i can start apps with root-privilages without entering the password

pepe123 · #1 19th June 2007, 12:31 PM

i have fc7 with all up-to-date updates. i use kde and i noticed some strange behaviour:

usually some "apps" like SELinux manger, date&time etc require a root passw to run (as it should be). and in kde there is a option for the cursor to bounce for up to 30 sec. when starting apps.

so when I start (for instance) SElinux Manager i have time (up to 30 sec) to start any other app that require root-passw without actually entering the passw itself. after these 30 sec, or when i close/terminate the first app i need to reenter the root-passw again.

Can someone help me to disable this

hceylan · #2 19th June 2007, 07:37 PM

Do you see an icon on the notification applet that says "keep authorization"/"Forget authorization"

That might be the cause. If you close the privileged application, this sometimes automaticly forgets authorization

Hasan Ceylan

pepe123 · #3 19th June 2007, 07:45 PM

Quote:

Originally Posted by hceylan

Do you see an icon on the notification applet that says "keep authorization"/"Forget authorization"

That might be the cause. If you close the privileged application, this sometimes automaticly forgets authorization

Hasan Ceylan

There is absolutely no icon, no message, nothing. (I even didn't know, there should be one

)

hceylan · #4 19th June 2007, 08:01 PM

I occasionally see it is in the shape of a yellow shield.. Just though this could be...

Sorry for not working out...

Hasan Ceylan

sideways · #5 19th June 2007, 08:12 PM

You can specify the number of seconds the authorization lasts for by adding a timestamp_timeout=secs directive to the auth timestamp.so line in /etc/pam.d/config-util

eg to set it to zero use

Code:

auth            sufficient      pam_timestamp.so timestamp_timeout=0

Now you will always have to type in the root password for config utils even if one has just been opened and the password enterered (alternatively set it really high, for a really insecure system, that won't prompt for passwords too much)

hceylan · #6 19th June 2007, 08:15 PM

pepe123 I think that was profitable day for both of us

Thanks for the tip sideways

pepe123 · #7 21st June 2007, 04:27 PM

Quote:

Originally Posted by hceylan

pepe123 I think that was profitable day for both of us

Thanks for the tip sideways

Therefore I switched from opensuse10.2 opensuse is a great linux distro, but I like fedora more. there are more packages and a great community support for fedora. I just like it despite of the problems.

By the way, after applying the timestamp_timeout=0, there are sometimes (a lot rare, though) some apps that still can be started without a root-passwd. I think it is a problem of some selinux-policy, e.g while checking for permission i have some secs to start something else.

sideways · #8 21st June 2007, 04:53 PM

some of the config utils have their own timestamp config, system-config-selinux is one, system-config-lvm is another, just apply the same directive in the relevant /etc/pam.d/ module

edit

that might be system-config-securitylevel, sorry, I think it changed between fc6 and f7?