are quick enough. > Can be changed in /etc/sudoers. Just take a look at my sudoers (it is not secret) ---- snip ---- # # This file MUST be edited with the 'visudo' command as root. # # Please consider adding local content in /etc/sudoers.d/ instead of # directly modifying this file. # # See the man page for details on how to write a sudoers file. # Defaults env_reset Defaults mail_badpass Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/ bin:/sbin:/bin" # Host alias specification # User alias specification # Cmnd alias specification # User privilege specification root ALL=(ALL:ALL) ALL # Allow members of group sudo to execute any command %sudo ALL=(ALL:ALL) ALL # See sudoers(5) for more information on "#include" directives: #includedir /etc/sudoers.d ----snap --- > You mean: the desktop edits /etc/sudoers? I have had many reasons to kick > DEs out of my box many years ago, but this would be one reason more :-( > > Are you sure? Dunno. I mean more, the desdktop is changing settings. > > it's not the default. > > OK. Then obviously you have sudoers running, (1) your user (hans) is allowed > sudo (most probably via its group) and (2) either you have a NOPASSWD > policy, or (3) the credentials are cached from a previous successful sudo. > If you opened your shell explicitly for this experiment, that would almost > surely rule out (3). > > That's funny, but hasn't to do with our current problem. Probably sudo, by > stripping the environment, has dropped some vital environment variable > (f. ex. http_proxy or something). Might be fixable by invoking "sudo -E", > but let's forget about that for now, to not get side-tracked. > > Heh. So we reach the same conclusion. > > Never? Then removing (hans) from the sudo group seems to be the most > "standard" way of achieving that. > Now I'm confused. This contradicts the above. Perhaps you mean that the > user has to *login as root*. Sudo has the possibility to ask the root > password from the regular user instead of her own password (see the > rootpw, targetpw and runaspw flags in the sudoers(5) man page for all > the details). > > Aha. But the user password is still necessary? That is correct. The user has to enter his own password. > > OK. Perhaps you just prefer the "classic" su behaviour and don't need > sudo at all (still: I'd recommend getting used to sudo. I don't embrace > every novelty, but this one was, after getting used, quite nice). But > hey, it's your toolbox :) > > So just de-installing sudo might be an option for you (make sure your > package manager doesn't want to throw away half of your system -- I've > no idea what packages depend on sudo). > > regards > -- tomás Best Hans