Re: [SOLVED] Re: Security hole in LXDE?
On Tue 07 Mar 2017 at 09:05:03 +0100, to...@tuxteam.de wrote: > On Mon, Mar 06, 2017 at 08:53:39PM +, Brian wrote: > > [...] > > > I'll reconstruct my previous response. If there is no root password, > > (a bad idea, see my other post) > > > sudo is installed and the "first user" is put into the sudo group. > > I've no proof for that, but yes, that corresponds to my experience > (in a somewhat fuzzy, mushy sense). Obtain the proof, then. I'll mention the user-setup-udeb package again. -- Brian.
Re: [SOLVED] Re: Security hole in LXDE?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Mon, Mar 06, 2017 at 08:53:39PM +, Brian wrote: [...] > I'll reconstruct my previous response. If there is no root password, (a bad idea, see my other post) > sudo is installed and the "first user" is put into the sudo group. I've no proof for that, but yes, that corresponds to my experience (in a somewhat fuzzy, mushy sense). Regards - -- tomás -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.12 (GNU/Linux) iEYEARECAAYFAli+aa8ACgkQBcgs9XrR2kbv4ACff9GeeScZgZHryA6FtYQzInnz gQUAn0Mjt3YsQ6dcnuSPspmTtc+I5xaR =mZT6 -END PGP SIGNATURE-
Re: [SOLVED] Re: Security hole in LXDE?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Mon, Mar 06, 2017 at 08:58:25PM +, Joe wrote: [...] > A member of the sudo group has permanent root privileges. He might as > well simply login as root every day, and not bother with another user. Sorry, I've to disagree. It's a question of ergonomics. To some people (may be not for you, and that's fine) it does make a difference to have to invoke sudo and being prompted for a password (e.g. raise the level of awareness, notice when an obscure app is trying to gain privileges, whatever). I switched from a su oriented setup to a sudo oriented setup many moons ago and the ergonomy WorksForMe. Stating things in as an absolute way as you did above is almost always wrong. Or: All generalizations suck ;-) > My understanding of the use of the sudo group was for multiple server > admins, not workstation users. Why that? My only beef with the general exodus to sudo is that some (I think the first was Ubuntu) thought you could do away with root password. Until... you are in front of a box where the root file system check failed and it prompts you for the root password for rescue. Sudo? HAH. Again: all absolutes are wrong, as I said :-) regards - -- t -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.12 (GNU/Linux) iEYEARECAAYFAli+aS8ACgkQBcgs9XrR2kbCEgCdFZOKtyuroWvHTKgJc1VZVNk6 sf0AnRpLBaAfOQGFbRkwJkTvo4ryBaC7 =BeJ3 -END PGP SIGNATURE-
Re: [SOLVED] Re: Security hole in LXDE?
On Mon, 6 Mar 2017 20:47:50 + (UTC) Curt wrote: > On 2017-03-06, Joe wrote: > > > > Who said anything about lpadmin? The question is about the wisdom of > > automatically including someone in the sudo group, which in a > > default Debian sudoers file, gives full root privileges to > > everything, using the user's password. > > > > We have someone saying this happens, someone else saying it > > doesn't, I don't know as I haven't done a recent installation, and > > the thread was started by someone who says it did happen to him. > > > > I've only used the installer up to and including Wheezy and have > always created a root password. But if I hadn't (created a root > password) then I suppose I would've been included in the sudo group > with full administrative privileges. If not, how would or does the > person installing the OS (who is therefore, ipso facto, IMO, the > administrator of the machine) do anything administratively? And what > difference would it make security-wise to put the "first user" in the > sudo group when she or he could have gotten there anyway by simply > creating a root password and foregoing sudo altogether? Or am being > stupid here, missing something obvious? > A member of the sudo group has permanent root privileges. He might as well simply login as root every day, and not bother with another user. My understanding of the use of the sudo group was for multiple server admins, not workstation users. -- Joe
Re: [SOLVED] Re: Security hole in LXDE?
On Mon 06 Mar 2017 at 19:57:25 +, Joe wrote: > On Mon, 6 Mar 2017 19:36:40 + > Brian wrote: > > > On Mon 06 Mar 2017 at 18:59:18 +, Joe wrote: > > > > > On Mon, 6 Mar 2017 13:40:45 -0500 > > > Greg Wooledge wrote: > > > > > > > On Mon, Mar 06, 2017 at 06:31:46PM +, Joe wrote: > > > > > Debian appears to use the group 'sudo' as an administrative > > > > > group, where some other distributions use 'wheel'. > > > > > > > > > > I would not have thought that users would be added to it by > > > > > default, there are no members on my sid/xfce4 workstation. > > > > > Indeed, up to Jessie, sudo was not installed at all by default, > > > > > and may still not be. > > > > > > > > If you use the regular Debian installer, the user account that you > > > > create during installation gets added to a lot of these special > > > > groups (sudo, cdrom, floppy, audio, video, ...?). Users that you > > > > create post-installtion using adduser or useradd do not. > > > > > > > > > > New behaviour, then, my current sid was installed as wheezy, I added > > > sudo manually early on, but as it was not installed by default, it > > > would not have added the installing user to a sudo group. I'm > > > certainly not a member of that group, and have no wish to be. > > > > The "first user" is not in the sudo group. The place to check this > > is the templates file in the user-setup-udeb package. > > > > > Possibly I'm missing something, but doesn't this repeat the Windows > > > mistake of automatically giving the user admin privileges? Isn't > > > that the main reason for the existence of so many Windows viruses? > > > > Look at it this way. The "first user" wishes to set up a printer. Is > > it better for the user to be granted very limited privileges by being > > in the lpadmin group or to become root to carry out the task? > > > > Who said anything about lpadmin? The question is about the wisdom of > automatically including someone in the sudo group, which in a default > Debian sudoers file, gives full root privileges to everything, using the > user's password. > > We have someone saying this happens, someone else saying it doesn't, I > don't know as I haven't done a recent installation, and the thread was > started by someone who says it did happen to him. I'll reconstruct my previous response. If there is no root password, sudo is installed and the "first user" is put into the sudo group. -- Brian.
Re: [SOLVED] Re: Security hole in LXDE?
On 2017-03-06, Joe wrote: > > Who said anything about lpadmin? The question is about the wisdom of > automatically including someone in the sudo group, which in a default > Debian sudoers file, gives full root privileges to everything, using the > user's password. > > We have someone saying this happens, someone else saying it doesn't, I > don't know as I haven't done a recent installation, and the thread was > started by someone who says it did happen to him. > I've only used the installer up to and including Wheezy and have always created a root password. But if I hadn't (created a root password) then I suppose I would've been included in the sudo group with full administrative privileges. If not, how would or does the person installing the OS (who is therefore, ipso facto, IMO, the administrator of the machine) do anything administratively? And what difference would it make security-wise to put the "first user" in the sudo group when she or he could have gotten there anyway by simply creating a root password and foregoing sudo altogether? Or am being stupid here, missing something obvious? -- "It might be a vision--of a shell, of a wheelbarrow, of a fairy kingdom on the far side of the hedge; or it might be the glory of speed; no one knew." --Mrs. Ramsay, speculating on why her little daughter might be dashing about, in "To the Lighthouse," by Virginia Woolf.
Re: [SOLVED] Re: Security hole in LXDE?
On Mon, 6 Mar 2017 19:36:40 + Brian wrote: > On Mon 06 Mar 2017 at 18:59:18 +, Joe wrote: > > > On Mon, 6 Mar 2017 13:40:45 -0500 > > Greg Wooledge wrote: > > > > > On Mon, Mar 06, 2017 at 06:31:46PM +, Joe wrote: > > > > Debian appears to use the group 'sudo' as an administrative > > > > group, where some other distributions use 'wheel'. > > > > > > > > I would not have thought that users would be added to it by > > > > default, there are no members on my sid/xfce4 workstation. > > > > Indeed, up to Jessie, sudo was not installed at all by default, > > > > and may still not be. > > > > > > If you use the regular Debian installer, the user account that you > > > create during installation gets added to a lot of these special > > > groups (sudo, cdrom, floppy, audio, video, ...?). Users that you > > > create post-installtion using adduser or useradd do not. > > > > > > > New behaviour, then, my current sid was installed as wheezy, I added > > sudo manually early on, but as it was not installed by default, it > > would not have added the installing user to a sudo group. I'm > > certainly not a member of that group, and have no wish to be. > > The "first user" is not in the sudo group. The place to check this > is the templates file in the user-setup-udeb package. > > > Possibly I'm missing something, but doesn't this repeat the Windows > > mistake of automatically giving the user admin privileges? Isn't > > that the main reason for the existence of so many Windows viruses? > > Look at it this way. The "first user" wishes to set up a printer. Is > it better for the user to be granted very limited privileges by being > in the lpadmin group or to become root to carry out the task? > Who said anything about lpadmin? The question is about the wisdom of automatically including someone in the sudo group, which in a default Debian sudoers file, gives full root privileges to everything, using the user's password. We have someone saying this happens, someone else saying it doesn't, I don't know as I haven't done a recent installation, and the thread was started by someone who says it did happen to him. -- Joe
Re: [SOLVED] Re: Security hole in LXDE?
Greg Wooledge: > On Mon, Mar 06, 2017 at 06:31:46PM +, Joe wrote: >> Debian appears to use the group 'sudo' as an administrative group, >> where some other distributions use 'wheel'. >> >> I would not have thought that users would be added to it by default, >> there are no members on my sid/xfce4 workstation. Indeed, up to Jessie, >> sudo was not installed at all by default, and may still not be. > > If you use the regular Debian installer, the user account that you > create during installation gets added to a lot of these special groups > (sudo, cdrom, floppy, audio, video, ...?). Users that you create > post-installtion using adduser or useradd do not. On an Debian-lxde installer you are asked for a root pass and then a username/pass As I remember before you manually add a user in the user group the sudo command results to error. Before I figured it out I had to use su instead and any admin-package required user:root and pass to run. After adding a user in the sudo list all such packages ask for the user's pass. I think it is a sensible policy. -- "The most violent element in society is ignorance" rEG
Re: [SOLVED] Re: Security hole in LXDE?
On Mon 06 Mar 2017 at 18:59:18 +, Joe wrote: > On Mon, 6 Mar 2017 13:40:45 -0500 > Greg Wooledge wrote: > > > On Mon, Mar 06, 2017 at 06:31:46PM +, Joe wrote: > > > Debian appears to use the group 'sudo' as an administrative group, > > > where some other distributions use 'wheel'. > > > > > > I would not have thought that users would be added to it by default, > > > there are no members on my sid/xfce4 workstation. Indeed, up to > > > Jessie, sudo was not installed at all by default, and may still not > > > be. > > > > If you use the regular Debian installer, the user account that you > > create during installation gets added to a lot of these special groups > > (sudo, cdrom, floppy, audio, video, ...?). Users that you create > > post-installtion using adduser or useradd do not. > > > > New behaviour, then, my current sid was installed as wheezy, I added > sudo manually early on, but as it was not installed by default, it > would not have added the installing user to a sudo group. I'm certainly > not a member of that group, and have no wish to be. The "first user" is not in the sudo group. The place to check this is the templates file in the user-setup-udeb package. > Possibly I'm missing something, but doesn't this repeat the Windows > mistake of automatically giving the user admin privileges? Isn't that > the main reason for the existence of so many Windows viruses? Look at it this way. The "first user" wishes to set up a printer. Is it better for the user to be granted very limited privileges by being in the lpadmin group or to become root to carry out the task? -- Brian.
Re: [SOLVED] Re: Security hole in LXDE?
On Mon, 6 Mar 2017 13:40:45 -0500 Greg Wooledge wrote: > On Mon, Mar 06, 2017 at 06:31:46PM +, Joe wrote: > > Debian appears to use the group 'sudo' as an administrative group, > > where some other distributions use 'wheel'. > > > > I would not have thought that users would be added to it by default, > > there are no members on my sid/xfce4 workstation. Indeed, up to > > Jessie, sudo was not installed at all by default, and may still not > > be. > > If you use the regular Debian installer, the user account that you > create during installation gets added to a lot of these special groups > (sudo, cdrom, floppy, audio, video, ...?). Users that you create > post-installtion using adduser or useradd do not. > New behaviour, then, my current sid was installed as wheezy, I added sudo manually early on, but as it was not installed by default, it would not have added the installing user to a sudo group. I'm certainly not a member of that group, and have no wish to be. Possibly I'm missing something, but doesn't this repeat the Windows mistake of automatically giving the user admin privileges? Isn't that the main reason for the existence of so many Windows viruses? -- Joe
Re: [SOLVED] Re: Security hole in LXDE?
On Mon, Mar 06, 2017 at 06:31:46PM +, Joe wrote: > Debian appears to use the group 'sudo' as an administrative group, > where some other distributions use 'wheel'. > > I would not have thought that users would be added to it by default, > there are no members on my sid/xfce4 workstation. Indeed, up to Jessie, > sudo was not installed at all by default, and may still not be. If you use the regular Debian installer, the user account that you create during installation gets added to a lot of these special groups (sudo, cdrom, floppy, audio, video, ...?). Users that you create post-installtion using adduser or useradd do not.
Re: [SOLVED] Re: Security hole in LXDE?
On Mon, 06 Mar 2017 18:28:25 +0100 Hans wrote: > Closing my first report. When I deleted the user from the group > "sudo", everything worked back as normal. > > Debian appears to use the group 'sudo' as an administrative group, where some other distributions use 'wheel'. I would not have thought that users would be added to it by default, there are no members on my sid/xfce4 workstation. Indeed, up to Jessie, sudo was not installed at all by default, and may still not be. -- Joe
[SOLVED] Re: Security hole in LXDE?
Closing my first report. When I deleted the user from the group "sudo", everything worked back as normal. However, IMO the user must additionally be in /et/suders to get the described behaviour working. What is sure: Either KDE or LXDE gave me the opportunity (by using the root password), to remember the passsword and let users execute applications (like synaptic) s root. I am glad, to find the reason at h eend. There is nothing more annoying, than not to kow, what is going on. Thank you all for your help and your thoughts abut this problem! I love the community! Best regards Hans