
In Fedora, I am surprised that if my administrator account does not have a password, sudo, gksu and gksudo won't prompt me for one! (it is not caused by /etc/sudoers). In Ubuntu, they will ask me for a password and if I give it an empty one, they will not let me pass.

  1. How does Fedora do this? (what are the technical design details in Fedora that causes this behavior?)
  2. How can I make Ubuntu behave like this? (how to configure Ubuntu to act like Fedora in this regard?)

Similar questions have been asked many times before, but they only address sudo and not gksu, gksudo nor any other graphical tool. Also, neither sudo -i nor editing /etc/sudoers is needed; this is default Fedora behavior.

Of course this is probably not recommended, I just ask this so that I can learn more about how Linux works.

  • As for the recent edit that added for reopening request, How do you know that Fedora doesn't modify the /etc/sudoers file? And both gksu and gksudo are graphical counterpart of sudo. – Anwar Aug 24 '15 at 05:26
  • @AnwarShah In Fedora, the lines with "NOPASSWD" in /etc/sudoers are commented out. Also, you can easily reproduce this Fedora behavior. Get a fresh Fedora installation, use sudo passwd -d to delete admin account. Log in to the admin account without a password and, for example, click "Unlock" in "User Accounts" (or "Users" or something similar) within "System Settings". It won't ask the password. – ThePiercingPrince Aug 24 '15 at 06:02
  • You add the fact into the question that, Fedora's implementation of this is not like the one which disables password in /etc/sudoers as the referenced question asked. There was other mechanism working. I'll support to reopen then. Make your argument strong. – Anwar Aug 24 '15 at 06:39
  • @ThePiercingPrince that behaviour is not governed by sudoers configuration, but by PolKit configuration. – muru Aug 24 '15 at 06:39
  • I have voted to re-open as well. There are two separate privilege escalation systems here, sudo and Polkit, and their configuration is independent. However, both support PAM, and the common-auth PAM configuration in Ubuntu has the pam_unix module with the nullok_secure option which prevents empty passwords from being used outside of TTYs mentioned in /etc/securetty. I'm pretty sure that's the cause here. – muru Aug 24 '15 at 06:48
  • I've given my re-open vote too! – Anwar Aug 24 '15 at 06:52
  • @muru How to get this behavior in Ubuntu? – ThePiercingPrince Aug 24 '15 at 08:20

1 Answer

First, a note about the security systems involved: sudo and gksudo are governed by sudoers, but much of the GUI uses polkit, whose configuration is independent of sudoers. There are not many common factors:

  1. Ubuntu uses the sudo group to grant administrative privileges in both systems.
  2. Both support PAM, so PAM configuration can affect both.

In particular, Fedora's default PAM configuration has:

$ grep 'auth.*pam_unix' /etc/pam.d -R
/etc/pam.d/password-auth-ac:auth        sufficient    pam_unix.so nullok try_first_pass
/etc/pam.d/system-auth-ac:auth        sufficient    pam_unix.so nullok try_first_pass
/etc/pam.d/system-auth:auth        sufficient    pam_unix.so nullok try_first_pass
/etc/pam.d/vmtoolsd:auth       sufficient       pam_unix2.so nullok
/etc/pam.d/vmtoolsd:auth       sufficient       pam_unix.so shadow nullok
/etc/pam.d/vmtoolsd:auth       required         pam_unix_auth.so shadow nullok
/etc/pam.d/password-auth:auth        sufficient    pam_unix.so nullok try_first_pass

Contrast Ubuntu:

$ grep 'auth.*pam_unix' /etc/pam.d -R
/etc/pam.d/common-account:account   [success=2 new_authtok_reqd=done default=ignore]    pam_unix.so 
/etc/pam.d/common-auth:auth [success=2 default=ignore]  pam_unix.so nullok_secure

The important point is nullok_secure being set for pam_unix in Ubuntu vs nullok in Fedora. According to man pam_unix:

nullok
   The default action of this module is to not permit the user access
   to a service if their official password is blank. The nullok
   argument overrides this default and allows any user with a blank
   password to access the service.

nullok_secure
   The default action of this module is to not permit the user access
   to a service if their official password is blank. The nullok_secure
   argument overrides this default and allows any user with a blank
   password to access the service as long as the value of PAM_TTY is
   set to one of the values found in /etc/securetty.

Now, /etc/securetty does contain :0 and other common values for graphical sessions, so gksudo, for example, will work with empty passwords.

# Local X displays (allows empty passwords with pam_unix's nullok_secure)
:0
:0.0
:0.1
:1
:1.0
:1.1
:2
:2.0
:2.1
:3
:3.0
:3.1
#...

Polkit, on the other hand, seems to leave PAM_TTY unset, so securetty doesn't affect it. sudo, of course, won't work, since you always run sudo from a terminal, and the pseudoterminal allocated to it (/dev/ptsX) won't be mentioned in /etc/securetty. You can, however, use sudo in the TTYs.

So how do we make Ubuntu like Fedora? Just change nullok_secure in common-auth to nullok:

sudo sed -i.bak '/pam_unix/s/nullok_secure/nullok/' /etc/pam.d/common-auth
muru
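The following script is an added example, not part of muru's answer or of any distribution's PAM code. It models the decision the answer describes: whether pam_unix lets an empty password through for the three callers discussed (sudo on a pseudoterminal, gksudo on an X display, polkit with PAM_TTY unset), first with Ubuntu's nullok_secure and then after the common-auth edit. The common-auth and securetty contents are constructed samples written to a temporary directory, so nothing under /etc is touched; the tty lookup (strip a leading /dev/, then look for an exact line in securetty) is modelled on how pam_securetty and Debian's nullok_secure check compare the name, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the answer): model pam_unix's nullok vs nullok_secure
# decision for sudo on a pty, gksudo on an X display and polkit with no
# PAM_TTY, then apply the common-auth change to a copy of the file.
set -eu

# Constructed sample of Ubuntu's /etc/pam.d/common-auth; only the pam_unix
# line matters, the other lines are filler in the same shape.
SAMPLE_COMMON_AUTH='# /etc/pam.d/common-auth (constructed sample)
auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so'

# Constructed excerpt of Ubuntu's /etc/securetty: consoles and local X
# displays are listed, pseudoterminals (pts/N) are not.
SAMPLE_SECURETTY='console
tty1
tty2
# Local X displays
:0
:0.0
:1'

# pam_unix_null_option FILE: print nullok, nullok_secure or none, depending on
# which option the first "auth ... pam_unix.so" line in FILE carries.
pam_unix_null_option() {
    line=$(grep -E '^auth[[:space:]].*pam_unix\.so' "$1" | head -n 1)
    case " $line " in
        *' nullok_secure '*) echo nullok_secure ;;
        *' nullok '*)        echo nullok ;;
        *)                   echo none ;;
    esac
}

# tty_is_secure SECURETTY_FILE PAM_TTY: succeed if PAM_TTY, minus any leading
# /dev/, is an exact line in SECURETTY_FILE (modelled on pam_securetty's
# comparison). An empty PAM_TTY, as polkit leaves it, never matches.
tty_is_secure() {
    tty=${2#/dev/}
    if [ -z "$tty" ]; then return 1; fi
    grep -qxF -- "$tty" "$1"
}

# empty_password_allowed COMMON_AUTH SECURETTY PAM_TTY: print yes or no.
empty_password_allowed() {
    case $(pam_unix_null_option "$1") in
        nullok) echo yes ;;
        nullok_secure) if tty_is_secure "$2" "$3"; then echo yes; else echo no; fi ;;
        *) echo no ;;
    esac
}

# make_like_fedora FILE: the answer's sed edit applied to FILE, keeping a .bak
# copy. Pass a copy of common-auth to try it out, not the live file.
make_like_fedora() {
    sed -i.bak '/pam_unix/s/nullok_secure/nullok/' "$1"
}

# write_samples DIR: materialise the constructed files for the demo.
write_samples() {
    printf '%s\n' "$SAMPLE_COMMON_AUTH" > "$1/common-auth"
    printf '%s\n' "$SAMPLE_SECURETTY" > "$1/securetty"
}

demo() {
    dir=$(mktemp -d)
    write_samples "$dir"
    for pass in before after; do
        echo "== $pass the edit (pam_unix option: $(pam_unix_null_option "$dir/common-auth")) =="
        echo "sudo   on /dev/pts/3 (pty):    $(empty_password_allowed "$dir/common-auth" "$dir/securetty" /dev/pts/3)"
        echo "sudo   on /dev/tty1 (console): $(empty_password_allowed "$dir/common-auth" "$dir/securetty" /dev/tty1)"
        echo "gksudo on :0 (X display):      $(empty_password_allowed "$dir/common-auth" "$dir/securetty" :0)"
        echo "polkit with PAM_TTY unset:     $(empty_password_allowed "$dir/common-auth" "$dir/securetty" '')"
        if [ "$pass" = before ]; then make_like_fedora "$dir/common-auth"; fi
    done
    rm -rf "$dir"
}

demo
```

Before the edit the script reports "no" for the pty and for polkit and "yes" for the console and the X display, which is exactly the split the answer observes; after make_like_fedora has turned nullok_secure into nullok every caller gets "yes", securetty no longer being consulted.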