First, a note about the security systems involved: sudo and gksudo are governed by sudoers, but much of the GUI uses polkit, whose configuration is independent of sudoers. There are not many common factors:
- Ubuntu uses the sudo group to grant administrative privileges in both systems.
- Both support PAM, so PAM configuration can affect both.
In particular, Fedora's default PAM configuration has:
    $ grep 'auth.*pam_unix' /etc/pam.d -R
    /etc/pam.d/password-auth-ac:auth sufficient pam_unix.so nullok try_first_pass
    /etc/pam.d/system-auth-ac:auth sufficient pam_unix.so nullok try_first_pass
    /etc/pam.d/system-auth:auth sufficient pam_unix.so nullok try_first_pass
    /etc/pam.d/vmtoolsd:auth sufficient pam_unix2.so nullok
    /etc/pam.d/vmtoolsd:auth sufficient pam_unix.so shadow nullok
    /etc/pam.d/vmtoolsd:auth required pam_unix_auth.so shadow nullok
    /etc/pam.d/password-auth:auth sufficient pam_unix.so nullok try_first_pass
Contrast Ubuntu:
    $ grep 'auth.*pam_unix' /etc/pam.d -R
    /etc/pam.d/common-account:account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
    /etc/pam.d/common-auth:auth [success=2 default=ignore] pam_unix.so nullok_secure
The important point is nullok_secure being set for pam_unix in Ubuntu vs nullok in Fedora. According to man pam_unix:
    nullok
        The default action of this module is to not permit the user access
        to a service if their official password is blank. The nullok
        argument overrides this default and allows any user with a blank
        password to access the service.
    nullok_secure
        The default action of this module is to not permit the user access
        to a service if their official password is blank. The nullok_secure
        argument overrides this default and allows any user with a blank
        password to access the service as long as the value of PAM_TTY is
        set to one of the values found in /etc/securetty.
Now, /etc/securetty does contain :0 and other common values for graphical sessions, so gksudo, for example, will work with empty passwords.
    # Local X displays (allows empty passwords with pam_unix's nullok_secure)
    :0
    :0.0
    :0.1
    :1
    :1.0
    :1.1
    :2
    :2.0
    :2.1
    :3
    :3.0
    :3.1
    #...
Polkit, on the other hand, seems to leave PAM_TTY unset, so securetty doesn't affect it. sudo, of course, won't work, since you always run sudo from a terminal, and the pseudoterminal allocated to it (/dev/ptsX) won't be mentioned in /etc/securetty. You can, however, use sudo in the TTYs.
So how do we make Ubuntu like Fedora? Just change nullok_secure in common-auth to nullok:
    sudo sed -i.bak '/pam_unix/s/nullok_secure/nullok/' /etc/pam.d/common-auth
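
To check what a system currently permits before or after making this change, the following added example (not part of the original answer) classifies each pam_unix auth line as nullok, nullok_secure or the default, lists accounts with an empty password field, and models the nullok_secure rule as the man page excerpt above words it. The function names, the `reject-blank` label and the sample files are constructed for illustration; on a real host the functions would be pointed at /etc/pam.d, /etc/shadow and /etc/securetty.

```shell
#!/bin/sh
# Added example: audit how pam_unix treats blank passwords (not the answer's own code).

# classify_pam_unix DIR: print "<file><TAB><policy>" for each pam_unix auth line.
classify_pam_unix() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk -v name="${f##*/}" '
            $1 == "auth" && /pam_unix\.so/ {
                policy = "reject-blank"            # pam_unix default: blank passwords refused
                for (i = 2; i <= NF; i++) {
                    if ($i == "nullok") policy = "nullok"
                    if ($i == "nullok_secure") policy = "nullok_secure"
                }
                print name "\t" policy
            }' "$f"
    done
}

# blank_password_users SHADOW: names of accounts whose password field is empty.
blank_password_users() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# blank_allowed POLICY TTY SECURETTY: exit 0 if a blank password would be
# accepted, following the quoted man page wording. TTY may be empty (unset).
blank_allowed() {
    case "$1" in
        nullok) return 0 ;;
        nullok_secure) [ -n "$2" ] && grep -qxF -- "$2" "$3" ;;
        *) return 1 ;;
    esac
}

# make_sample DIR: write constructed sample files (not copied from a real system).
make_sample() {
    mkdir -p "$1/pam.d"
    printf 'auth\t[success=2 default=ignore]\tpam_unix.so nullok_secure\n' > "$1/pam.d/common-auth"
    printf 'auth sufficient pam_unix.so nullok try_first_pass\n' > "$1/pam.d/system-auth"
    printf '# Local X displays\n:0\n:0.0\ntty1\n' > "$1/securetty"
    printf 'root:!:19000:0:99999:7:::\nguest::19000:0:99999:7:::\n' > "$1/shadow"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d) && make_sample "$d"
    classify_pam_unix "$d/pam.d"
    blank_password_users "$d/shadow"
    rm -rf "$d"
fi
```

Any account reported by `blank_password_users` can authenticate without a password to every service whose PAM stack is classified as `nullok`.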