[Bug 339925] New: yast startup from a normal user requires root password regardless of sudo requirement
https://bugzilla.novell.com/show_bug.cgi?id=339925

Summary: yast startup from a normal user requires root password regardless of sudo requirement
Product: openSUSE 10.3
Version: Final
Platform: Other
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Usability
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: ajorgensen@novell.com
QAContact: qa@suse.de
Found By: ---

If I configure sudo to require my own password (or no password) to run administrative commands, a dialog requesting the root password is still shown. The password required should be keyed off of whatever sudo requires.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=339925#c1

Mark Gordon <mtgordon@novell.com> changed:

What          |Removed |Added
----------------------------------------------------------------------------
CC            |        |mtgordon@novell.com
Status        |NEW     |NEEDINFO
Info Provider |        |ajorgensen@novell.com

--- Comment #1 from Mark Gordon <mtgordon@novell.com> 2007-11-08 09:30:09 MST ---
What line(s) do you have in /etc/sudoers to enable this? I've gotten it to work with the following line in /etc/sudoers:

    mtgordon ALL = NOPASSWD: /usr/bin/gnomesu /sbin/YaST2

This requires keeping the DISPLAY environment variable, and for some reason it's giving me the Qt interface, but it's functional. If you're willing to run the ncurses version of YaST, the gnomesu part is optional.

https://bugzilla.novell.com/show_bug.cgi?id=339925#c2

--- Comment #2 from Andrew Jorgensen <ajorgensen@novell.com> 2007-11-08 10:38:47 MST ---
Hi Mark, I think you're trying to solve a specific problem while I'm talking about a general problem. I will try to give my specific example but keep in mind that I'm not interested in the specific case but the general problem.

In my sudoers file I commented out

    #Defaults targetpw
    #ALL ALL=(ALL) ALL

Uncommented

    %wheel ALL=(ALL) SETENV: ALL

And added myself to the wheel group.

Now when I use sudo from the command line I am prompted for /my/ password rather than root's password. Unfortunately gnomesu doesn't appear to use sudo at all but just su. This means that even though I can run administrative commands by giving my own password I will still be prompted for the root password.

From a sysadmin perspective this my users still can't administer their own systems without the root password.

The best case would be if gnomesu used sudo instead of su so that whatever settings the administrator put in the sudoers file would be reflected in the behavior of gnomesu.

Need any more info?

https://bugzilla.novell.com/show_bug.cgi?id=339925#c3

Mark Gordon <mtgordon@novell.com> changed:

What     |Removed |Added
----------------------------------------------------------------------------
Severity |Normal |Enhancement
Summary  |yast startup from a normal user requires root password regardless of sudo requirement |can't make sudo require nonroot user's password

--- Comment #3 from Mark Gordon <mtgordon@novell.com> 2007-11-08 13:55:07 MST ---
Ah, now I understand. You have a line like the following?

    Defaults targetpw

From sudoers(5):

    targetpw    If set, sudo will prompt for the password of the user
                specified by the -u flag (defaults to root) instead of
                the password of the invoking user. Note that this
                precludes the use of a uid not listed in the passwd
                database as an argument to the -u flag. This flag is
                off by default.

If I comment that line out (using visudo), I'm prompted for my own password rather than the root password.

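Added example, not part of the bug thread and not code from sudo or openSUSE: a shell check for the sudoers states described in comments #2 and #3. It reports whether sudo will ask for the target user's password or the invoking user's, and flags the half-edited case where targetpw is off but the rule for every user is still active, so any local user could run any command as root with their own password. The function name, output labels and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug thread). Reads sudoers text on stdin and
# prints whose password sudo would ask for. Assumptions: only global
# "Defaults" lines are read; scoped Defaults, #include files, aliases and
# the rootpw/runaspw flags are out of scope.
sudo_password_policy() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # comments and blank lines
        $1 == "Defaults" {                     # e.g. "Defaults targetpw, env_reset"
            line = $0
            sub(/^[ \t]*Defaults[ \t]+/, "", line)
            n = split(line, flag, ",")
            for (i = 1; i <= n; i++) {
                f = flag[i]
                gsub(/[ \t]/, "", f)
                if (f == "targetpw")  targetpw = 1
                if (f == "!targetpw") targetpw = 0
            }
            next
        }
        {                                      # user specification
            rule = $0
            gsub(/[ \t]/, "", rule)
            # "ALL ALL=(ALL) ALL": every user, every host, every command
            if (rule ~ /^ALLALL=(\([^)]*\))?([A-Z]+:)*ALL$/) open_rule = 1
        }
        END {
            if (targetpw)       print "target-password"
            else if (open_rule) print "UNSAFE-own-password-for-all-users"
            else                print "own-password"
        }'
}

# Constructed samples modelled on the excerpts quoted in the thread.
stock='Defaults targetpw
ALL ALL=(ALL) ALL'
reporter='#Defaults targetpw
#ALL ALL=(ALL) ALL
%wheel ALL=(ALL) SETENV: ALL'
half_edited='#Defaults targetpw
ALL ALL=(ALL) ALL
%wheel ALL=(ALL) SETENV: ALL'

for name in stock reporter half_edited; do
    eval "text=\$$name"
    printf '%s: %s\n' "$name" "$(printf '%s\n' "$text" | sudo_password_policy)"
done
```
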
https://bugzilla.novell.com/show_bug.cgi?id=339925#c4

Andrew Jorgensen <ajorgensen@novell.com> changed:

What    |Removed |Added
----------------------------------------------------------------------------
Summary |can't make sudo require nonroot user's password |can't make gnomesu / kdesu require non-root user's password

--- Comment #4 from Andrew Jorgensen <ajorgensen@novell.com> 2007-11-08 14:52:36 MST ---
Getting closer, Mark. The problem isn't in sudo though, it's in gnomesu / kdesu. Any other questions?

https://bugzilla.novell.com/show_bug.cgi?id=339925#c5

Andrew Jorgensen <ajorgensen@novell.com> changed:

What          |Removed |Added
----------------------------------------------------------------------------
Status        |NEEDINFO |NEW
Info Provider |ajorgensen@novell.com |

--- Comment #5 from Andrew Jorgensen <ajorgensen@novell.com> 2007-11-08 15:15:03 MST ---
Sorry, didn't know about this checkbox to remove the needinfo status.

https://bugzilla.novell.com/show_bug.cgi?id=339925#c6

Mark Gordon <mtgordon@novell.com> changed:

What          |Removed |Added
----------------------------------------------------------------------------
Status        |NEW     |NEEDINFO
Info Provider |        |ajorgensen@novell.com

--- Comment #6 from Mark Gordon <mtgordon@novell.com> 2007-11-08 15:37:12 MST ---
Remembering that you want a very generic functionality, and looking back at your previous sudoers excerpts, I'm able to achieve the general effect (wheel members can run anything using their own passwords) by changing your line:

    %wheel ALL=(ALL) SETENV: ALL

to:

    %wheel ALL= SETENV: ALL

If that doesn't work for you, please describe your current problem in detail.

https://bugzilla.novell.com/show_bug.cgi?id=339925#c7

Andrew Jorgensen <ajorgensen@novell.com> changed:

What          |Removed |Added
----------------------------------------------------------------------------
Status        |NEEDINFO |NEW
Info Provider |ajorgensen@novell.com |

--- Comment #7 from Andrew Jorgensen <ajorgensen@novell.com> 2007-11-08 17:13:14 MST ---
The change you suggest doesn't appear to change anything at all for me. But more importantly I must still not be communicating this very well.

sudo works fine. There are no problems with sudo. My sudo configuration is as I like it (as described above) and works perfectly with sudo.

The bug is that gnomesu and kdesu cannot be configured to prompt for the user's own password (as sudo can) but require the root password regardless of the configuration in /etc/sudoers.

From a user perspective the bug is that when I have sudo configured as described I can run administrative commands from a command line using sudo and am prompted only for my own password. If, however, I click on the YaST icon in the slab I am prompted for the root password.

The ideal situation would be if gnomesu / kdesu used sudo and /etc/sudoers so that the system administrator can control what users have what access GUI or CLI from one place and does not need to give the root password to users who are not comfortable with CLI and need to use YaST.

I hope that makes this more clear. Thanks!

https://bugzilla.novell.com/show_bug.cgi?id=339925#c8

Mark Gordon <mtgordon@novell.com> changed:

What          |Removed |Added
----------------------------------------------------------------------------
Status        |NEW     |NEEDINFO
Info Provider |        |ajorgensen@novell.com

--- Comment #8 from Mark Gordon <mtgordon@novell.com> 2007-11-09 13:02:49 MST ---
My current understanding of the problem, again trying to say what you didn't.

1) gnomesu and kdesu act like su. You want something that acts like sudo (i.e. it follows rules defined in /etc/sudoers), and gnomesu/kdesu aren't the tools you're looking for. You want a different tool, or you want gnomesu/kdesu to add functionality so that they can emulate sudo as well as su. Frankly, "su doesn't behave exactly like sudo" isn't a bug, but asking for a GUI sudo is a reasonable enhancement request.

2) Specifically, you want something that you can run through a launcher that will bring up a GUI dialog for authentication when needed. sudo may work fine with YaST etc., but only if you're willing to work from a terminal, and you shouldn't have to.

Is this a fair representation?

https://bugzilla.novell.com/show_bug.cgi?id=339925#c9

Andrew Jorgensen <ajorgensen@novell.com> changed:

What          |Removed |Added
----------------------------------------------------------------------------
Status        |NEEDINFO |NEW
Info Provider |ajorgensen@novell.com |

--- Comment #9 from Andrew Jorgensen <ajorgensen@novell.com> 2007-11-09 13:25:16 MST ---
I think you've got it exactly now, except that I'd rather put emphasis on the idea of having a single place for a sysadmin to control this stuff (sudoers) also work for the GUI.

There is a decent tool for this called GKsu <http://www.nongnu.org/gksu/> (at least for gnome) and there's probably one for kde as well. For this to work completely xdg-su would have to check for gksu's existence and use it if available. Or like you suggest gnomesu and kdesu might be modified.

Thanks!

https://bugzilla.novell.com/show_bug.cgi?id=339925#c10

Mark Gordon <mtgordon@novell.com> changed:

What       |Removed |Added
----------------------------------------------------------------------------
AssignedTo |bnc-team-screening@forge.provo.novell.com |bnc-team-gnome@forge.provo.novell.com
Component  |Usability |GNOME

--- Comment #10 from Mark Gordon <mtgordon@novell.com> 2007-11-09 14:52:34 MST ---
    XDG-SU(1)                                                  XDG-SU(1)

    NAME
           xdg-su - run a GUI program as root after prompting for the root password

Again, su != sudo. Maybe there needs to be an xdg-sudo. One problem that would remain is that the su-based functionality is widely integrated (at least in Gnome, dunno about KDE) through libgnomesu.

Digging a bit deeper, I find that libgnomesu once had support for a sudo backend, but that code was removed for technical reasons:

http://mail.gnome.org/archives/desktop-devel-list/2004-October/msg00425.html

That thread also has some discussion of how gksu works and why libgnomesu has chosen not to take that approach. It might be worth looking into how Debian (and, by extension, Ubuntu) have worked around those problems; it's possible they've patched sudo.

I'll let the Gnome team take a look at this first.

https://bugzilla.novell.com/show_bug.cgi?id=339925#c11

Carlos Lange <carlos.lange@ualberta.ca> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC   |        |carlos.lange@ualberta.ca

--- Comment #11 from Carlos Lange <carlos.lange@ualberta.ca> 2007-11-25 11:54:36 MST ---
If I may chime in, hoping it helps. The behaviour you are seeking is exactly what kdesu does. As I reported in Bug 340311, kdesu uses sudo and it will accept only the user's password for authentication, if you use:

    Defaults:%wheel authenticate
    %wheel machine = PASSWD: ALL

My issue there is that the pop-up does not mention correctly which password is required. Maybe your bug here applies to gnomesu only (which I don't use).

https://bugzilla.novell.com/show_bug.cgi?id=339925

User casualprogrammer@gmail.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=339925#c12

Casual J. Programmer <casualprogrammer@gmail.com> changed:

What          |Removed |Added
----------------------------------------------------------------------------
CC            |        |casualprogrammer@gmail.com
Status        |NEW     |NEEDINFO
Info Provider |        |ajorgensen@novell.com

--- Comment #12 from Casual J. Programmer <casualprogrammer@gmail.com> 2008-06-11 15:23:24 MDT ---
Is this still an issue in 11.0 ?

https://bugzilla.novell.com/show_bug.cgi?id=339925

User ajorgensen@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=339925#c13

Andrew Jorgensen <ajorgensen@novell.com> changed:

What          |Removed |Added
----------------------------------------------------------------------------
Status        |NEEDINFO |NEW
Info Provider |ajorgensen@novell.com |
Summary       |can't make gnomesu / kdesu require non-root user's password |can't make gnomesu require non-root user's password

--- Comment #13 from Andrew Jorgensen <ajorgensen@novell.com> 2008-06-12 09:18:24 MDT ---
Of course it's still an issue. Please don't use needinfo for things that can be easily verified yourself.

https://bugzilla.novell.com/show_bug.cgi?id=339925

User casualprogrammer@gmail.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=339925#c14

--- Comment #14 from Casual J. Programmer <casualprogrammer@gmail.com> 2008-06-12 09:39:43 MDT ---
After > six months of inactivity, I think it is legitimate to ask, also you did not say yet whether it's an issue in 11.0, bug is filed against 10.3. If I could have reproduced it locally, I wouldn't have asked.

NEEDINFO is there to request information from someone, it succeeded, so how can it be wrong ?

After not inquiring yourself for that long, you should be more relaxed :-)

https://bugzilla.novell.com/show_bug.cgi?id=339925

User ajorgensen@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=339925#c15

--- Comment #15 from Andrew Jorgensen <ajorgensen@novell.com> 2008-06-12 12:07:22 MDT ---
Regarding inactivity I suppose you're right. And you did get the info you wanted. I still say it's impolite to not try to verify the bug before presuming it might be fixed.

https://bugzilla.novell.com/show_bug.cgi?id=339925

Federico Mena Quintero <federico@novell.com> changed:

What     |Removed   |Added
----------------------------------------------------------------------------
Priority |P5 - None |P3 - Medium

https://bugzilla.novell.com/show_bug.cgi?id=339925

User casualprogrammer@gmail.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=339925#c16

Casual J. Programmer <casualprogrammer@gmail.com> changed:

What       |Removed |Added
----------------------------------------------------------------------------
Status     |NEW     |RESOLVED
Resolution |        |NORESPONSE

--- Comment #16 from Casual J. Programmer <casualprogrammer@gmail.com> 2009-01-14 10:47:23 MST ---
OK, after another 6 months of inactivity closing as noresponse.

https://bugzilla.novell.com/show_bug.cgi?id=339925

User ajorgensen@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=339925#c17

Andrew Jorgensen <ajorgensen@novell.com> changed:

What       |Removed    |Added
----------------------------------------------------------------------------
Status     |RESOLVED   |REOPENED
Resolution |NORESPONSE |

--- Comment #17 from Andrew Jorgensen <ajorgensen@novell.com> 2009-01-14 11:39:19 MST ---
reopening, no response was needed that wasn't given so noresponse is hardly a valid resolution in this case.

https://bugzilla.novell.com/show_bug.cgi?id=339925

User casualprogrammer@gmail.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=339925#c18

--- Comment #18 from Casual J. Programmer <casualprogrammer@gmail.com> 2009-01-14 11:44:33 MST ---
OK Andrew, I gather you fix it then ? Or are you just keeping it open ?

https://bugzilla.novell.com/show_bug.cgi?id=339925

User ajorgensen@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=339925#c19

--- Comment #19 from Andrew Jorgensen <ajorgensen@novell.com> 2009-01-14 12:12:39 MST ---
Nope, I'm the reporter, just keeping it open because it's still broken and I'd like to see it fixed some day.

https://bugzilla.novell.com/show_bug.cgi?id=339925

User casualprogrammer@gmail.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=339925#c20

--- Comment #20 from Casual J. Programmer <casualprogrammer@gmail.com> 2009-01-14 12:17:36 MST ---
Sorry mate, good luck with getting it solved ;-)