
Thread: Guest Account is able to authenticate as root. Help!

  1. #1
    Join Date
    Mar 2011
    Location
    A land far, far, away...
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Guest Account is able to authenticate as root. Help!

    I am trying to use a guest account in Ubuntu 10.10 however I am unable to stop the guest account from authenticating as a superuser and gaining root permissions despite removing all permissions from the user-group control panel. The new guest account I created is not part of the admin group. However, with my new guest account I am unable to start a guest session from the panel, AND if I use the guest session from the panel I don't have the problem with the guest session being able to authenticate. How do I prevent super user authentication from an account in this situation? It seems that any account can authenticate and my /etc/sudoers file looks like this:

    # /etc/sudoers
    #
    # This file MUST be edited with the 'visudo' command as root.
    #
    # See the man page for details on how to write a sudoers file.
    #

    Defaults env_reset

    # Host alias specification

    # User alias specification

    # Cmnd alias specification

    # User privilege specification
    root ALL=(ALL) ALL

    # Allow members of group sudo to execute any command
    # (Note that later entries override this, so you might need to move
    # it further down)
    %sudo ALL=(ALL) ALL
    #
    #includedir /etc/sudoers.d

    # Members of the admin group may gain root privileges
    %admin ALL=(ALL) ALL

  2. #2
    Join Date
    Apr 2011
    Beans
    485

    Re: Guest Account is able to authenticate as root. Help!

    Have you tried removing the guest account from the sudo group as well?

    EDIT: Actually, I have no idea what I'm talking about, consider this a free bump.
    Last edited by Thewhistlingwind; June 25th, 2011 at 10:40 PM.
    Life is an extraordinarily long concatenation of luck and coincidence.

  3. #3
    Join Date
    May 2008
    Location
    SoCal
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Guest Account is able to authenticate as root. Help!

    Quote Originally Posted by ahears View Post
    I am trying to use a guest account in Ubuntu 10.10 however I am unable to stop the guest account from authenticating as a superuser and gaining root permissions despite removing all permissions from the user-group control panel.
    How did you create this guest account? How do you know it is authenticated as root? Root is the only super user. No other account can authenticate as root. Other accounts can temporarily run commands with root privileges (a loose description of what really happens) using sudo.

    What is the user name for this account? AFAIK the only accounts on a Linux host are root, system users (such as cdrom) or mortal users (humans).

    The new guest account I created is not part of the admin group. However, with my new guest account I am unable to start a guest session from the panel, AND if I use the guest session from the panel I don't have the problem with the guest session being able to authenticate.
    I'm lost here, not sure what you are saying. What do you mean by guest session?
    How do I prevent super user authentication from an account in this situation? It seems that any account can authenticate
    Once again; can you describe what you mean? What unexpected results are happening?

    and my

    /etc/sudoers file looks like this:

    # /etc/sudoers
    #
    # This file MUST be edited with the 'visudo' command as root.
    #
    # See the man page for details on how to write a sudoers file.
    #

    Defaults env_reset

    # Host alias specification

    # User alias specification

    # Cmnd alias specification

    # User privilege specification
    root ALL=(ALL) ALL

    # Allow members of group sudo to execute any command
    # (Note that later entries override this, so you might need to move
    # it further down)
    %sudo ALL=(ALL) ALL
    #
    #includedir /etc/sudoers.d

    # Members of the admin group may gain root privileges
    %admin ALL=(ALL) ALL
    Have you modified this file in any way? It looks like only the groups sudo and admin have sudo rights.

    post the results of
    Code:
    getent group| grep admin
    and the results of
    Code:
    getent group| grep sudo
    -BAB1

  4. #4
    Join Date
    Mar 2011
    Location
    A land far, far, away...
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Guest Account is able to authenticate as root. Help!

    The results are as follows:

    lpadmin:x:111:user
    admin:x:119:user

    and

    sudo:x:27:

    respectively.

    I have been using the guest session that appears in the panel to the top right menu drop down in Ubuntu 10.10. (the icon looks like a switch) to get the guest session option, however, I am able to authenticate with super-user privileges with any account even if I remove all privileges through the add remove users/groups GUI that comes with Ubuntu.
    Last edited by ahears; July 2nd, 2011 at 01:46 AM.
    Links: Boot Info: How To | Grub 2 Basics: How To | Rootsudo | Marking Threads as SOLVED
    ---------------------------------------------
    Five out of six people like Russian Roulette...

  5. #5
    Join Date
    May 2008
    Location
    SoCal
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Guest Account is able to authenticate as root. Help!

    Quote Originally Posted by ahears View Post
    The results are as follows:

    lpadmin:111:nemisis
    admin:119:nemisis

    and

    sudo:27:

    respectively.
    This shows that sudo is not the culprit in regards to the root privileges being granted to the user account named guest. Did you create this account or was it there to begin with? Is this what we are talking about? Did you configure your guest account like this?

    I have been using the guest session that appears in the panel to the top right menu drop down in Ubuntu 10.10. (the icon looks like a switch) to get the guest session option, however, I am able to authenticate with super-user privileges with any account even if I remove all privileges through the add remove users/groups GUI that comes with Ubuntu.
    Explain what you mean by able to "authenticate with super-user privileges".

    On an Ubuntu system authenticate means the user is verified as that user. This is a combination of user/pass. This is NOT authorization. Authorization is the rights you have to execute commands. Only root can authenticate as root when either logging in or switching users (su).

    Can you provide an example how you do this: "I am able to authenticate with super-user privileges with any account..."
    -BAB1
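
The check from posts #3 to #5, as an added example that is not part of the original thread: it resolves which accounts a sudoers file grants rights to by matching group names exactly, since `grep admin` also returns `lpadmin`. The file contents are constructed from the listings posted above, and the `guest` group entry is an assumed stand-in for the unprivileged account.

```shell
#!/bin/sh
# Added example; file contents below are constructed from the thread's listings.
WORK=$(mktemp -d)
SUDOERS="$WORK/sudoers"; GROUP_DB="$WORK/group"

cat > "$SUDOERS" <<'EOF'
Defaults env_reset
# User privilege specification
root ALL=(ALL) ALL
%sudo ALL=(ALL) ALL
#
#includedir /etc/sudoers.d
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
EOF

# "guest" is a constructed entry standing in for the unprivileged account.
cat > "$GROUP_DB" <<'EOF'
sudo:x:27:
lpadmin:x:111:user
admin:x:119:user
guest:x:1001:
EOF

# Groups named in "%group" rules; ordinary comment lines are skipped.
sudo_groups() {
    awk '!/^[ \t]*#/ && $1 ~ /^%/ { print substr($1, 2) }' "$1" | sort -u
}

# Accounts that have a rule of their own (first field is a plain user name).
sudo_direct_users() {
    awk '!/^[ \t]*#/ && $1 ~ /^[a-z_][a-z0-9_-]*$/ && $2 ~ /=/ { print $1 }' "$1" | sort -u
}

# "#include"/"#includedir" are directives, not comments: report their targets.
sudo_includes() {
    awk '$1 ~ /^[#@]include(dir)?$/ { print $2 }' "$1"
}

# Members of the group named exactly $2 (so "admin" never matches "lpadmin").
group_members() {
    awk -F: -v g="$2" '$1 == g && $4 != "" { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$1"
}

# Every account the sudoers file $1 grants rights to, using group database $2.
sudo_capable_users() {
    {
        sudo_direct_users "$1"
        for g in $(sudo_groups "$1"); do group_members "$2" "$g"; done
    } | sort -u
}

echo "groups with sudo rules: $(sudo_groups "$SUDOERS" | tr '\n' ' ')"
echo "accounts with sudo rights: $(sudo_capable_users "$SUDOERS" "$GROUP_DB" | tr '\n' ' ')"
echo "also review: $(sudo_includes "$SUDOERS")"
```

On a live system, pass `/etc/sudoers` (read as root) and the output of `getent group` saved to a file, and repeat the check for every file under the reported include directory.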

  6. #6
    Join Date
    Mar 2011
    Location
    A land far, far, away...
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Guest Account is able to authenticate as root. Help!

    It seems that when running a program that would normally require an administrative privilege that the system Guest account (known as a 'guest session') and the account I created named 'guest' can authenticate with sufficient privileges to successfully give themselves more permissions. This can be done through the 'Users and Groups' menu in the system menu. How can I prevent this? I want to fail authentication from all accounts except those belonging to the admin group. I am unable to, as the user can still enter a superuser password and modify system settings. I checked both of your links but I have tried both of them - removing all privileges and the new 'guest' account AND the 'guest session' can still enter the superuser password and gain administrative permissions to make system changes.
    Last edited by ahears; June 28th, 2011 at 02:08 AM.
    Links: Boot Info: How To | Grub 2 Basics: How To | Rootsudo | Marking Threads as SOLVED
    ---------------------------------------------
    Five out of six people like Russian Roulette...

  7. #7
    Join Date
    May 2008
    Location
    SoCal
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Guest Account is able to authenticate as root. Help!

    Quote Originally Posted by ahears View Post
    It seems that when running a program that would normally require an administrative privilege that the system Guest account (known as a 'guest session') and the account I created named 'guest' can authenticate with sufficient privileges to successfully give themselves more permissions. This can be done through the 'Users and Groups' menu in the system menu. How can I prevent this? I want to fail authentication from all accounts except those belonging to the admin group. I am unable to, as the user can still enter a superuser password and modify system settings. I checked both of your links but I have tried both of them - removing all privileges and the new 'guest' account AND the 'guest session' can still enter the superuser password and gain administrative permissions to make system changes.
    If this is possible: "the user can still enter a superuser password...". Then you have enabled the root password. Ubuntu's default is to not allow superuser access via a root password.

    If you enable the root password you have implied that any user who knows the password can use it. As a start, I would deny anyone from having the ability to log in to the system as root. The only avenue to root status should be with su. The whole idea of sudo is to control who can use su to gain root status.

    I think this might be a bit circular, but you might try using sudo to limit who has the right to use the command su (/bin/su) after removing root login capability. Sudo is more powerful than just letting some users run commands as root.

    On the other hand if you allow guests on your system it is in peril at all times. Physical access = 0 security.
    -BAB1

  8. #8
    Join Date
    Mar 2011
    Location
    A land far, far, away...
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Guest Account is able to authenticate as root. Help!

    I think you are right about the root password, however how do I remove it and only allow one user to use it for upgrades and system changes? I have already exhausted my expertise in this area. Oh, and I am using gksudo and sudo to gain superuser privileges and there is no root account. It's only me and the guest, but the guest with no privileges can gain privileges by using my password from my account as I am the admin. Hang on I gotta read my own links MORE but I have done everything, I must be missing something...

    Running synaptic as guest will fail even if I get the password correct but I am still able to get in the user and groups menu and grant myself admin privileges (by entering the password for my account) from the menu and then get into the disk janitor, network tools, disk utility, mount and unmount and even delete partitions and rename drives!!! It is still a huge security problem. Maybe I'm looking at this all wrong, but shouldn't the privileges be limited to a designated account, and not available system wide?
    Last edited by ahears; June 28th, 2011 at 07:01 PM.
    Links: Boot Info: How To | Grub 2 Basics: How To | Rootsudo | Marking Threads as SOLVED
    ---------------------------------------------
    Five out of six people like Russian Roulette...

  9. #9
    Join Date
    May 2008
    Location
    SoCal
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Guest Account is able to authenticate as root. Help!

    Quote Originally Posted by ahears View Post
    I think you are right about the root password, however how do I remove it and only allow one user to use it for upgrades and system changes? I have already exhausted my expertise in this area. Oh, and I am using gksudo and sudo to gain superuser privileges and there is no root account. It's only me and the guest, but the guest with no privileges can gain privileges by using my password from my account as I am the admin. Hang on I gotta read my own links MORE but I have done everything, I must be missing something...
    Yes you are missing the whole idea. When you use sudo or su (or for the GUI gksudo or gksu) you are not gaining privileges. With sudo you are executing a command as root (root is doing the execution). When you use su you are switching users (su does NOT mean super user). You can switch to another mortal user if you know that user's password. If I am logged in as jon (jon@here:~$) and I use the command su like this
    Code:
    jon@here:~$ su bill
    and use Bill's password, I am now using the user bill's account. I am not assuming his privileges in my account. The prompt should look like this
    Code:
    bill@here:/home/jon$
    This is because I am still at the same location I was before I issued the su command. If I issue this command
    Code:
    bill@here:/home/jon$ cd
    I will move to the user bill's home directory (because I am in essence bill) and the prompt will be
    Code:
    bill@here:~$
    If you issue this command
    Code:
    bill@here:~$ pwd
    You will see that you are at
    Code:
    /home/bill
    To exit from bill (bill's shell) you can do this at the prompt
    Code:
    exit
    Now you will be back to jon's shell and prompt.

    All this leads to how you are using sudo and who you think you are. You the person is not whom we are talking about. The you is the user account and how that works with sudo or su.

    With sudo in the Ubuntu default state the mortal user (jon or bill) if they are in the admin group can run ANY command as root. This can be configured to a SPECIFIC command and a different group. You could for instance allow the user bill to run only the command "sudo reboot" as root (the only way it will work is as root). Sudo stands for switch user (and) do...

    I suggest you read up on sudo and su. You can start here.

    Running synaptic as guest will fail even if I get the password correct but I am still able to get in the user and groups menu and grant myself admin privileges (by entering the password for my account) from the menu and then get into the disk janitor, network tools, disk utility, mount and unmount and even delete partitions and rename drives!!! It is still a huge security problem. Maybe I'm looking at this all wrong, but shouldn't the privileges be limited to a designated account, and not available system wide?
    Read the above. The right to use sudo is by default based on an account and it is system wide. Like I said it can be changed. Read the tutorial.

    One last thing. Always use the command visudo to edit the sudoers file. It handles the formatting and the syntax. You will just mess up the sudoers file if you use any text editor without visudo. By default visudo invokes nano as the editor. Do not ever invoke nano directly on the sudoers file. See here for info on changing the editor.
    Last edited by bab1; June 29th, 2011 at 01:25 AM.
    -BAB1

  10. #10
    Join Date
    Mar 2011
    Location
    A land far, far, away...
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Guest Account is able to authenticate as root. Help!

    Ok, so just to be safe I read all of the documentation and I understand all of it. I have even changed my 'sudo visudo' command to execute my favorite editor for the '/etc/sudoers' file, and I have listed my '/etc/sudoers' file at the top of the listing. My problem is still that I can use the System >> Administration >> Users and Groups >> Advanced Settings >> User Privileges >> Administer the System check-box to gain administrator privileges from any account using an admin password, thus permanently gaining the ability to elevate to an Administrator, and then gain access to the list of user names and other critical information (without permission to use this password). Someone could easily get my password and still not know the name of my account (which is the only account in the admin group) and use it to gain Administrator status. Even a guest that is not allowed to Switch Users could after using that password. The Ubuntu GUI doesn't seem secure to me. Maybe it's 'gksu' and not sudo that is the problem. This only occurs in the Ubuntu GUI...
    Last edited by ahears; June 29th, 2011 at 06:53 PM.
    Links: Boot Info: How To | Grub 2 Basics: How To | Rootsudo | Marking Threads as SOLVED
    ---------------------------------------------
    Five out of six people like Russian Roulette...
