Martin Pitt martin.pitt at
Thu Nov 24 03:00:53 CST 2005


The current spec [1] for hiding administrative menu entries from users
who do not have the rights to execute them proposes to use sudo for
determining the user privileges. However, there is an intrinsic
conflict in the current approach.

In the current implementation 'sudo -t <command>' will do exactly the
same barking as 'sudo <command>' would do, in order to not weaken
security checks. I.e. when a user tries to do sudo -t with a command
he does not have privileges for, there will be a log entry in
auth.log, and worse, sudo sends an email to root about the violation.

That means that every time a non-admin user would log into Gnome, root
would receive maybe 15 unjustified sudo emails, since gnome-menus has
to check (sudo -t) all desktop files which are marked as 'needs root

Disabling the logging with -t is very bad on servers, since it would
essentially mean that an intruder would not cause any logging any more
when he pokes around with sudo -t until he finds a command he can
execute. On the desktop this is not a problem; using sudo under X is
already way more dangerous than missing logging could ever be.

I see two options that are worth discussing:

 (1) Do the test at a higher level:

     sudo --check-desktop-file <desktop file>

   does not log failures if the desktop file is owned by root.

 (2) Make this configurable and set appropriate defaults at
     installation (ubuntu-server or ubuntu-desktop).

I prefer solution (1) since it does what we actually want; (2) is a
bit handwavy, since you can use a normal Ubuntu CD to install a
server, etc.

Any thoughts appreciated!




Martin Pitt
Ubuntu Developer
Debian Developer

In a world without walls and fences, who needs Windows and Gates?
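The precondition behind option (1), as an added example that is not code from this mail, from sudo or from gnome-menus: a pure decision function that only treats an unprivileged probe as "quiet" when the desktop file is a root-owned, unmodifiable regular file. The 'needs root' key name (NEEDS_ROOT_KEY) is a placeholder assumption; the mail does not name the real marker.

```python
import os
import stat

# Placeholder for the "needs root" marker in the desktop file (assumption;
# the mail does not say which key gnome-menus actually uses).
NEEDS_ROOT_KEY = "X-Needs-Root"


def parse_desktop_entry(text):
    """Return the key/value pairs of the [Desktop Entry] group only."""
    entries, in_group = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_group = (line == "[Desktop Entry]")
            continue
        if in_group and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip()] = value.strip()
    return entries


def trusted_owner(st_uid, st_mode):
    """Regular file, owned by root, not writable by group or others."""
    return (st_uid == 0 and stat.S_ISREG(st_mode)
            and not st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def privilege_check_policy(st_uid, st_mode, text):
    """Decide how the menu code may probe this desktop file:
      'no-check'     entry does not claim to need root; never touch sudo
      'quiet-check'  root-owned, unmodifiable file: a failed probe may go
                     unlogged, as option (1) proposes
      'logged-check' anything else: treat like an ordinary sudo attempt,
                     i.e. keep the auth.log entry and the mail to root
    """
    entry = parse_desktop_entry(text)
    if entry.get(NEEDS_ROOT_KEY, "false").lower() != "true" or "Exec" not in entry:
        return "no-check"
    return "quiet-check" if trusted_owner(st_uid, st_mode) else "logged-check"


def policy_for_path(path):
    """Same decision taken from a real file on disk."""
    st = os.stat(path)
    with open(path) as f:
        return privilege_check_policy(st.st_uid, st.st_mode, f.read())
```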