#1 2020-04-16 10:33:15

Skunky

[Solved] Prevent " authenticating as: " with unprivileged users (PAM)

I'm trying to sandbox a user, but when I run, for example, "systemctl stop dhcpcd", polkit just asks for a privileged user's password (I just want to deny permission).
E.g. if I run "systemctl stop dhcpcd":

[test@arch ~]$ systemctl stop dhcpcd
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ====
Authentication is required to stop 'dhcpcd.service'.
Authenticating as: skunky
Password:
==== AUTHENTICATION COMPLETE ====
[test@arch ~]$

groups for "test"

[test@arch ~]$ groups
test

groups for "skunky"

skunky@arch ~ % groups                                                                                                                                             [0]
vboxusers autologin wheel skunky

Here is my /etc/pam.d/su

#%PAM-1.0
auth		sufficient	pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth		sufficient	pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth		required	pam_wheel.so use_uid
auth		required	pam_unix.so
account		required	pam_unix.so
session		required	pam_unix.so

Here is my /etc/pam.d/su-l

#%PAM-1.0
auth		sufficient	pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth		sufficient	pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth		required	pam_wheel.so use_uid
auth		required	pam_unix.so
account		required	pam_unix.so
session		required	pam_unix.so

When I try to stop units with sudo I get "not in the sudoers file" as expected. Any hint appreciated!

Last edited by Skunky (2020-04-16 15:17:49)


#2 2020-04-16 11:18:42

WorMzy

#3 2020-04-16 12:33:25

Skunky

I read the wiki page once again (specifically https://wiki.archlinux.org/index.php/Po … identities ) and I managed to get polkit to ask for the root password instead of "skunky" with /etc/polkit-1/rules.d/49-rootpw_global.rules, but I have no clue how to disable it completely. Thank you very much for your time.


#4 2020-04-16 15:14:16

Skunky

I was playing around with authorization rules and managed to achieve my goal. I created

/etc/polkit-1/rules.d/00-early-checks.rules

and wrote

polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.systemd1.manage-units" &&
        subject.isInGroup("test")) {
        return polkit.Result.NO;
    }
});

I'm pretty sure I had already tried this, but maybe there was a typo. Marking as solved.

Offline
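
Added example, not part of the original posts and not polkit's own code: a small Node.js stand-in for the rule engine that runs the rule from post #4 against mock subjects, showing that the deny is returned before any authentication prompt and that it covers only the one action ID. makeEngine, makeSubject, evaluate and the org.example.other-action ID are constructed for illustration, and the auth_admin fallback is an assumption taken from the prompt shown in post #1.

```javascript
// Minimal stand-in for the polkit rule engine (constructed for illustration;
// real rules run inside polkitd, not Node).
function makeEngine() {
  const rules = [];
  const polkit = {
    Result: { NO: "no", YES: "yes", AUTH_ADMIN: "auth_admin" },
    addRule(fn) { rules.push(fn); },
  };
  // Rule functions are called in the order they were added; the first one
  // that returns a value decides. If none decides, the action's implicit
  // default (from its .policy file) applies.
  function check(action, subject, implicitDefault) {
    for (const rule of rules) {
      const result = rule(action, subject);
      if (result) return result;
    }
    return implicitDefault;
  }
  return { polkit, check };
}

// Subject mock exposing only the method the rule uses.
function makeSubject(user, groups) {
  return { user, isInGroup: (g) => groups.includes(g) };
}

function evaluate(user, groups, actionId) {
  const { polkit, check } = makeEngine();
  // The rule from 00-early-checks.rules, as posted in the thread.
  polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.systemd1.manage-units" &&
        subject.isInGroup("test")) {
      return polkit.Result.NO;
    }
  });
  // Assumed implicit default: admin authentication (the prompt seen in post #1).
  return check({ id: actionId }, makeSubject(user, groups),
               polkit.Result.AUTH_ADMIN);
}

const UNITS = "org.freedesktop.systemd1.manage-units";
const OTHER = "org.example.other-action"; // constructed placeholder action ID

console.log(evaluate("test", ["test"], UNITS));              // denied, no prompt
console.log(evaluate("skunky", ["wheel", "skunky"], UNITS)); // falls through to default
console.log(evaluate("test", ["test"], OTHER));              // rule does not cover this action
```

The third call is the case to watch when sandboxing: any action not named in the rule still falls through to its own default, so each action to be denied needs its own check.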
