Thanks for taking the time to report your issue. In this case, the tools
you're highlighting do not use sudo, but instead use policykit-1 to
verify privileges. In order to require the root password instead of your
user's password to operate those utilities, you'll need to modify your
policykit configuration to do so. Specifically, you'll need to override
the configuration in /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf;
you can do this by creating a conf file that begins with a higher number in
/etc/polkit-1/localauthority.conf.d/ (e.g. 60-local-admin.conf). Copying the
contents of /etc/polkit-1/localauthority.conf.d/50-localauthority.conf into it
(specifically setting 'AdminIdentities=unix-user:0') will cause policykit to
require the root password when authenticating for administrative privileges.

You can verify this by using pkexec as well as the other tools you
listed above; e.g. "pkexec date" should require the root password after
changing your configuration.

And of course, you'll want to be careful making changes to your
policykit configuration, as you could be creating a security exposure
for yourself.

** Package changed: sudo (Ubuntu) => policykit-1 (Ubuntu)

** Changed in: policykit-1 (Ubuntu)
       Status: New => Invalid

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to policykit-1 in Ubuntu.
https://bugs.launchpad.net/bugs/1643931
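The procedure from the comment above, as an added example (it is not code from the bug thread or from the policykit-1 package): one function writes the 60-local-admin.conf override, and a second one resolves the effective AdminIdentities the way the localauthority backend does, reading *.conf files in lexical order with the last AdminIdentities line winning. POLKIT_CONF_DIR and the function names are this example's own; the 51-ubuntu-admin.conf contents used for checking are a constructed stand-in for the real file.

```shell
# Added example, not part of the bug thread. Builds the override file the
# comment above describes and computes the AdminIdentities that polkit's
# localauthority backend will end up using. POLKIT_CONF_DIR is a hypothetical
# variable so the same functions can be exercised against a scratch directory.
POLKIT_CONF_DIR="${POLKIT_CONF_DIR:-/etc/polkit-1/localauthority.conf.d}"

# Write 60-local-admin.conf with the contents of 50-localauthority.conf
# (AdminIdentities=unix-user:0). The "60" prefix sorts after
# 51-ubuntu-admin.conf, so this value is read last and wins.
write_root_admin_override() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/60-local-admin.conf" <<'EOF'
[Configuration]
AdminIdentities=unix-user:0
EOF
}

# Resolve the effective AdminIdentities for a localauthority.conf.d directory:
# *.conf files are read in lexical order and a later AdminIdentities line
# replaces an earlier one.
effective_admin_identities() {
    dir="$1"
    value=""
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        v=$(sed -n 's/^AdminIdentities=//p' "$f" | tail -n 1)
        if [ -n "$v" ]; then
            value="$v"
        fi
    done
    printf '%s\n' "$value"
}

# True when admin authentication in that directory resolves to root only,
# i.e. pkexec and the polkit-using tools will prompt for the root password.
requires_root_password() {
    [ "$(effective_admin_identities "$1")" = "unix-user:0" ]
}
```

On a real system, run `write_root_admin_override "$POLKIT_CONF_DIR"` as root, then check with `requires_root_password "$POLKIT_CONF_DIR"` and finally with `pkexec date`, which should now ask for the root password rather than the invoking user's.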

Title:
  Security problem with Super User Authorization

Status in policykit-1 package in Ubuntu:
  Invalid

Bug description:
  luca@pc-sala:~$ lsb_release -rd
  Description:  Ubuntu 16.04.1 LTS
  Release:      16.04
  luca@pc-sala:~$ 

  luca@pc-sala:~$ apt-cache policy sudo
  sudo:
    Installed: 1.8.16-0ubuntu1.2
    Candidate: 1.8.16-0ubuntu1.2
    Version table:
   *** 1.8.16-0ubuntu1.2 500
          500 http://pe.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
          100 /var/lib/dpkg/status
       1.8.16-0ubuntu1 500
          500 http://pe.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
          500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
  luca@pc-sala:~$ 

  On my system I have 3 accounts (me, my wife and my son). My account is the
  only one that can use SUDO; the others are desktop users.
  I need to limit the access of my son (5 years old), so I had to put a
  password on my login, but my password was very strong: long and complicated.
  Otherwise I sometimes need to use SUDO (truecrypt, rsync with other devices,
  etc.).
  In order to simplify my login and keep the ability to use SUDO I activated
  the "targetpw" flag in sudoers, so now my login password is quite easy and the
  ROOT account has the strong password.
  It works, programs like synaptic, sudo, gksu and others accept the root
  password, but I found some very strange behaviour in some programs, for
  example:

  a) users-admin
  b) gnome-language-selector
  c) lightdm-gtk-greeter-settings-pkexec

  Those programs perform admin tasks, and I suppose that when they ask for
  password authorization they need the root password.
  No! They want my personal account password; the root password is not accepted.

  I think that this is not right, because my system now has a security
  weakness, and I don't know how many other programs have the same
  behaviour. This could be a serious security breach.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/policykit-1/+bug/1643931/+subscriptions
