
#1 2019-06-08 23:11:04

poop5757
Member
Registered: 2019-06-08
Posts: 2

restrict all access elevation commands/features to one admin user


There is one scope of vulnerability: a weak password, or the danger of interception of the password. Many access elevation apps have a vast vulnerability to keylogging, so it's easy to catch even the root password.
I have an idea:
This idea is very uncomfortable. Make it so that only one administrator's account/user can use access elevation mechanisms, such as sudo, su, pkexec, polkit, etc. This is to reduce the possibility of the explained problem.

I discovered for myself 3 access elevation mechanisms: su, sudo, polkit. Each of them has a /etc/pam.d/ configuration.
For all of them I use:

auth          required   pam_wheel.so

I put it in the appropriate file in /etc/pam.d/, at the beginning of the file.

/etc/pam.d/su-l

#%PAM-1.0
auth		sufficient	pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth		sufficient	pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth		required	pam_wheel.so use_uid
auth		required	pam_unix.so
account		required	pam_unix.so
session		required	pam_unix.so

/etc/pam.d/su

#%PAM-1.0
auth		sufficient	pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth		sufficient	pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth		required	pam_wheel.so use_uid
auth		required	pam_unix.so
account		required	pam_unix.so
session		required	pam_unix.so

/etc/pam.d/polkit-1

#%PAM-1.0

auth          required   pam_wheel.so
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth

One question is: Polkit has one problem for which I opened bug #62847. Am I right with it? For Arch Linux, is this a bug or not? Maybe Arch Linux has some feature to get round this "bug"?
Second question: Are there any other access elevation mechanisms besides su, sudo, polkit?


#2 2019-06-08 23:26:38

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,523

Re: restrict all access elevation commands/features to one admin user

poop5757 wrote:

Second question: Are there any other access elevation mechanisms besides su, sudo, polkit?

Any others? Sure, there could be countless many. But which ones do you have installed? I gather you have installed sudo and polkit, as those are not part of a base Arch Linux install either.


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman


#3 2019-06-09 00:22:24

poop5757
Member
Registered: 2019-06-08
Posts: 2

Re: restrict all access elevation commands/features to one admin user

I read the wiki: Security#Allow_only_certain_users.
There is no /etc/pam.d/polkit-1 there, but there is for "su". Maybe it should be added, or a better variation of it.
I agree, there could be countless many solutions for access elevation, but for the average case? It would be hurtful to install, for example, some video player, and then along with it some sort of "su" command. Supposing, I believe that some "john" user cannot use the root password even if he knows the password. So I make a dummy password for root, or no password at all. And then, many things may take place...


#4 2019-06-09 01:52:47

loqs
Member
Registered: 2014-03-06
Posts: 17,326

Re: restrict all access elevation commands/features to one admin user

If there is no matching configuration for a PAM service, /etc/pam.d/other will be used.
[1] should cover what you initially asked for, but it may well lead to unexpected breakage.

[1] https://git.kernel.org/pub/scm/linux/ke … t?h=v5.1.7
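As an added example (not code from the thread or from Arch), the script below audits the two points raised in this thread: for each privilege-elevation service it reports which /etc/pam.d file PAM would actually consult (the service's own file, or "other" as the fallback loqs describes), and whether that file contains a live "auth required pam_wheel.so" line and whether that line carries use_uid. The service names, the constructed sample files in a temporary directory, and the helper names (pam_file, wheel_status, audit, make_demo_dir) are assumptions for the demonstration; point the first argument at a copy of your real /etc/pam.d to audit a system.

```bash
#!/usr/bin/env bash
# Added audit helper for the thread's PAM setup (not part of the original post).
set -eu

# pam_file DIR SERVICE -> prints the file PAM would read for SERVICE:
# the service file if it exists, otherwise DIR/other, otherwise nothing.
pam_file() {
  local dir="$1" svc="$2"
  if [ -f "$dir/$svc" ]; then
    printf '%s\n' "$dir/$svc"
  elif [ -f "$dir/other" ]; then
    printf '%s\n' "$dir/other"
  fi
}

# wheel_status FILE -> one of:
#   wheel:use_uid     live "auth required|requisite pam_wheel.so ... use_uid"
#   wheel:login_name  same, but without use_uid (user taken from the login session)
#   open              no live pam_wheel requirement (commented lines are ignored)
wheel_status() {
  local file="$1"
  local base='^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+pam_wheel\.so'
  if grep -Eq "${base}([[:space:]]|\$)" "$file"; then
    if grep -Eq "${base}.*[[:space:]]use_uid([[:space:]]|\$)" "$file"; then
      echo wheel:use_uid
    else
      echo wheel:login_name
    fi
  else
    echo open
  fi
}

# audit DIR SERVICE... -> one line per service: "<service> <file|none> <status>"
audit() {
  local dir="$1"; shift
  local svc file
  for svc in "$@"; do
    file=$(pam_file "$dir" "$svc")
    if [ -z "$file" ]; then
      printf '%s none open\n' "$svc"
    else
      printf '%s %s %s\n' "$svc" "$(basename "$file")" "$(wheel_status "$file")"
    fi
  done
}

# make_demo_dir -> creates a constructed sample pam.d directory and prints its path.
make_demo_dir() {
  local d
  d=$(mktemp -d)
  # su: wheel membership required, checked against the real uid
  cat > "$d/su" <<'EOF'
#%PAM-1.0
auth		sufficient	pam_rootok.so
#auth		sufficient	pam_wheel.so trust use_uid
auth		required	pam_wheel.so use_uid
auth		required	pam_unix.so
account		required	pam_unix.so
session		required	pam_unix.so
EOF
  # polkit-1: wheel required, but without use_uid (as in the thread's file)
  cat > "$d/polkit-1" <<'EOF'
#%PAM-1.0
auth          required   pam_wheel.so
auth       include      system-auth
account    include      system-auth
EOF
  # other: the fallback consulted when a service has no file of its own
  cat > "$d/other" <<'EOF'
#%PAM-1.0
auth      required   pam_unix.so
account   required   pam_unix.so
EOF
  printf '%s\n' "$d"
}

# Demo run on the constructed directory; su-l and sudo have no file, so
# they fall through to "other", which carries no wheel restriction.
demo=$(make_demo_dir)
audit "$demo" su su-l polkit-1 sudo
rm -rf "$demo"
```

The distinction between wheel:use_uid and wheel:login_name matters: per the pam_wheel manual, without use_uid the module identifies the caller from the login session associated with the terminal in use rather than from the real uid of the calling process, so a service invoked without a controlling login session (a desktop polkit agent, for instance) may not be evaluated the way a tty-bound su is. The "other" fallback is equally worth seeing in the output: a service that lacks its own file inherits whatever "other" allows, which is why a restriction placed only in su and polkit-1 does not cover every elevation path on the machine.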

