gdm and sudo question

Adam C. Greenfield adam.greenfield at gmail.com
Fri Mar 11 12:00:13 CST 2005


GDM runs as root so it can execute commands as root:

(pts/4) bastion% ps auxwww | grep gdm                               ~ (12:59PM)
root      5688  0.0  0.4  10164  2372 ?        Ss   Mar08   0:00 /usr/bin/gdm
root     19849  0.0  0.5  10492  2844 ?        S    Mar10   0:00 /usr/bin/gdm


On Fri, 11 Mar 2005 18:51:44 +0100, Xan <DXpublica at telefonica.net> wrote:
> Hi,
> 
> I observe that in gdm.conf there are the lines:
> 
> # Reboot, Halt and suspend commands, you can add different commands
> # separated by a semicolon and gdm will use the first one it can find
> RebootCommand=/sbin/shutdown -r now "Rebooted from gdm menu."
> HaltCommand=/sbin/shutdown -h now "Halted from gdm menu."
> SuspendCommand=/usr/sbin/pmi action sleep
> HibernateCommand=/usr/sbin/pmi action hibernate
> 
> and I ask whether this should be replaced by "sudo [command]", with gdm put in
> the sudoers file so that it could "only" shut down the system (perhaps a good
> solution would be to add a group called "shutdowners" and add gdm to that group).
> 
> I ask because Ubuntu has a "secure policy" that the root account is disabled
> by default and "only" root should be able to shut down, isn't it?
> 
> What do you think about that? I ask with the best intentions, as a desktop
> user who follows the Ubuntu movement.
> 
> Thank you very much,
> Xan.
> 
> PS: On the other hand, one problem (this is not important; I'm sure it's
> trivial):
> 
> My sudoers file (which is the default file) is:
> Defaults        !lecture,tty_tickets,!fqdn
> 
> # User privilege specification
> root    ALL=(ALL) ALL
> 
> # Members of the admin group may gain root privileges
> %admin  ALL=(ALL) ALL
> ~
> 
> and groups is:
> 
> root:x:0:
> daemon:x:1:
> bin:x:2:
> sys:x:3:
> adm:x:4:xan
> tty:x:5:
> disk:x:6:
> lp:x:7:cupsys
> mail:x:8:
> news:x:9:
> uucp:x:10:
> man:x:12:
> proxy:x:13:
> kmem:x:15:
> dialout:x:20:xan,cupsys
> fax:x:21:
> voice:x:22:
> cdrom:x:24:xan,hal
> floppy:x:25:xan,hal
> tape:x:26:
> sudo:x:27:
> audio:x:29:xan
> dip:x:30:xan
> www-data:x:33:
> backup:x:34:
> operator:x:37:
> list:x:38:
> irc:x:39:
> src:x:40:
> gnats:x:41:
> shadow:x:42:
> utmp:x:43:
> video:x:44:xan
> sasl:x:45:
> plugdev:x:46:xan,hal
> staff:x:50:
> games:x:60:
> users:x:100:
> nogroup:x:65534:
> crontab:x:101:
> ssh:x:102:
> postfix:x:103:
> postdrop:x:104:
> syslog:x:105:
> klog:x:106:
> xan:x:1000:
> lpadmin:x:107:xan
> scanner:x:108:xan
> admin:x:109:xan
> messagebus:x:110:
> hal:x:111:
> slocate:x:112:
> saned:x:113:
> gdm:x:114:
> 
> gdm does not belong to admin. So why can it shut down my system?
> 
> --
> ubuntu-devel mailing list
> ubuntu-devel at lists.ubuntu.com
> http://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
> 


-- 
Adam C. Greenfield
<adam.greenfield at gmail.com>
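
Added example, not part of the original message or of gdm: because gdm runs as root, whatever the *Command= lines in gdm.conf point at is executed as root, so those binaries should be root-owned and not writable by group or others. The sketch below checks that; the `audit` function, its `trusted_uid` and `root` parameters, and the sample configuration are assumptions made for this example.

```python
import os
import stat

# Constructed sample in the style of the gdm.conf lines quoted above.
SAMPLE_CONF = '''\
# Reboot, Halt and suspend commands
RebootCommand=/sbin/shutdown -r now "Rebooted from gdm menu."
HaltCommand=/sbin/shutdown -h now "Halted from gdm menu."
SuspendCommand=/usr/sbin/pmi action sleep
'''

def command_paths(conf_text):
    """Yield (key, executable) for every alternative in each *Command= line."""
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if not key.endswith("Command"):
            continue
        for alternative in value.split(";"):  # alternatives are ';'-separated
            words = alternative.split()
            if words:
                yield key, words[0]  # first word is the program to execute

def audit(conf_text, trusted_uid=0, root="/"):
    """Return findings for executables that a root-run gdm would launch.

    trusted_uid and root are hypothetical knobs for this example: the owner
    expected for each binary, and a prefix for checking an offline tree.
    """
    findings = []
    for key, exe in command_paths(conf_text):
        path = os.path.join(root, exe.lstrip("/"))
        try:
            st = os.stat(path)  # follows symlinks, so the target is checked
        except FileNotFoundError:
            findings.append((key, exe, "missing"))
            continue
        if st.st_uid != trusted_uid:
            findings.append((key, exe, "not owned by trusted uid"))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((key, exe, "group/world-writable"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(*finding, sep=": ")
```

The same ownership and write-permission check applies to gdm.conf itself, since anyone who can edit it chooses what runs as root.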


