KUbuntu, root passwords and broken authentication (was Re: Ubuntu & Linspire)

[Gene Heskett]

On Friday 09 February 2007 01:11, Daniel Pittman wrote:
>"Scott Mazur" <kubuntulists at littlefish.ca> writes:
>> On Fri, 09 Feb 2007 12:26:07 +1100, Daniel Pittman wrote
>>
>>> Joe Hart <j.hart at orange.nl> writes:
>>> > Jonathan Jesse wrote:
>
>[...]
>
>>> > Sudo/Root?
>>>
>>> Good security practice?  Is it that hard for a "hardcore" user to run
>>> 'sudo passwd root' -- I mean, seriously.
>>>
>>> These are the "hardcore!"  They know how to use the command line, and
>>> it isn't like Ubuntu prevents you setting a root password -- or even
>>> blinks if you do.
>>
>> I agree (or have no opinion) about everything you've said up to this
>> point. It's true Kubuntu doesn't prevent you from setting a root
>> password (I've done so myself, becuase that's just the kind of user I
>> am).
>
>So have I, in the past, for a variety of reasons.
>
>> But it's not true there are no consequences to this.  Every (and I
>> mean EVERY) configurable option in KDE that needs admin rights prompts
>> for a password.  Out of the box that's fine (whether you agree it
>> should be any old user password or root only).
>
>*nod*
>
>> But once you set a root password none of the KDE password prompts
>> work.
>
>Ouch.  Which version of KUbuntu was this (fairly serious) bug introduced
>in?  This worked in the past, though I don't have a GUI enabled system
>with a root password at present.

Its pretty true for kubuntu-6.06.

>> Regardless of the password you type in (root or user) it's wrong and
>> does not authenticate.  So by setting a root password you are forced
>> to login as root to make admin changes for ever more.

No, root can edit the pw and group files, removing himself, and the old 
way works again.

>That would be a nasty problem and a good argument that the current sudo
>setup is, indeed, somewhat broken.
>
>> And it's damned annoying being prompted for a password in KDE when you
>> know darned well it's not going to work.
>
The only reason it doesn't work for me is that the new user (or root) 
doesn't have privileges on the currently running xscreen.  But I found an 
xhost command that fixes that.
 
>Absolutely.  Do you have any idea /why/ it doesn't work any longer?
>
>As far as I knew the kdesu simply ran sudo to achieve root access; sudo
>doesn't care one way or the other if root has a password or not.
>
>I can't see anything in the source code that would cause this either.
>Very strange and annoying.  Oh, well, let me test this out...
>
>OK, root has a password and I can su to root successfully.
>
>Now, to try an admin requiring KDE operation ... and no.  It all just
>worked, exactly as I would expect.  I can run both GUI and console
>applications through kdesu -- as expected -- after assigning a root
>password.
>
>So, with Edgy this definitely works out of the box as expected.
>
>> It shouldn't have to be that way.  Everyone should set a root password
>> just to understand how mucked this action makes your system before
>> commenting on how 'trivial sudo is'.  That by and far is my biggest
>> grudge against Kubuntu, and yes weighted against the things I like
>> about Kubuntu, so far things balance out.
>
>Well, since you undoubtedly did encounter this problem I would encourage
>you to try and replicate it and, then, report it as a bug.  It is, after
>all, precisely that -- a bug somewhere in the system.
>
>>> > Wacom devices in xorg.conf?

Wacom?  I have an ArtPadII, but its serial and I'm out of ports.  I should 
see if it works through a pl2303 usb-seriel cable I have.  Thanks for 
reminding me.

>>> I guess "hardcore" users don't own Wacom tablets, but they do own USB
>>> mice, right?
>>>
>>> I infer this because you whine about Wacom tablets being configured
>>> to work "out of the box" but we don't hear complaints that xorg.conf
>>> contains definitions for USB mice...
>>
>> You don't hear complaints about definitions for USB mice because they
>> don't generate warnings about missing devices everytime you start an
>> application in X.
>
>Have you tried running X applications under Ubuntu on a custom kernel
>without the mouse support built in?  It will, after all, generate
>warnings then. :)
>
>> When they do, advice is given to fix the config, not 'ignore the
>> error'. I want to be clear about something: Developers spend time
>> making code work. They don't spend time making writing (let alone
>> testing) 'exception' events to ensure they've cleaned up properly.
>> What you see as a harmless X error that means nothing and should just
>> as well be sent to the NULL bucket, I see as a hole in the code (in
>> this case X, which is a big part of the system to have a hole in).
>
>Yeah.  The lack of support for hotplug or dynamic management of input
>and output devices in the X code is a pretty serious lack -- especially
>in this day and age.
>
>Thankfully Keith Packard is resolving that, and we can expect x.org 7.2
>(which may make Feisty and will make the release after that) to resolve
>this problem.
>
>Then, finally, when you add a new keyboard (or Wacom tablet, or
>whatever) X will be able to notice that, load the driver and start using
>it.
>
>[...]
>
>> Ignoring the messages that was given is just plain bad advice.
>> Encouraging it is irresponsible.
>
>I think, personally, that the Ubuntu developers made the right trade-off
>of problems here.  More hardware working out of the box[1] is a
>reasonably trade-off against a few years where unpleasant warnings[2]
>are emitted seems a reasonable engineering decision to me.
>
>There is no right answer here, only different bad choices.
>
>Regards,
>	Daniel
>
>Footnotes:
>[1]  ...even if Wacom devices /should/ have worked through the Linux
>     input event system years ago, and X should have supported that
>     years ago.
>
>[2]  ...which don't bother most users.
>
>--
>Digital Infrastructure Solutions -- making IT simple, stable and secure
>Phone: 0401 155 707        email: contact at digital-infrastructure.com.au
>                 http://digital-infrastructure.com.au/

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2007 by Maurice Eugene Heskett, all rights reserved.