[Bug 59946] Re: Admin tools require admin group membership

[Loïc Minier]

NB: The resolution of this bug caused bug #124993 as the gconf settings
are now read as root instead of as $user.

The long term fix is probably to move to PolicyKit.  Alternatively, if
it's not ready yet, it might be possible to switch group instead of
switching user, for example sg stb or gksg stb, but this isn't
supported by gksu yet.

-- 
Admin tools require admin group membership
https://bugs.launchpad.net/bugs/59946
You received this bug notification because you are a member of Ubuntu
Bugs, which is the bug contact for Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Re: [Bug 59946] Re: Admin tools require admin group membership

[Martin Pitt]

Hi Floris,

Floris Kruisselbrink (vloris) [2007-03-08 22:46 -]:
 The gnome-system-tools have stopped working for me completely now in
 Feisty Fawn. I'm not sure since when, when it doesn't work, my first
 reaction is I can do this faster on commandline, so lets do so.

Can you please open a new bug about your problem? This bug is closed
and forgotten for a long time.

-- 
Admin tools require admin group membership
https://launchpad.net/bugs/59946

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 59946] Re: Admin tools require admin group membership

[Floris Kruisselbrink \(vloris\)]

The gnome-system-tools have stopped working for me completely now in
Feisty Fawn. I'm not sure since when, when it doesn't work, my first
reaction is I can do this faster on commandline, so lets do so.

Right now, all tools show start up nice, ask for a password, but then show an 
empty list (empty userlist, empty sharelist, empty services list, etc.)
When started from a terminal, it gives me this warning:

[EMAIL PROTECTED]:~$ gksu services-admin
(services-admin:17446): Liboobs-WARNING **: There was an unknown error 
communicating with the backends: Message did not receive a reply (timeout by 
message bus)

It starts up, but shows an empty services list

-- 
Admin tools require admin group membership
https://launchpad.net/bugs/59946

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 59946] Re: Admin tools require admin group membership

[Michael Vogt]

** Tags removed: verification-needed

-- 
Admin tools require admin group membership
https://launchpad.net/bugs/59946

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 59946] Re: Admin tools require admin group membership

[Martin Pitt]

Accepted into edgy-updates. Thanks for preparing!

** Changed in: xubuntu-system-tools (Ubuntu)
   Status: Confirmed = Fix Committed

-- 
Admin tools require admin group membership
https://launchpad.net/bugs/59946

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 59946] Re: Admin tools require admin group membership

[Martin Pitt]

Erm, of course I meant 'accepted into edgy-proposed'. Sorry for the
typo.

-- 
Admin tools require admin group membership
https://launchpad.net/bugs/59946

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 59946] Re: Admin tools require admin group membership

[Simon Law]

xubuntu-system-tools has been regression tested and it looks good.
x-s-t is approved for upload to edgy-updates.

Thanks!

** Tags added: verification-done

-- 
Admin tools require admin group membership
https://launchpad.net/bugs/59946

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 59946] Re: Admin tools require admin group membership

[Martin Pitt]

All packages uploaded to edgy-updates and accepted.

** Changed in: gnome-system-tools (Ubuntu Edgy)
   Status: Fix Committed = Fix Released

-- 
Admin tools require admin group membership
https://launchpad.net/bugs/59946

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 59946] Re: Admin tools require admin group membership

[Martin Pitt]

... including x-s-t.

** Changed in: xubuntu-system-tools (Ubuntu)
   Status: Fix Committed = Fix Released

-- 
Admin tools require admin group membership
https://launchpad.net/bugs/59946

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 59946] Re: Admin tools require admin group membership

[Simon Law]

gnome-system-tools, system-tools-backends, gnome-panel, gnome-applets,
and gnome-netstatus are approved for upload into edgy-updates.  They
have been regression tested to continue setting preferences while
requiring password authentication.

gnome-nettool has not been tested, so it will break in Edgy.  But Séb is
working on a separate SRU for that.

xubuntu-system-tools has also not been tested.

-- 
Admin tools require admin group membership
https://launchpad.net/bugs/59946

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 59946] Re: Admin tools require admin group membership

[Jani Monoses]

x-s-t has not yet been approved for proposed so it cannot be easily tested.
If the new system-tools-backends goes in edgy-updates it can break un-updated 
x-s-t, as is the case now for those xubuntu users who have ubuntu-proposed in 
their sources list.

-- 
Admin tools require admin group membership
https://launchpad.net/bugs/59946

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 59946] Re: Admin tools require admin group membership

[Colin Watson]

http://librarian.launchpad.net/5767658/d.diff approved for edgy-
proposed, but please mention this bug number in the changelog too. Also,
isn't there a debian/patches/00list file that needs to be edited to
include the crash fix from Sebastien, as there was for gnome-system-
tools?

After talking with Simon, this set of updates shouldn't go into edgy-
updates until xubuntu-system-tools is ready, but I'm willing to waive
the aging requirement as long as the Xubuntu guys have tested this
thoroughly. Simon says that he'll go and talk to you about the required
level of testing.

-- 
Admin tools require admin group membership
https://launchpad.net/bugs/59946

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 59946] Re: Admin tools require admin group membership

[Gauvain Pocentek]

I'm testing the patches, and will upload if it's OK.

-- 
Admin tools require admin group membership
https://launchpad.net/bugs/59946

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 59946] Re: Admin tools require admin group membership

[Jani Monoses]

Colin, thanks for approving. There's no 00list file as x-s-t uses CDBS so the 
patch being there does it. Gauvain, feel free to upload if the diff works for 
you, then please ping the xubuntu-devel list thread of two weeks ago so people 
complaining about the breakage
update and test again. Thanks.

-- 
Admin tools require admin group membership
https://launchpad.net/bugs/59946

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 59946] Re: Admin tools require admin group membership

[Gauvain Pocentek]

The patch works fine for me. I've added a reference to the bug number,
added the missing line in the changelog, and uploaded to edgy-proposed.

-- 
Admin tools require admin group membership
https://launchpad.net/bugs/59946

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 59946] Re: Admin tools require admin group membership

[Jani Monoses]

This adds the same patch to x-s-t as g-s-t has, dropping the nautilus
bits as they are not built for x-s-t. Also added the two small patches
from bug 69566 that fix crashers and are already in edgy-updates for
g-s-t.

** Attachment added: x-s-t patch
   http://librarian.launchpad.net/5767658/d.diff

-- 
Admin tools require admin group membership
https://launchpad.net/bugs/59946

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 59946] Re: Admin tools require admin group membership

[Jani Monoses]

** Also affects: xubuntu-system-tools (Ubuntu)
   Importance: Undecided
   Status: Unconfirmed

** Changed in: xubuntu-system-tools (Ubuntu)
   Status: Unconfirmed = Confirmed
   Target: None = edgy-updates

** Changed in: xubuntu-system-tools (Ubuntu)
   Importance: Undecided = High

-- 
Admin tools require admin group membership
https://launchpad.net/bugs/59946

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 59946] Re: Admin tools require admin group membership

[Colin Watson]

I've approved the second update to gnome-system-tools, uploaded by
Martin (http://librarian.launchpad.net/5593422/g-s-t.edgy-2.debdiff has
the diff).

-- 
Admin tools require admin group membership
https://launchpad.net/bugs/59946

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 59946] Re: Admin tools require admin group membership

[Jani Monoses]

this affects xubuntu-system-tools as well (it's still a separate source
package even if the same upstream tarball - Gauvain has a solution for
this), a corresponding debdiff and SRU will follow shortly as a separate
LP bug if required.

-- 
Admin tools require admin group membership
https://launchpad.net/bugs/59946

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Re: [Bug 59946] Re: Admin tools require admin group membership

[Matt Zimmerman]

On Tue, Jan 09, 2007 at 11:49:07AM -, Jani Monoses wrote:
 this affects xubuntu-system-tools as well (it's still a separate source
 package even if the same upstream tarball - Gauvain has a solution for
 this), a corresponding debdiff and SRU will follow shortly as a separate
 LP bug if required.

Please use the same bug if an update is required; open a separate task on
this one.

-- 
 - mdz

-- 
Admin tools require admin group membership
https://launchpad.net/bugs/59946

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 59946] Re: Admin tools require admin group membership

[Colin Watson]

Martin: http://librarian.launchpad.net/5593422/g-s-t.edgy-2.debdiff is
OK for edgy-proposed.

-- 
Admin tools require admin group membership
https://launchpad.net/bugs/59946

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 59946] Re: Admin tools require admin group membership

[Colin Watson]

Sebastien: Yes, I would be inclined to fix gnome-nettool in edgy.
http://librarian.launchpad.net/5484068/05_gksu_for_network_admin.patch
is OK with some appropriate changelog entry.

-- 
Admin tools require admin group membership
https://launchpad.net/bugs/59946

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 59946] Re: Admin tools require admin group membership

[Martin Pitt]

Colin: Thanks for review, I uploaded the new gnome-system-tools
2.15.5-0ubuntu5~prop2.

-- 
Admin tools require admin group membership
https://launchpad.net/bugs/59946

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 59946] Re: Admin tools require admin group membership

[Martin Pitt]

I fixed bug 76055 in Feisty and prepared and tested the bug fix for
Edgy, attaching debdiff. Apart from calling shares-admin with gksu in
the nautilus plugin, this also requires to fix shares-admin itself for
root operation. Its initialization function indirectly connects to the
session dbus (thus it didn't appear in the initial grep) and thus needs
the same 'temporarily drop to SUDO_UID' patch as time-admin got.

OK to upload to -proposed?

** Attachment added: g-s-t debdiff for edgy-proposed followup
   http://librarian.launchpad.net/5593422/g-s-t.edgy-2.debdiff

-- 
Admin tools require admin group membership
https://launchpad.net/bugs/59946

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 59946] Re: Admin tools require admin group membership

[Sebastien Bacher]

bug #76055 has been opened about the edgy-proposed update, the shares-
admin feature for nautilus requite a patch to use gksu

-- 
Admin tools require admin group membership
https://launchpad.net/bugs/59946

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 59946] Re: Admin tools require admin group membership

[Sebastien Bacher]

fixed to feisty, I've patch gnome-nettool too, there was a similar bug
open on it

** Changed in: gnome-system-tools (Ubuntu)
   Status: Fix Committed = Fix Released

-- 
Admin tools require admin group membership
https://launchpad.net/bugs/59946

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 59946] Re: Admin tools require admin group membership

[Sebastien Bacher]

gnome-nettool was already lacking a change for that on dapper, that's
not a regression and we had only one bug about about it, not sure if we
want to backport the fixed to edgy

** Attachment added: patch for gnome-nettool
   http://librarian.launchpad.net/5484068/05_gksu_for_network_admin.patch

-- 
Admin tools require admin group membership
https://launchpad.net/bugs/59946

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 59946] Re: Admin tools require admin group membership

[Martin Pitt]

g-s-t and s-t-b are fixed in Feisty. Talked with Seb, he wants to apply
the remaining minor bits (panel, applets, netstatus) with the next round
of regular updates.

** Changed in: gnome-system-tools (Ubuntu)
 Assignee: Martin Pitt = Sebastien Bacher

-- 
Admin tools require admin group membership
https://launchpad.net/bugs/59946

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 59946] Re: Admin tools require admin group membership

[Colin Watson]

All fixes accepted into edgy-proposed. Please proceed to testing now.

** Changed in: gnome-system-tools (Ubuntu Edgy)
   Status: In Progress = Fix Committed

** Description changed:

  Binary package hint: gnome-system-tools
  
- On my edgy system, the tools bundled within gnome-system-tools can be 
launched without entering a password. Even by a user that shoult not be allowed 
to run it. Once launched, it still performs well, modifying the system without 
ANY check.
+ On my edgy system, the tools bundled within gnome-system-tools can be 
launched without entering a password. Even by a user that should not be allowed 
to run it. Once launched, it still performs well, modifying the system without 
ANY check.
  I am not sure that nothing is wrong with my system has it has been updated 
from dapper (from breezy).
  
  My /etc/sudoers looks like a default one :
  Defaults!lecture,tty_tickets,!fqdn
  rootALL=(ALL) ALL
  %admin  ALL=(ALL) ALL
  
  The binaries are not setuid, the UI run normally as a simple user.
  
  pitti: This should be fixed in Edgy, too, since it allows malicious
  programs (even things like a firefox plugin) to modify system settings.
  edgy-proposed debdiffs attached, explanations of patches are in comment
  41 and 42.

** Tags added: verification-needed

-- 
Admin tools require admin group membership
https://launchpad.net/bugs/59946

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 59946] Re: Admin tools require admin group membership

[Martin Pitt]

Updated s-t-b patch with an added conflicts to earlier system-tools that
didn't gksu.

** Attachment added: s-t-b debdiff for edgy-proposed
   http://librarian.launchpad.net/5404526/system-tools-backends.edgy.diff

-- 
Admin tools require admin group membership
https://launchpad.net/bugs/59946

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 59946] Re: Admin tools require admin group membership

[Martin Pitt]

Fixed memory leak, thank to Colin for spotting.

** Attachment added: gnome-applets debdiff for edgy-proposed
   http://librarian.launchpad.net/5395461/gnome-applets.edgy.diff

-- 
Admin tools require admin group membership
https://launchpad.net/bugs/59946

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 59946] Re: Admin tools require admin group membership

[Colin Watson]

All current patches from Martin approved for edgy-proposed.

-- 
Admin tools require admin group membership
https://launchpad.net/bugs/59946

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 59946] Re: Admin tools require admin group membership

[Martin Pitt]

Setting to 'in progress' to comply with SRU updating practice and
catching Colin's awareness.

** Changed in: gnome-system-tools (Ubuntu Edgy)
   Status: Fix Committed = In Progress

-- 
Admin tools require admin group membership
https://launchpad.net/bugs/59946

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 59946] Re: Admin tools require admin group membership

[Martin Pitt]

I have the fix ready for feisty, upload pending unfreezing the archive.

** Changed in: gnome-system-tools (Ubuntu)
 Assignee: Ubuntu Desktop Bugs = Martin Pitt
   Status: Confirmed = Fix Committed

-- 
Admin tools require admin group membership
https://launchpad.net/bugs/59946

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 59946] Re: Admin tools require admin group membership

[Martin Pitt]

** Changed in: gnome-system-tools (Ubuntu Edgy)
   Importance: Undecided = High
 Assignee: (unassigned) = Martin Pitt
   Status: Unconfirmed = In Progress

-- 
Admin tools require admin group membership
https://launchpad.net/bugs/59946

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 59946] Re: Admin tools require admin group membership

[Martin Pitt]

Patch for gnome-system-tools.

It changes all *.desktop files to execute the frontend through gksu, and
adds the 'X-KDE-SubstituteUID=true' flag, so that only administrators
will see the programs in the menu (this is what it looked like in
dapper).

The patch to time-tool is necessary because it connects to the user's
session dbus (no other g-s-t programs do), in order to poke the
screensaver to not start when changing the time. Since root does not
have a session bus when running though gksu, time-admin just hangs in
current edgy when run as root. The patch checks if time-admin runs as
root through sudo and temporarily drops the real uid to the user so that
dbus_bus_get (DBUS_BUS_SESSION, NULL) connects to the user's session
bus.

** Attachment added: g-s-t debdiff for edgy-proposed
   http://librarian.launchpad.net/5247795/gnome-system-tools.edgy.diff

-- 
Admin tools require admin group membership
https://launchpad.net/bugs/59946

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 59946] Re: Admin tools require admin group membership

[Martin Pitt]

Patch for gnome-system-tools.

It changes all *.desktop files to execute the frontend through gksu, and
adds the 'X-KDE-SubstituteUID=true' flag, so that only administrators
will see the programs in the menu (this is what it looked like in
dapper).

The patch to time-tool is necessary because it connects to the user's
session dbus (no other g-s-t programs do), in order to poke the
screensaver to not start when changing the time. Since root does not
have a session bus when running though gksu, time-admin just hangs in
current edgy when run as root. The patch checks if time-admin runs as
root through sudo and temporarily drops the real uid to the user so that
dbus_bus_get (DBUS_BUS_SESSION, NULL) connects to the user's session
bus.

** Attachment added: g-s-t debdiff for edgy-proposed
   http://librarian.launchpad.net/5247800/gnome-system-tools.edgy.diff

-- 
Admin tools require admin group membership
https://launchpad.net/bugs/59946

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 59946] Re: Admin tools require admin group membership

[Martin Pitt]

(Sorry for the previous double comment, LP timed out)

Patch for system-tools-backends.

This changes the s-t-b admin group from 'admin' to 'root', so that
/etc/dbus-1/system.d/system-tools-backends.conf does not allow access to
members of the admin group any more, i. e. it changes

  policy group=admin

to

  policy group=root


** Attachment added: s-t-b debdiff for edgy-proposed
   http://librarian.launchpad.net/5247805/system-tools-backends.edgy.diff

-- 
Admin tools require admin group membership
https://launchpad.net/bugs/59946

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 59946] Re: Admin tools require admin group membership

[Martin Pitt]

** Description changed:

  Binary package hint: gnome-system-tools
  
  On my edgy system, the tools bundled within gnome-system-tools can be 
launched without entering a password. Even by a user that shoult not be allowed 
to run it. Once launched, it still performs well, modifying the system without 
ANY check.
  I am not sure that nothing is wrong with my system has it has been updated 
from dapper (from breezy).
  
  My /etc/sudoers looks like a default one :
  Defaults!lecture,tty_tickets,!fqdn
  rootALL=(ALL) ALL
  %admin  ALL=(ALL) ALL
  
  The binaries are not setuid, the UI run normally as a simple user.
+ 
+ pitti: This should be fixed in Edgy, too, since it allows malicious
+ programs (even things like a firefox plugin) to modify system settings.
+ edgy-proposed debdiffs attached, explanations of patches are in comment
+ 41 and 42.

-- 
Admin tools require admin group membership
https://launchpad.net/bugs/59946

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 59946] Re: Admin tools require admin group membership

[Martin Pitt]

So it turned out that some more fixes are required in applets that call
one of the g-s-t tools. They have to be changed to run that tool through
gksudo.

First, clock-applet (from gnome-panel). The command string is fed
through g_shell_parse_argv(), thus the simple string change works.

This has been tested on edgy and feisty.

** Attachment added: gnome-panel debdiff for edgy-proposed
   http://librarian.launchpad.net/5248945/gnome-panel.edgy.diff

-- 
Admin tools require admin group membership
https://launchpad.net/bugs/59946

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 59946] Re: Admin tools require admin group membership

[Martin Pitt]

Next, modemlights in gnome-applets. Same approach, just here we need to
prepend 'gksu --' since network-admin is called with options, and gksu
must not process them.

** Attachment added: gnome-applets debdiff for edgy-proposed
   http://librarian.launchpad.net/5249210/gnome-applets.edgy.diff

-- 
Admin tools require admin group membership
https://launchpad.net/bugs/59946

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 59946] Re: Admin tools require admin group membership

[Martin Pitt]

And, last but not least, gnome-netstatus. Same old story, prepending
'gksu --' to the network-admin command callout.

** Attachment added: gnome-netstatus debdiff for edgy-proposed
   http://librarian.launchpad.net/5250750/gnome-netstatus.edgy.diff

-- 
Admin tools require admin group membership
https://launchpad.net/bugs/59946

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 59946] Re: Admin tools require admin group membership

[Sebastien Bacher]

I've discussed that with Martin on IRC during the week, that seems the
best way to me too and the patches look good

-- 
Admin tools require admin group membership
https://launchpad.net/bugs/59946

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 59946] Re: Admin tools require admin group membership

[Kurt]

Many people running ubuntu work with only one user (which is in the
administrator's group) - and this is also the default.

Considering this, it is really a great security risk that the admin
tools do not check the password because if the admin user gets
compromised, one can easily add a new user, log in as this one and do
everything.

This should be fixed as soon as possible. I know that edgy is not
considered as stable as dapper, but it is considered stable. Many people
are not aware that edgy does not have the same stability and that the
edgy release does probably have more security holes than dapper.

Maybe it might be the time for a discussion if a third branch between
the unstable and the stable one, probably something like testing in
Debian, might be useful to prevent the users who want a really stable
and secure system from using the releases like edgy because at this
point edgy can really not be considerated stabe and secure.

-- 
Admin tools require admin group membership
https://launchpad.net/bugs/59946

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Re: [Bug 59946] Re: Admin tools require admin group membership

[Sebastien Bacher]

Le mercredi 29 novembre 2006 à 20:19 +, Kurt a écrit :

 Considering this, it is really a great security risk that the admin
 tools do not check the password because if the admin user gets
 compromised, one can easily add a new user, log in as this one and do
 everything.

The admin user already has to be compromised. And if that happen
gnome-system-tools will probably not be the only problem you will have
then

 This should be fixed as soon as possible. I know that edgy is not
 considered as stable as dapper, but it is considered stable. Many people
 are not aware that edgy does not have the same stability and that the
 edgy release does probably have more security holes than dapper.

edgy is not a LTS but it's rather stable too

 Maybe it might be the time for a discussion if a third branch between
 the unstable and the stable one, probably something like testing in
 Debian, might be useful to prevent the users who want a really stable
 and secure system from using the releases like edgy because at this
 point edgy can really not be considerated stabe and secure.

Are you making that from that only bug? Adding complexity to the system
will not prevent bugs to happen. All the versions of Ubuntu are meant to
be stable and secure and I don't think that calling edgy unsecure is a
fair statement. Using those tools require to be logged with an user from
the admin group. Right asking for the password again is better, if
somebody can connect with your admin user you already a problem though

-- 
Admin tools require admin group membership
https://launchpad.net/bugs/59946

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Re: [Bug 59946] Re: Admin tools require admin group membership

[Matt Zimmerman]

On Wed, Nov 29, 2006 at 10:14:46PM -, Sebastien Bacher wrote:
 Are you making that from that only bug? Adding complexity to the system
 will not prevent bugs to happen. All the versions of Ubuntu are meant to
 be stable and secure and I don't think that calling edgy unsecure is a
 fair statement. Using those tools require to be logged with an user from
 the admin group. Right asking for the password again is better, if
 somebody can connect with your admin user you already a problem though

Verifying the user's identity with password authentication is an important
safeguard; we explicitly do not use NOPASSWD in sudoers for this reason, and
the lack of a check in Edgy is a regression.  The security team are
discussing potential ways to address this.

-- 
 - mdz

-- 
Admin tools require admin group membership
https://launchpad.net/bugs/59946

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 59946] Re: Admin tools require admin group membership

[Kurt]

Sebastien Bacher wrote:

Are you making that from that only bug? Adding complexity to the system
will not prevent bugs to happen. All the versions of Ubuntu are meant to
be stable and secure and I don't think that calling edgy unsecure is a
fair statement. Using those tools require to be logged with an user from
the admin group. Right asking for the password again is better, if
somebody can connect with your admin user you already a problem though



The philosophy of ubuntu (as I have understood it) is that you can use,
when you're a single user, the first user (which is an administrator)
for your daily work because at every change of the system you must enter
your password. Shurely it is much saver to use, in any case, a
unprivileged user for your daily work, but very few desktop user do it
because it is not very comfortable (e. g. you must change user if you
want to make installations; the notification of updates only shows up if
you're loged in as an administrator).

The problem of that bug are, in my opinion, other bugs which led to the
execution of code with the rights of the user.

Finally I do not considerate edgy completely unsecure or unstable; I
just considerate it not as stable as dapper.

-- 
Admin tools require admin group membership
https://launchpad.net/bugs/59946

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 59946] Re: Admin tools require admin group membership

[Christian Niemeyer]

For me the error occured when I wanted to disable some services via
services-admin. Accidentally I unchecked dbus. And since there was the
problem.

Fix:
Run Synaptic (should still work)
Re-Install following packages:
-gnome-system-tools
-system-tools-backend
-dbus
-libdbus-1-3
(or simply all packages in which names occur dbus, don't know exactly, so I 
did)

Now try to run services-admin again and check that dbus there is
enabled. Maybe Re-Login or Reboot is needed.

Hope this was helpful
Regards,
Chris

-- 
Admin tools require admin group membership
https://launchpad.net/bugs/59946

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 59946] Re: Admin tools require admin group membership

[Christian Niemeyer]

Sorry forgot something:

Now after Rebooting I experienced, that e.g. services-admin starts without 
asking permissions. Then you need to run alacarte menu editor and check the 
section System Administration and put gksu before these commands:
gksu gdmsetup
gksu users-admin
gksu time-admin
gksu services-admin
gksu network-admin

-- 
Admin tools require admin group membership
https://launchpad.net/bugs/59946

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 59946] Re: Admin tools require admin group membership

[Tom Verdaat]

Instructions by Justin Dugger solved my problem. I guess some kind of
check script should be pushed as an update of some sort, to make sure
this is solved on all systems.

Not that this matters in my case, I need to completely re-install Ubuntu
because of all the upgrade issues :(

-- 
Admin tools require admin group membership
https://launchpad.net/bugs/59946

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 59946] Re: Admin tools require admin group membership

[Affi]

After upgrade I was bitten by https://launchpad.net/bugs/69145 as I
initially installed Breezy, in March. I have now fixed the problem by
adding admin by hand, but what does admin signify that adm does
not?  My /etc/sudoers has adm and I was (and am) a member of adm,
but that was apparantly not enough for the new architecture.

-Affi

-- 
Admin tools require admin group membership
https://launchpad.net/bugs/59946

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 59946] Re: Admin tools require admin group membership

[Matt Zimmerman]

** Summary changed:

- run action as root without prompting for a password
+ Admin tools require admin group membership

-- 
Admin tools require admin group membership
https://launchpad.net/bugs/59946

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 59946] Re: Admin tools require admin group membership

[Aaron C. de Bruyn]

Darn.  I thought I had rebooted the box.  It's working now.

So apparently this is caused by an earlier version of Ubuntu (say
Dapper?) and when upgrading to Edgy the admin group isn't created?

-- 
Admin tools require admin group membership
https://launchpad.net/bugs/59946

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Re: [Bug 59946] Re: Admin tools require admin group membership

[Sebastien Bacher]

Le mardi 31 octobre 2006 à 16:23 +, Aaron C. de Bruyn a écrit :
 Darn.  I thought I had rebooted the box.  It's working now.
 
 So apparently this is caused by an earlier version of Ubuntu (say
 Dapper?) and when upgrading to Edgy the admin group isn't created?

that's happening for people who installed warty and are dist-upgrading
since that

-- 
Admin tools require admin group membership
https://launchpad.net/bugs/59946

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 59946] Re: Admin tools require admin group membership

[Tom Verdaat]

Breezy - Dapper - Edgy

Rebooted several times. Still not solved.

Maybe this helps. The username I'm using is 'tom' which was created
during the breezy installation. This user is in the following groups:

$ cat /etc/group |grep tom
adm:x:4:tom
dialout:x:20:tom,cupsys
cdrom:x:24:tom,hal,haldaemon
floppy:x:25:tom,hal,haldaemon
audio:x:29:tom
dip:x:30:tom
video:x:44:tom
plugdev:x:46:tom,hal,haldaemon
tom:x:1000:
lpadmin:x:104:tom
scanner:x:105:tom,cupsys,hplip

-- 
Admin tools require admin group membership
https://launchpad.net/bugs/59946

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 59946] Re: Admin tools require admin group membership

[Justin Dugger]

Tom,
Clearly the upgrade didn't add user tom to the admin group, or possibly even 
create one.  

Workaround: 
1. run gksudo users-admin
2. Click manage groups
3. Click add Group
4. Put admin as the name of the group, and put whatever users you want to 
allow to change system wide settings such as networking.
5. Close the users-admin program and reboot.

But thank you for clarifying that this persists from at original
installs of breezy, possibly dapper installs.

-- 
Admin tools require admin group membership
https://launchpad.net/bugs/59946

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs