[Touch-packages] [Bug 1643931] Re: Security problem with Super User Authorization

Fri, 25 Nov 2016 07:46:29 -0800 

Thank you so much for the help.
Now everything work.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to policykit-1 in Ubuntu.
https://bugs.launchpad.net/bugs/1643931

Title:
  Security problem with Super User Authorization

Status in policykit-1 package in Ubuntu:
  Invalid

Bug description:
  luca@pc-sala:~$ lsb_release -rd
  Description:  Ubuntu 16.04.1 LTS
  Release:      16.04
  luca@pc-sala:~$ 

  luca@pc-sala:~$ apt-cache policy sudo
  sudo:
    Instalados: 1.8.16-0ubuntu1.2
    Candidato:  1.8.16-0ubuntu1.2
    Tabla de versiĆ³n:
   *** 1.8.16-0ubuntu1.2 500
          500 http://pe.archive.ubuntu.com/ubuntu xenial-updates/main amd64 
Packages
          100 /var/lib/dpkg/status
       1.8.16-0ubuntu1 500
          500 http://pe.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
          500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
  luca@pc-sala:~$ 

  On my system I have 3 accounts (me, my wife and my son), My account is the 
only that can use SUDO, the others are desktop users.
  I need to limit the access to my son (5 years old), so I had to put the 
password to my login, but my password was very strong: large and complicate. 
Otherwise I need to use sometimes SUDO (truecrypt, rsync with other devices, 
etc.).
  In order to simplify my login and keep the ability to use SUDO I activated 
the "targetpw" flag in sudoers, so now my login password is quite easy and ROOT 
account has the strong password.
  It works, programs like synaptic, sudo, gksu and others accept the root 
password, but I found a very very strange behaviours in some programs, for 
example:

  a) users-admin
  b) gnome-language-selector
  c) lightdm-gtk-greeter-settings-pkexec

  Those programs perform admin tasks and I suppose that when they ask for the 
password authorization they need the root password.
  No! They want my personal account password, the root password is not accepted.

  I think that this is not right, because my system now has a security
  weakness, and I don't know how many other programs have the same
  behaviour. This could be a serious security breach.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/policykit-1/+bug/1643931/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to