Wednesday, August 9, 2017

permissions - Why does the system keep asking for the password of the first member of the sudo group instead of denying command execution


We have Ubuntu 18.04. There are 2 users present:
user1 and user2. user1 is an administrative account and is a member of the sudo group:
uid=1010(user1) gid=1010(user1) groups=1010(user1),27(sudo),110(lxd). user2 is a regular user: uid=1000(user2) gid=1000(user2) groups=1000(user2).
Now, in the /etc/sudoers file I have a default record for the sudo group:


# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL

As well as special commands that user2 is allowed to execute with administrative (root) rights:


Cmnd_Alias CMD_RELOAD_PHP_FPM = /bin/systemctl reload php7.0-fpm, /bin/systemctl reload php7.2-fpm
user2 ALL=(root:root) NOPASSWD: CMD_RELOAD_PHP_FPM

At this step all is fine: user2 can execute everything specified in Cmnd_Alias without entering a password, so it works as expected.


But when user2 tries to execute something he is not allowed to, he gets a prompt to enter, attention, user1's password. Not root's, not his own (user2), but user1's password, instead of the action being denied silently or informatively:


user2@someserver:~$ /bin/systemctl restart 
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ===
Authentication is required to restart 'someservice.service'.
Authenticating as: user1
Password:

user1 is the only member of the sudo group.


grep 'sudo' /etc/group
sudo:x:27:user1
grep 'sudo' /etc/gshadow
sudo:*::user1

If user1 is removed from the sudo group and user2 tries to execute the same command, then he is asked to enter the root password.


How can I change this behaviour, so that user2's attempts would be denied instead of asking him to enter a password?



I don't have enough knowledge about polkit, but it seems to be the cause of this behavior.


The line responsible for that is:


AdminIdentities=unix-group:sudo;unix-group:admin

inside the /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf file.


Commenting out the AdminIdentities=... line and restarting the polkit daemon returns the default behavior, where the root password is required for a service restart.
Not sure if it's safe or not. Probably some community members could explain better.


Also, it seems that I've found the place where the default actions for systemd are described for when an unprivileged user tries to perform some action with a systemd service.
It's inside the file: /usr/share/polkit-1/actions/org.freedesktop.systemd1.policy


If I set the values like this:



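<action id="org.freedesktop.systemd1.manage-units">
  <description>Manage system services or other units</description>
  <message>Authentication is required to manage system services or other units.</message>
  <defaults>
    <allow_any>no</allow_any>
    <allow_inactive>no</allow_inactive>
    <allow_active>no</allow_active>
  </defaults>
</action>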



I start to get an Access denied message when trying to restart the service as an unprivileged user.
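
The identity shown in the "Authenticating as:" prompt can be predicted from the files quoted above. The following is an added example, not part of the original post: a shell function that reads the AdminIdentities setting from a localauthority.conf.d directory and resolves it against a group file. The function name, its two parameters, the contents of 50-localauthority.conf and the fallback to root (taken from the behaviour reported in the question) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post). Prints the accounts polkit's
# local authority would offer in an "Authenticating as:" prompt.
# Usage: polkit_admin_users CONF_DIR GROUP_FILE  (both parameters are this example's own)
polkit_admin_users() {
    conf_dir=$1; group_file=$2; ids=; users=
    # *.conf files are read in lexical order; a later AdminIdentities wins.
    # Lines commented out with '#' do not match and are ignored.
    for f in "$conf_dir"/*.conf; do
        if [ -f "$f" ]; then
            v=$(sed -n 's/^AdminIdentities=//p' "$f" | tail -n 1)
            if [ -n "$v" ]; then ids=$v; fi
        fi
    done
    old_ifs=$IFS; IFS=';'
    for id in $ids; do
        case $id in
            unix-user:0) users="$users root" ;;
            unix-user:*) users="$users ${id#unix-user:}" ;;
            unix-group:*)
                # Field 4 of the group file is the comma-separated member list.
                m=$(awk -F: -v g="${id#unix-group:}" '$1 == g { print $4 }' "$group_file" | tr ',' ' ')
                users="$users $m" ;;
        esac
    done
    IFS=$old_ifs
    out=$(printf '%s\n' $users | awk 'NF && !seen[$0]++' | tr '\n' ' ')
    out=${out% }
    # Assumption taken from the behaviour reported above: with no resolvable
    # admin identity, the prompt falls back to root.
    if [ -z "$out" ]; then out=root; fi
    echo "$out"
}

# Constructed sample data mirroring the files quoted on this page.
demo=$(mktemp -d)
printf '[Configuration]\nAdminIdentities=unix-user:0\n' > "$demo/50-localauthority.conf"
printf '[Configuration]\nAdminIdentities=unix-group:sudo;unix-group:admin\n' > "$demo/51-ubuntu-admin.conf"
printf 'sudo:x:27:user1\nlxd:x:110:user1\n' > "$demo/group"
echo "with user1 in sudo:    $(polkit_admin_users "$demo" "$demo/group")"
printf 'sudo:x:27:\n' > "$demo/group"
echo "with sudo group empty: $(polkit_admin_users "$demo" "$demo/group")"
rm -rf "$demo"
```

On a real host the arguments would be /etc/polkit-1/localauthority.conf.d and /etc/group; any account it prints is one whose password an unprivileged user will be prompted for.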

