Linux Mint: This forum is for the discussion of Linux Mint.
1) The 1st account is the only one in the sudo group
2) The 2nd account is a limited desktop user
3) The 3rd account is like #2
When accounts 2 or 3 are in use, one can click on something requiring root level privilege and get a prompt asking for the password of the 1st account, who is my only sudo member. Is it possible to stop that?
For example, pretend someone is in the 2nd account and clicks on Synaptic. That person would then have a prompt asking for the password of the 1st account, which is the sudo (Administrator) account. I don't want the 2nd and 3rd accounts on this system to even have the ability to input the sudo password, even if it is known.
Is it possible to create this restriction? If yes, then how?
Basically, I only want the 1st account to be able to gain elevated privilege. I don't want the 2nd and 3rd accounts able to gain elevated privilege, even if those users know the proper password.
Other users should not have access to your password. That is a basic security practice. There should be no "even if it is known." It should not be known.
The first thing to do is to change the password for account number 1, the one with legitimate sudo privileges, and not reveal it to accounts 2 and 3. If the sudoers file is configured properly, that should take care of this issue.
With that set, even if they know your password, they cannot log in as another user if they are not a member of the sudo group. So, they will probably not be able to do anything even if they guess your password.
Quote:
Other users should not have access to your password. That is a basic security practice. There should be no "even if it is known." It should not be known.
Exactly. PAM serves just as another layer, to prevent others from "guessing" your password.
Let me clarify. Currently I am the only person using this system even though it has 3 accounts (administrator plus 2 regular users).
In the future, I would not expect any regular user to know my Administration (sudo) password. However, I noticed that the system asked for the Administration (sudo) password while I was testing the 2 regular user accounts. Those 2 regular user accounts are not in the sudo group. Only my 1st account (Administrator) is in the sudo group.
Are you folks saying that even if a regular user account gets an "Enter password for XYZ" message (Where XYZ is my only sudo group member) that the system would not accept the password, even if it is correct, because that regular user is not a sudo group member?
It's a shoddy mess that on the surface aims to provide a similar functionality as sudo, minus the flexibility and granularity. pkexec has no redeeming features as far as I can tell. It's rather lacking in all areas. I have no qualms about people trying new things or even revisiting old things in new ways, but I am adamant that they ought to be a clear improvement before inclusion in a mainstream distro, but then the decision process these days seems bizarre to say the least.
Anyway, it's just a heads up that if your DE is ignoring your sudoers file, then you might have uncovered a pkexec backdoor. I haven't looked into how to disable it. The configuration documentation shows a convoluted disorganized tangle.
Not sure, do not use Mint Mate. But feel free to report it here: https://bugs.launchpad.net/linuxmint. Also, did you try to set /etc/pam.d/su as suggested?
No, I haven't gotten that far yet. I want to search for other options before trying that.