Linux MintThis forum is for the discussion of Linux Mint.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
With that set, even if they know your password, they can not log in as another user if they are not member of the sudo group. So, they will probably not be able to do anything even if they guess your password.
Exactly. PAM serves just as another layer, to prevent others from "guessing" your password.
Ok, maybe this is worth a shot. How do I use it? Do I just go into terminal as sudo and type what was written?
I am running Linux Mint 18.1 with Mate, but I don't know which version of Mate.
Linux Mint 18 is based on Ubuntu 16.04, so you do have pkexec to deal with.
Try the instructions on the Ask Ubuntu link given above. Going that route, you'll have to add some file (ending in .pkla) in the directory /var/lib/polkit-1/localauthority/50-local.d/ to override some of the settings in /var/lib/polkit-1/localauthority/10-vendor.d/com.ubuntu.desktop.pkla
PAM can be used as a choke point, but it looks like your problem is coming from pkexec.
Yes, like that and no, nothing special about sudo nano.
Ok, I successfully edited /etc/pam.d/su and saved it.
I restarted and went into my desktop (non-sudo) account.
I used the Synaptic GUI and it asked for my Administration Account password, which is the only sudo-enabled account I have. It still let me into Synaptic.
This is so frustrating.
Last edited by MBA Whore; 06-18-2017 at 01:58 PM.
Reason: misspelling
Linux Mint 18 is based on Ubuntu 16.04, so you do have pkexec to deal with.
Try the instructions on the Ask Ubuntu link given above. Going that route, you'll have to add some file (ending in .pkla) in the directory /var/lib/polkit-1/localauthority/50-local.d/ to override some of the settings in /var/lib/polkit-1/localauthority/10-vendor.d/com.ubuntu.desktop.pkla
PAM can be used as a choke point, but it looks like your problem is coming from pkexec.
Wow, now I am beginning to remember why I left Linux several years ago. This should be easier for noobs like myself.
Does Debian or any other distro have this pkexec issue?
All I want is for only my sudo account to be able to make system changes. I don't want any other user to be able to "SU" or "SUDO" whether it is via command line or GUI.
Regarding the # (comment) in nano, what is the difference between leaving # and removing #?
The nano page has different things written regarding # which make it confusing. I don't understand it.
No, it does not mean that. All it means is that that specific command can be used by unprivileged user. And in your case, it simply means that mint package manager will check for updates. He can not install new packages, nor change system in any way except in what is allowed to him by default. Linux by it's nature is very secure and restrictive in what unprivileged users can, or can not do. Policy kit agent ( that pkexec thingy is just part of it ) is way to give unprivileged users some things that you can expect that every user on desktop/laptop should be able to do. Like, for example, logging into wifi network, automatically mounting usb/dvd... While that thing you encounter with synaptic may seem annoying, it is ok as long as other users do not have your password. And there is way to turn it off, though I do not have time now to bother with it. Would require lots of time investment in learning to write and edit various policy kit files. But it is on my very long to do list :P
Policy kit agent ( that pkexec thingy is just part of it ) is way to give unprivileged users some things that you can expect that every user on desktop/laptop should be able to do. Like, for example, logging into wifi network, automatically mounting usb/dvd...
Which can all be managed in a simpler, clearer manner using sudo. The syntax for sudoers is just EBNF and easy to learn if not already familiar.
PolicyKit apparently comes out of Red Hat and because of that and its other symptoms I wonder how many of its developers have ties to systemd. Regardless, PolicyKit is overly complex and that combined with its origins suggest that Red Hat is using it to make Linux so difficult as to take it out of the hands of anyone except full-time, Red Hat-trained, professionals.
One of their top executives made a statemet about complexity being a sales tactic. This looks like them making good on that threat.
Quote:
Originally Posted by dejank
While that thing you encounter with synaptic may seem annoying, it is ok as long as other users do not have your password. And there is way to turn it off, though I do not have time now to bother with it. Would require lots of time investment in learning to write and edit various policy kit files.
Yes, again, PolicyKit appears to be about making Linux complicated and hard to use.
HMBA Whore : however, between the Arch documentation and the pointer to the directory and one of the PolicyKit configuration files mentioned earlier you should be able to find the lines to change to remove the prompt the other users are getting. But keep in mind there is no "sudo password" just accounts that are authorized by PolicyKit (pkexec) to do an end-run around your settings.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.