LinuxQuestions.org
Old 06-18-2017, 01:11 PM   #16
dejank
Member
 
Registered: May 2016
Location: Belgrade, Serbia
Distribution: Debian
Posts: 229

Rep: Reputation: Disabled

Quote:
I am running Linux Mint 18.1 with Mate, but I don't know which version of Mate.
If it has something like mate-terminal you can type mate-terminal --version to check it.

Quote:
No, I haven't gotten that far yet. I want to search for other options before trying that.
It is not far, just one simple edit away :P
 
Old 06-18-2017, 01:14 PM   #17
MBA Whore
Member
 
Registered: May 2006
Location: Kansas City, MO
Distribution: Various: pclos, Debian, Ubuntu, etc . . .
Posts: 649

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by dejank
You can use config in /etc/pam.d/su:

Code:
auth required pam_wheel.so group=sudo
With that set, even if they know your password, they can not log in as another user if they are not a member of the sudo group. So, they will probably not be able to do anything even if they guess your password.



Exactly. PAM serves just as another layer, to prevent others from "guessing" your password.

Ok, maybe this is worth a shot. How do I use it? Do I just go into terminal as sudo and type what was written?
 
Old 06-18-2017, 01:18 PM   #18
dejank
Member
 
Registered: May 2016
Location: Belgrade, Serbia
Distribution: Debian
Posts: 229

Rep: Reputation: Disabled
No, you use sudo nano /etc/pam.d/su and then edit that file. There will be a line that contains this:

Code:
# auth       required   pam_wheel.so
and you should edit it to look as described before. Do not forget to remove that comment #.
 
Old 06-18-2017, 01:24 PM   #19
MBA Whore
Member
 
Registered: May 2006
Location: Kansas City, MO
Distribution: Various: pclos, Debian, Ubuntu, etc . . .
Posts: 649

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by dejank
No, you use sudo nano /etc/pam.d/su and then edit that file. There will be a line that contains this:

Code:
# auth       required   pam_wheel.so
and you should edit it to look as described before. Do not forget to remove that comment #.
So I use sudo nano to make this:

# auth required pam_wheel.so

Look like that:

auth required pam_wheel.so group=sudo

Correct?

Is there anything special I should know about using "sudo nano", other than the standard caution applied while using sudo?
 
Old 06-18-2017, 01:29 PM   #20
dejank
Member
 
Registered: May 2016
Location: Belgrade, Serbia
Distribution: Debian
Posts: 229

Rep: Reputation: Disabled
Quote:
So I use sudo nano to make this:

# auth required pam_wheel.so

Look like that:

auth required pam_wheel.so group=sudo

Correct?

Is there anything special I should know about using "sudo nano", other than the standard caution applied while using sudo?
Yes, like that and no, nothing special about sudo nano.
 
Old 06-18-2017, 01:48 PM   #21
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,333
Blog Entries: 3

Rep: Reputation: 3730
Quote:
Originally Posted by MBA Whore
I am running Linux Mint 18.1 with Mate, but I don't know which version of Mate.
Linux Mint 18 is based on Ubuntu 16.04, so you do have pkexec to deal with.

Try the instructions on the Ask Ubuntu link given above. Going that route, you'll have to add some file (ending in .pkla) in the directory /var/lib/polkit-1/localauthority/50-local.d/ to override some of the settings in /var/lib/polkit-1/localauthority/10-vendor.d/com.ubuntu.desktop.pkla

PAM can be used as a choke point, but it looks like your problem is coming from pkexec.
 
Old 06-18-2017, 01:55 PM   #22
MBA Whore
Member
 
Registered: May 2006
Location: Kansas City, MO
Distribution: Various: pclos, Debian, Ubuntu, etc . . .
Posts: 649

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by dejank
Yes, like that and no, nothing special about sudo nano.
Ok, I successfully edited /etc/pam.d/su and saved it.

I restarted and went into my desktop (non-sudo) account.

I used the Synaptic GUI and it asked for my Administration Account password, which is the only sudo-enabled account I have. It still let me into Synaptic.

This is so frustrating.

Last edited by MBA Whore; 06-18-2017 at 01:58 PM. Reason: misspelling
 
Old 06-18-2017, 01:57 PM   #23
MBA Whore
Member
 
Registered: May 2006
Location: Kansas City, MO
Distribution: Various: pclos, Debian, Ubuntu, etc . . .
Posts: 649

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by Turbocapitalist
Linux Mint 18 is based on Ubuntu 16.04, so you do have pkexec to deal with.

Try the instructions on the Ask Ubuntu link given above. Going that route, you'll have to add some file (ending in .pkla) in the directory /var/lib/polkit-1/localauthority/50-local.d/ to override some of the settings in /var/lib/polkit-1/localauthority/10-vendor.d/com.ubuntu.desktop.pkla

PAM can be used as a choke point, but it looks like your problem is coming from pkexec.
Wow, now I am beginning to remember why I left Linux several years ago. This should be easier for noobs like myself.

Does Debian or any other distro have this pkexec issue?
 
Old 06-18-2017, 02:05 PM   #24
MBA Whore
Member
 
Registered: May 2006
Location: Kansas City, MO
Distribution: Various: pclos, Debian, Ubuntu, etc . . .
Posts: 649

Original Poster
Rep: Reputation: 30
I ran this command: sudo -l

on my supposedly non-sudo, regular desktop user account and this is the output:


catoffline@CATLAP ~ $ sudo -l
Matching Defaults entries for catoffline on CATLAP:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User catoffline may run the following commands on CATLAP:
(root) NOPASSWD: /usr/lib/linuxmint/mintUpdate/checkAPT.py
catoffline@CATLAP ~ $


Does anyone know what that means?
 
Old 06-18-2017, 02:16 PM   #25
dejank
Member
 
Registered: May 2016
Location: Belgrade, Serbia
Distribution: Debian
Posts: 229

Rep: Reputation: Disabled
Quote:
I ran this command: sudo -l

on my supposedly non-sudo, regular desktop user account and this is the output:


catoffline@CATLAP ~ $ sudo -l
Matching Defaults entries for catoffline on CATLAP:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User catoffline may run the following commands on CATLAP:
(root) NOPASSWD: /usr/lib/linuxmint/mintUpdate/checkAPT.py
catoffline@CATLAP ~ $


Does anyone know what that means?
It just gives you commands that your user may run. Run it with your privileged user and you will see the difference.
 
Old 06-18-2017, 02:31 PM   #26
MBA Whore
Member
 
Registered: May 2006
Location: Kansas City, MO
Distribution: Various: pclos, Debian, Ubuntu, etc . . .
Posts: 649

Original Poster
Rep: Reputation: 30
dejank, and anyone else:

All I want is for only my sudo account to be able to make system changes. I don't want any other user to be able to "SU" or "SUDO" whether it is via command line or GUI.

Regarding the # (comment) in nano, what is the difference between leaving # and removing #?

The nano page has different things written regarding # which make it confusing. I don't understand it.

What is the difference between:

1) auth required pam_wheel.so group=sudo

2) # auth required pam_wheel.so group=sudo
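
Added example, not part of any poster's message: a small shell check that tells the two lines asked about above apart, treating a line that starts with # as a comment that PAM skips. The function name pam_wheel_status and the sample lines are constructed for illustration; it covers only the su path edited in /etc/pam.d/su, not the pkexec prompt discussed elsewhere in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): report whether a PAM service file
# such as /etc/pam.d/su carries an active pam_wheel rule or only a comment.
# Prints one of: enforced:<group>  denied:<group>  commented  absent

pam_wheel_status() {
    # $1 = file to inspect; with no argument the rules are read from stdin.
    awk '
        { sub(/^[ \t]+/, "") }              # indentation is not significant
        /^#/ {                              # "#" first: the whole line is a comment
            if ($0 ~ /auth[ \t]+required[ \t]+pam_wheel\.so/) commented = 1
            next
        }
        $1 == "auth" && $2 == "required" && $3 ~ /pam_wheel\.so$/ {
            mode = "enforced"
            group = "wheel"                 # module default when group= is absent
            for (i = 4; i <= NF; i++) {
                if ($i ~ /^group=/) group = substr($i, 7)
                if ($i == "deny") mode = "denied"   # deny inverts the membership test
            }
            active = mode ":" group
        }
        END {
            if (active != "") print active
            else if (commented) print "commented"
            else print "absent"
        }
    ' "${1:--}"
}

# Constructed samples: the stock line quoted in the thread, and the edited line.
before='# auth       required   pam_wheel.so'
after='auth required pam_wheel.so group=sudo'

printf '%s\n' "$before" | pam_wheel_status
printf '%s\n' "$after"  | pam_wheel_status
```

On a real system the same function can be pointed at the file directly, as in `pam_wheel_status /etc/pam.d/su`.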
 
Old 06-18-2017, 02:33 PM   #27
MBA Whore
Member
 
Registered: May 2006
Location: Kansas City, MO
Distribution: Various: pclos, Debian, Ubuntu, etc . . .
Posts: 649

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by dejank
It just gives you commands that your user may run. Run it with your privileged user and you will see the difference.
dejank -

Yes, thank you but what I mean specifically is this line:

"(root) NOPASSWD: /usr/lib/linuxmint/mintUpdate/checkAPT.py"

Does that line mean the account has root access? How could that be if it is only a desktop user account?
 
Old 06-18-2017, 02:58 PM   #28
dejank
Member
 
Registered: May 2016
Location: Belgrade, Serbia
Distribution: Debian
Posts: 229

Rep: Reputation: Disabled
No, it does not mean that. All it means is that that specific command can be used by an unprivileged user. And in your case, it simply means that the mint package manager will check for updates. He can not install new packages, nor change the system in any way except in what is allowed to him by default. Linux by its nature is very secure and restrictive in what unprivileged users can, or can not do. Policy kit agent ( that pkexec thingy is just part of it ) is a way to give unprivileged users some things that you can expect that every user on desktop/laptop should be able to do. Like, for example, logging into a wifi network, automatically mounting usb/dvd... While that thing you encounter with synaptic may seem annoying, it is ok as long as other users do not have your password. And there is a way to turn it off, though I do not have time now to bother with it. Would require lots of time investment in learning to write and edit various policy kit files. But it is on my very long to do list :P

However, if you would like to spend some time to learn more about polkit, there is good read about it here: https://wiki.archlinux.org/index.php/Polkit

Last edited by dejank; 06-18-2017 at 03:46 PM.
 
Old 06-18-2017, 06:41 PM   #29
jailbait
LQ Guru
 
Registered: Feb 2003
Location: Virginia, USA
Distribution: Debian 12
Posts: 8,342

Rep: Reputation: 551
Quote:
Originally Posted by MBA Whore
How do I know if I have pkexec
open a terminal and enter:

which pkexec

-------------------
Steve Stites
 
Old 06-19-2017, 12:54 AM   #30
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,333
Blog Entries: 3

Rep: Reputation: 3730
Quote:
Originally Posted by dejank
Policy kit agent ( that pkexec thingy is just part of it ) is a way to give unprivileged users some things that you can expect that every user on desktop/laptop should be able to do. Like, for example, logging into a wifi network, automatically mounting usb/dvd...
Which can all be managed in a simpler, clearer manner using sudo. The syntax for sudoers is just EBNF and easy to learn if not already familiar.

PolicyKit apparently comes out of Red Hat and because of that and its other symptoms I wonder how many of its developers have ties to systemd. Regardless, PolicyKit is overly complex and that combined with its origins suggests that Red Hat is using it to make Linux so difficult as to take it out of the hands of anyone except full-time, Red Hat-trained, professionals.

One of their top executives made a statement about complexity being a sales tactic. This looks like them making good on that threat.

Quote:
Originally Posted by dejank
While that thing you encounter with synaptic may seem annoying, it is ok as long as other users do not have your password. And there is a way to turn it off, though I do not have time now to bother with it. Would require lots of time investment in learning to write and edit various policy kit files.
Yes, again, PolicyKit appears to be about making Linux complicated and hard to use.

MBA Whore: however, between the Arch documentation and the pointer to the directory and one of the PolicyKit configuration files mentioned earlier you should be able to find the lines to change to remove the prompt the other users are getting. But keep in mind there is no "sudo password" just accounts that are authorized by PolicyKit (pkexec) to do an end-run around your settings.
 
  

