Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: Any user can use Administrator password in GUI to Gain Admin privileges.

  1. #1
    Join Date
    Mar 2011
    Location
    A land far, far, away...
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Any user can use Administrator password in GUI to Gain Admin privileges.

    Any user can use Administrator password in GUI to Gain Admin privileges. I am the administrator, and any normal desktop user can use the password from my account to grant system changes, mount drives, etc.

    My /etc/sudoers file is as follows:


    # /etc/sudoers
    #
    # This file MUST be edited with the 'visudo' command as root.
    #
    # See the man page for details on how to write a sudoers file.
    #
    Defaults env_reset,editor=/usr/bin/gedit,timestamp_timeout=0

    # Host alias specification

    # User alias specification

    # Cmnd alias specification

    # User privilege specification
    root ALL=(ALL) ALL

    # Allow members of group sudo to execute any command after they have
    # provided their password
    # (Note that later entries override this, so you might need to move
    # it further down)
    %sudo ALL=(ALL) ALL
    #
    #includedir /etc/sudoers.d

    # Members of the admin group may gain root privileges
    %admin ALL=(ALL) ALL
    I have created several accounts for testing, removed all privileges, and am still able to gain Administrator status by using the admin password through the GUI while logged in as another user. Programs like synaptic won't run (the process cancels itself) but System >> Administration >> Users and Groups will allow access, and with the right password any user can elevate themselves. This is not available on the command line. Root account does not exist, and I am the only admin. I want an account open to guests however I can't do this if they can elevate. How do I stop others from being able to elevate to make changes or gain Administrator privileges? Please help.
    Last edited by ahears; July 2nd, 2011 at 01:50 AM.
    Links: Boot Info: How To | Grub 2 Basics: How To | Rootsudo | Marking Threads as SOLVED
    ---------------------------------------------
    Five out of six people like Russian Roulette...

  2. #2
    Join Date
    Feb 2007
    Location
    Romania
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: Any user can use Administrator password in GUI to Gain Admin privileges.

    Quote Originally Posted by ahears View Post
    This is not available in the command line.
    Yes it is:
    Code:
    su - admin-username
    Quote Originally Posted by ahears View Post
    How do I stop others from being able to elevate to make changes or gain Administrator privileges? Please help.
    Use a strong password and don't tell them what it is.

    Quote Originally Posted by ahears View Post
    I want an account open to guests
    Search for `Ubuntu kiosk mode'

  3. #3
    Join Date
    Jun 2011
    Location
    The Shadow Gallery
    Beans
    6,807

    Re: Any user can use Administrator password in GUI to Gain Admin privileges.

    Quote Originally Posted by ahears View Post
    . I want an account open to guests however I can't do this if they can elevate. How do I stop others from being able to elevate to make changes or gain Administrator privileges? Please help.

    Dont let them know the password and make yours a strong one ?

    of course they can elevate if they know the password, if someone else has your front door key they can open your front door ?

    or am i missing something ?
    Feel Free to Bitcoin Tip: 135Rp4pwwYTHEJ4u8bxKaDQiC91N9LUoV2

    Backtrack - Giving machine guns to monkeys since 2006
    Kali-Linux - Adding a grenade launcher to the machine guns since 2013

  4. #4
    Join Date
    Mar 2011
    Location
    A land far, far, away...
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Any user can use Administrator password in GUI to Gain Admin privileges.

    Fair enough. Maybe I'm trying too hard. I want specific programs to fail execution dispite entering an admin password, like Synaptic. It fails even if I get the password correct. Why can't I force System >> Administration >> Users and Groups to behave the same? I really not willing to give up yet, but if I must... I must.
    Links: Boot Info: How To | Grub 2 Basics: How To | Rootsudo | Marking Threads as SOLVED
    ---------------------------------------------
    Five out of six people like Russian Roulette...

  5. #5
    Join Date
    Dec 2007
    Location
    California
    Beans
    4,900
    Distro
    Ubuntu 13.04 Raring Ringtail

    Re: Any user can use Administrator password in GUI to Gain Admin privileges.

    Quote Originally Posted by haqking View Post
    Dont let them know the password and make yours a strong one ?
    +1, if they know your password what's to prevent them from simply logging in as you anyways.
    "You can't expect to hold supreme executive power just because some watery tart lobbed a sword at you"

    "Don't let your mind wander -- it's too little to be let out alone."

  6. #6
    Join Date
    Mar 2011
    Location
    A land far, far, away...
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Any user can use Administrator password in GUI to Gain Admin privileges.

    Quote Originally Posted by jerome1232 View Post
    +1, if they know your password what's to prevent them from simply logging in as you anyways.
    Yeah...I know, I was thinking of allowing a guest to remote login...bla...bla... but I didn't want any user to get prompted for a password, I simply wanted the attempt to fail (I.e Synaptic), even if they get the password right. As they say; "A computer system is only as secure as its' weakest user."
    Last edited by ahears; July 2nd, 2011 at 02:39 AM.
    Links: Boot Info: How To | Grub 2 Basics: How To | Rootsudo | Marking Threads as SOLVED
    ---------------------------------------------
    Five out of six people like Russian Roulette...

  7. #7
    Join Date
    Feb 2010
    Location
    White Plume Mountain
    Beans
    Hidden!
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: Any user can use Administrator password in GUI to Gain Admin privileges.

    Moved to "Security Discussions"
    Thank you for your contributions. "So long and thanks for the fish!"

  8. #8
    Join Date
    Feb 2007
    Location
    Romania
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: Any user can use Administrator password in GUI to Gain Admin privileges.

    Quote Originally Posted by ahears View Post
    Fair enough. Maybe I'm trying too hard. I want specific programs to fail execution dispite entering an admin password, like Synaptic. It fails even if I get the password correct. Why can't I force System >> Administration >> Users and Groups to behave the same? I really not willing to give up yet, but if I must... I must.
    synaptic uses sudo (more precisely gksu which is a GUI frontend for sudo).

    users-admin (aka System >> Administration >> Users and Groups), like most modern GUI applications, uses polkit (PolicyKit).

  9. #9
    Join Date
    Mar 2011
    Location
    A land far, far, away...
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Any user can use Administrator password in GUI to Gain Admin privileges.

    Quote Originally Posted by sisco311 View Post
    synaptic uses sudo (more precisely gksu which is a GUI frontend for sudo).

    users-admin (aka System >> Administration >> Users and Groups), like most modern GUI applications, uses polkit (PolicyKit).
    GREAT ANSWER!! Thank you, it helps to understand! I knew they were different.

    Now, for the tough question: Where do I get a Policy Kit that I can configure easily?

    And:

    What is the reason for the differences in how the security is controlled?


    synaptic uses sudo (more precisely gksu which is a GUI frontend for sudo).

    users-admin (aka System >> Administration >> Users and Groups), like most modern GUI applications, uses polkit (PolicyKit).
    Last edited by ahears; July 11th, 2011 at 11:31 PM.
    Links: Boot Info: How To | Grub 2 Basics: How To | Rootsudo | Marking Threads as SOLVED
    ---------------------------------------------
    Five out of six people like Russian Roulette...

  10. #10
    Join Date
    Mar 2006
    Location
    Williams Lake
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: Any user can use Administrator password in GUI to Gain Admin privileges.

    If anyone has physical access to your computer, they don't have to guess your password, they already have root access with a simple reboot.

Page 1 of 2 12 LastLast

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •